LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: April 21st, 2014
Linux Security Week: April 7th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
A Secure Nagios Server Print E-mail
User Rating:      How can I rate this item?
Source: www.linuxsecurity.com - Posted by Administrator   
Features Nagios is a monitoring software designed to let you know about problems on your hosts and networks quickly. You can configure it to be used on any network. Setting up a Nagios server on any Linux distribution is a very quick process however to make it a secure setup it takes some work. This article will not show you how to install Nagios since there are tons of them out there but it will show you in detail ways to improve your Nagios security.


Bill Keys
Introduction

Nagios is a monitoring software designed to let you know about problems on your hosts and networks quickly. You can configure it to be used on any network. Setting up a Nagios server on any Linux distribution is a very quick process however to make it a secure setup it takes some work. This article will not show you how to install Nagios since there are tons of them out there but it will show you in detail ways to improve your Nagios security.

You may be wondering why should I need to think about securing my Nagios server? Well, think about the amount of information the attacker can get if they compromise it.

All the examples below assumes you are using Ubuntu. However these examples will help any user running a Nagios server to make it more secure since the concepts will still apply.

Web interface

If you installed Nagios with one of the quick start guides out there, chances are that you setup the web interface. Since Nagios uses Apache to display it there are many security options.

Below is an example of apache configuration for a Nagios web interface:


Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user

The 'Allow from' option is used to provide access to only a certain IP address and/or network. The above example allows any IP address to access the web interface. The other security options are used for authentication. 'AuthType' defines the type of authentication being used. There are two types you can choose from Basic or Digest. Basic authentication will transmit your passwords and username as clear text. However using Digest the passwords are transmitted as MD5 digests which is more secure then in clear text.

After making some security improvement we get the below.


Options ExecCGI
AllowOverride None
Order allow,deny
Allow from 192.168.4.
AuthName "Nagios Access"
AuthType Digest
AuthDigestFile /usr/local/nagios/etc/htpasswd.users
Require valid-user

Now only computers on the 192.168.4.0 network can have access to the web interface. Also we are now using Digest authentication instead of the insecure method of Basic authentication.

Now we need to add users and passwords to allow accesses to the web interface. To add a new user using digest authentication use the below command:

# htdigest -c /usr/local/nagios/etc/htpasswd.users realm username

Digest is more secure then Basic authentication but the best way keep your username and passwords safe is to use SSL.

Make sure that you restart apache if you make any configuration changes.

# /etc/init.d/apache2 restart
Best Practices

This sections lists some of the best security practices when setting up an Nagios server.

  • Don't Run Nagios As Root
  • There should be an normal user called nagios. If Nagios is running as root then if Nagios gets compromised then the attacker can do anything they want to your system.
  • Lock Down The Check Result Directory
  • Make sure that only nagios has read/write access to the check result directory otherwise an attacker can send fake host and service checks. This directory is normal at /usr/local/nagios/var/spool/checkresults
  • Use Full Paths In Command Definitions
  • When defining commands, make sure to specify the full path and not the relative one to any scripts or binaries you’re executing.
  • Secure Remote Agents
  • Some example are NRPE, NSClient, and SNMP. Below we will look at steps to secure the NRPE remote agent.


Secure Remote agents

This sections we will look at ways you can make NRPE more secure. This remote agent is used to execute programs on an remote host for doing checks like the load or disk usage. Since we don't want any programs or users being able to execute commands on our remote machines it's important to spend some time to make NRPE more secure.

Since NRPE come with support for TCP wrappers we can define which hosts have access to it.

Example /etc/hosts.allow

nrpe:192.168.1.91

This will allow only 192.168.1.91 to be able to use this remote agent on this host. You should replace this with the IP address of your Nagios client. Note this should be used on both your Nagios server and client.

NRPE should never run as root or any other superusers it should only be run as a nagios user in the group nagios. In /etc/nagios/nrpe.cfg you can check weather or not it's running as nagios.

