nrpe on ssl

Tom Yates madlists at teaparty.net
Fri May 25 11:33:21 CEST 2012


On Thu, 24 May 2012, Axel wrote:

> You can use tcpdump and wireshark to check the tcp and ssl handshake.

as axel says, this is the best way to be *sure* it's happening under cover 
of SSL.  in case you want to see it done, here's one happening under SSL:

[user@www ~]$ sudo tcpdump -n -n -A port 5666
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:23:11.568787 IP 78.31.111.49.45411 > 193.219.118.100.5666: S 1958463879:1958463879(0) win 14600 <mss 1460,sackOK,timestamp 318187570 0,nop,wscale 5>
E..<.. at .9.jvN.o1..vd.c."t.........9..w.........
..(2........
10:23:11.568816 IP 193.219.118.100.5666 > 78.31.111.49.45411: S 4064423968:4064423968(0) ack 1958463880 win 5792 <mss 1460,sackOK,timestamp 3184336621 318187570,nop,wscale 7>
E..<.. at .@.E,..vdN.o1.".c.B0 t..................
......(2....
10:23:11.574693 IP 78.31.111.49.45411 > 193.219.118.100.5666: . ack 1 win 457 <nop,nop,timestamp 318187571 3184336621>
E..4.. at .9.j}N.o1..vd.c."t....B0!....?Q.....
..(3....
10:23:11.575019 IP 78.31.111.49.45411 > 193.219.118.100.5666: P 1:78(77) ack 1 win 457 <nop,nop,timestamp 318187571 3184336621>
E..... at .9.j/N.o1..vd.c."t....B0!...........
..(3........H...D..O.OH...`+.%.Kp.gOG.
10:23:11.575036 IP 193.219.118.100.5666 > 78.31.111.49.45411: . ack 78 win 46 <nop,nop,timestamp 3184336628 318187571>
E..4.. at .@..b..vdN.o1.".c.B0!t....... at ......
......(3
10:23:11.576362 IP 193.219.118.100.5666 > 78.31.111.49.45411: P 1:240(239) ack 78 win 46 <nop,nop,timestamp 3184336629 318187571>
E..#.. at .@..r..vdN.o1.".c.B0!t.......z9.....
......(3....Q...M..O.O.f...F..Xc:..3h~
10:23:11.581549 IP 78.31.111.49.45411 > 193.219.118.100.5666: . ack 240 win 490 <nop,nop,timestamp 318187572 3184336629>
E..4.. at .9.j{N.o1..vd.c."t....B1.....=......
..(4....

as you can see, the ASCII-rendered contents look like gibberish.  here's 
one *not* happening under SSL:

[user@www ~]$ sudo tcpdump -n -n -A port 5666
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:27:50.403064 IP 78.31.111.49.45449 > 193.219.118.100.5666: S 2022207245:2022207245(0) win 14600 <mss 1460,sackOK,timestamp 318215453 0,nop,wscale 5>
......9............d..."x.o
............
10:27:50.403095 IP 193.219.118.100.5666 > 78.31.111.49.45449: S 1624596014:1624596014(0) ack 2022207246 win 5792 <mss 1460,sackOK,timestamp 3184615495 318215453,nop,wscale 7>
E..<.. at .@.E,..vdN.o1."..`.^.x.o......L.........
..`G........
10:27:50.408395 IP 78.31.111.49.45449 > 193.219.118.100.5666: . ack 1 win 457 <nop,nop,timestamp 318215454 3184615495>
E..4.. at .9.R"N.o1..vd..."x.o.`.^/....J......
......`G
10:27:50.409395 IP 78.31.111.49.45449 > 193.219.118.100.5666: P 1:1037(1036) ack 1 win 457 <nop,nop,timestamp 318215454 3184615495>
E.. at ..@.9.N.N.o1..vd..."x.o.`.^/....:......
......`G........i7check_mysql.........
10:27:50.410281 IP 193.219.118.100.5666 > 78.31.111.49.45449: . ack 1037 win 62 <nop,nop,timestamp 3184615502 318215454>
E..4>b at .@.....vdN.o1."..`.^/x.s....>Hf.....
..`N....
10:27:50.427262 IP 193.219.118.100.5666 > 78.31.111.49.45449: P 1:1037(1036) ack 1037 win 62 <nop,nop,timestamp 3184615519 318215454>
E..@>c at .@.....vdN.o1."..`.^/x.s....>^......
..`_........d=.d..QUERY OK: 'select *

note the name of the check (check_mysql) and the result (QUERY OK...) 
being passed back in plaintext.


-- 

       Tom Yates  -  http://www.teaparty.net
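A small classifier that applies the same distinction the capture above illustrates, added here as an example and not code from the original post or from the NRPE project. It assumes the NRPE v2 wire layout (big-endian int16 version, int16 type, uint32 CRC-32, int16 result code, 1024-byte buffer, 2 bytes of padding, 1036 bytes in total, which matches the `P 1:1037(1036)` segments in the plaintext capture) and that the CRC is the standard IEEE CRC-32 as computed by `zlib.crc32` over the packet with the CRC field zeroed. The TLS test is a record-header heuristic only. Sample payloads are constructed inline; `classify_payload`, `build_nrpe_packet` and `parse_nrpe_packet` are names chosen for this example.

```python
import struct
import zlib

# Assumed NRPE v2 wire format: "!hhIh" header (version, type, crc32, result
# code), 1024-byte command/output buffer, 2 bytes of alignment padding.
NRPE_V2 = 2
NRPE_QUERY = 1
NRPE_RESPONSE = 2
NRPE_HEADER = struct.Struct("!hhIh")          # 10 bytes, big-endian
NRPE_BUFFER_LEN = 1024
NRPE_PACKET_LEN = NRPE_HEADER.size + NRPE_BUFFER_LEN + 2   # 1036


def build_nrpe_packet(ptype, text, result_code=0):
    """Construct a CRC-valid NRPE v2 packet (sample data for the classifier)."""
    body = text.encode()[:NRPE_BUFFER_LEN - 1].ljust(NRPE_BUFFER_LEN, b"\0")
    pad = b"\0\0"
    # CRC is computed with the crc field itself set to zero (assumption).
    raw = NRPE_HEADER.pack(NRPE_V2, ptype, 0, result_code) + body + pad
    crc = zlib.crc32(raw) & 0xFFFFFFFF
    return NRPE_HEADER.pack(NRPE_V2, ptype, crc, result_code) + body + pad


def parse_nrpe_packet(payload):
    """Return (type, result_code, text) for a CRC-valid NRPE v2 packet, else None."""
    if len(payload) != NRPE_PACKET_LEN:
        return None
    version, ptype, crc, rc = NRPE_HEADER.unpack_from(payload)
    if version != NRPE_V2 or ptype not in (NRPE_QUERY, NRPE_RESPONSE):
        return None
    zeroed = NRPE_HEADER.pack(version, ptype, 0, rc) + payload[NRPE_HEADER.size:]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != crc:
        return None
    buf = payload[NRPE_HEADER.size:NRPE_HEADER.size + NRPE_BUFFER_LEN]
    text = buf.split(b"\0", 1)[0]          # buffer is NUL-terminated
    return ptype, rc, text.decode("ascii", "replace")


def looks_like_tls_record(payload):
    """Heuristic: TLS record header = content type 0x14..0x17, version 3.x, 2-byte length.

    The length is only sanity-checked, not matched against the payload, so
    truncated captures (e.g. tcpdump's default 96-byte snaplen) still classify.
    """
    if len(payload) < 5:
        return False
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return ctype in (0x14, 0x15, 0x16, 0x17) and major == 3 and minor <= 4 \
        and length <= 16384 + 2048


def classify_payload(payload):
    """Label a TCP payload seen on the NRPE port: 'tls', 'nrpe-plaintext' or 'unknown'."""
    if looks_like_tls_record(payload):
        return "tls"
    if parse_nrpe_packet(payload) is not None:
        return "nrpe-plaintext"
    return "unknown"


if __name__ == "__main__":
    # Constructed samples: a plaintext NRPE query/response pair like the one in
    # the capture, and a stub TLS handshake record (header plus 5 dummy bytes).
    samples = {
        "query": build_nrpe_packet(NRPE_QUERY, "check_mysql"),
        "response": build_nrpe_packet(NRPE_RESPONSE, "QUERY OK: 'select * ...'"),
        "tls": b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00",
    }
    for name, payload in samples.items():
        label = classify_payload(payload)
        detail = parse_nrpe_packet(payload) if label == "nrpe-plaintext" else ""
        print(f"{name:9s} {len(payload):5d} bytes -> {label} {detail}")
```

Run against the first data-bearing segment of each direction on port 5666: a `tls` result for both sides is what the first capture shows, while an `nrpe-plaintext` result means the check name and its output are readable on the wire, as in the second capture. Payloads that fail the CRC or have an unexpected size come back as `unknown` rather than being treated as NRPE.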

_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null