Here is a collection of steps one might take when hardening an OP5 Monitor setup. This article is not an exhaustive list of steps, but rather a constant work in progress.
Enable Merlin encryption
Starting with version 8.2.0 of OP5 Monitor, the communication between Merlin nodes can be encrypted on an opt-in basis. See the documentation below:
Remove "test this check" permissions from groups that don't need it
The "test this check" functionality is a potential attack surface and should be limited to the users who need it.
Go to Manage > Configure > Group rights and disable the following categories for users that shouldn't have these permissions:
- Host > Test This Host
- Service > Test This Service
- Command > Test This Command
Disallow dangerous characters in "test this check"
To make "test this check" more secure for the users who do need to run it, you may want to disallow dangerous characters for these users.
Go to Manage > Configure > Group rights and enable the category:
- Misc > Disallow Dangerous Characters
Install a signed SSL certificate
You can follow this guide to install a new certificate from a proper certificate authority:
Disable non-encrypted SNMP versions
SNMPv3 supports secure authentication as well as encrypted data transfer. Disable versions 1 and 2c, which do not.
Modify /etc/snmp/snmpd.conf to comment out the relevant lines:
#com2sec notConfigUser default securestring
#group notConfigGroup v1 notConfigUser
#group notConfigGroup v2c notConfigUser
Then restart snmpd.
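To confirm that no SNMPv1/v2c directive is still active after the edit, the following check can be run against the file. It is an added example, not part of OP5 Monitor or of the original article; the function names are hypothetical, the sample configuration is constructed, and flagging rocommunity/rwcommunity lines is an assumption that goes beyond the three lines shown above.

```shell
#!/bin/sh
# Added example: list active snmpd.conf directives that still enable SNMPv1/v2c.
# com2sec and "group <name> v1|v2c <secname>" are the lines the article comments
# out; rocommunity/rwcommunity (assumption, not in the article) also define
# community-string access and are flagged as well.

find_cleartext_snmp() {
    # $1: path to an snmpd.conf file.
    # Prints "<line number>: <line>" for every active (uncommented) offender.
    awk '
        NF == 0 || $1 ~ /^#/ { next }    # skip blank lines and comments
        $1 ~ /^(com2sec6?|rocommunity6?|rwcommunity6?)$/ { print NR ": " $0; next }
        $1 == "group" && $3 ~ /^(v1|v2c)$/ { print NR ": " $0 }
    ' "$1"
}

count_cleartext_snmp() {
    # $1: path to an snmpd.conf file. Prints the number of offending lines.
    find_cleartext_snmp "$1" | wc -l | tr -d ' '
}

# Constructed sample: the v1 group line was commented out, the v2c one was missed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#com2sec notConfigUser default securestring
#group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser
# SNMPv3 user and group (usm is the v3 security model)
group v3group usm monitor
rouser monitor priv
EOF

echo "Active SNMPv1/v2c directives: $(count_cleartext_snmp "$sample")"
find_cleartext_snmp "$sample"
rm -f "$sample"
```

On a monitored host, call find_cleartext_snmp /etc/snmp/snmpd.conf before restarting snmpd; empty output means none of the flagged directives remain active.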