Example part of /etc/nagios/nrpe.cfg

nrpe_user=nagios
nrpe_group=nagios

Another part of NRPE that can be a security hole is allowing command arguments. We don't want attacks to send malicious arguments that can compromise our system. Some times we need to allow Nagios to send command arguments but if you don't need it to be enable which most times they are not needed then you should definitely disable them.

To disable them edit /etc/nagios/nrpe.cfg and make sure that you have the below line:

dont_blame_nrpe=0

Make user you restart nrpe to if you make any changes to nrpe.cfg. For more information on how to secure NRPE please read the file called SECURITY in the packages source file.

Secure Communication channels

Any time you communicate over a network you should be thinking about how can I make this more secure. This is where SSL is needed.

NRPE allows you to enable it to use SSL but your package must have configured it with the –enable-ssl option. If NRPE is configured to use SSL note, both the client and the server instance must have it enabled to work.

Next we should also configure SSL so that we don't send our web interfaces passwords in clear text.

# openssl genrsa -des3 -out server.3des-key 1024
# openssl rsa -in server.3des-key -out server.key
# openssl req -new -key server.key -x509 -out server.crt -days 365
# chmod 600 server.key
# rm server.3des-key
# mv server.crt /etc/ssl/
# mv server.key /etc/ssl/private/

Now that we have generated our certificate we need to tell Apache to use them.

In your Apache configuration you will need to add the SSLRequireSSL options for example:


SSLRequireSSL
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from 192.168.4.
AuthName "Nagios Access"
AuthType Digest
AuthDigestFile /usr/local/nagios/etc/htpasswd.users
Require valid-user

Remember to restart Apache.

# /etc/init.d/apache2 restart
Where to go from here?

Now you should feel confident that your Nagios server is more secure from attack. The next step is to just install security updates when they are released.

Resources

Comments
this was exactly the info I neededWritten by anonymous on 2008-11-12 03:46:00
I installed and configured nagios a few days ago on a CentOS box, and the infos in the article are to harden both the nagios server and the clients are helpful, because out of the rpmforge package the settings have not been optimal regarding the points mentioned in the article 
 
Thanks a lot
Great articleWritten by sandeeprhce5 on 2008-12-09 05:50:59
i appreciate this article. It contains whole thins that i want to know. Thanks
Completes my documentation nicely!Written by Ed on 2008-12-15 08:39:15
Very nice documentation. I had been looking for a clear way to use SSL, your article does just that. 
Thank you. 
zeroWritten by zero on 2008-12-19 04:36:14
good
Excellent AdviceWritten by anonymous on 2009-03-10 09:42:24
Thanks for this article it is an important topic and was very helpful. 
 
I have however had some trouble getting the digest authentication to work, so for the potential benefit of others experiencing similar problems... 
 
I'm using openSUSE 11 and Apache 2.2.8 
 
I have configured the nagios.conf: 
 
Options None 
AllowOverride None 
Order allow,deny 
Allow from all 
AuthName "Nagios Access" 
AuthType Digest 
AuthDigestDomain /nagios/ 
AuthDigestProvider file 
AuthUserFile  
Require valid-user 
 
 
Ammended the /etc/sysconfig/apache2 to include the apache module 'auth_digest'. 
 
Checked the file permissions on the password file to make sure it can be used. 
 
Tried including the IE Apache fix (BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On). 
 
Used Firefox instead and still no joy. 
 
Still can't get it to accept the password I have set using the htdigest2 command. 
 
I'll keep trying though! Probably missing something obvious but I havent found it yet whatever it is =) 
 
 
 
Found itWritten by anonymous on 2009-03-10 11:16:17
Got it working. 
 
This may be simple for most of you folks but here it is for the ones who don't know.. 
 
When I was using the command 
htdigest2 -c  
 
Make sure the is exactly the same as the name you define in the Apache .conf file (its case sensitive): 
AuthName "Nagios Access" 
Edit cus this doesnt appear to like anglWritten by anoymous on 2009-03-10 11:18:12
When I was using the command  
htdigest2 -c filename realm username 
 
Make sure the realm is exactly the same as the name you define in the Apache .conf file (its case sensitive):  
AuthName "Nagios Access"

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.