This procedure is unsupported.
Articles in the "Unsupported Community Documents" space are not supported by ITRS support.
Version
This article was written for version 0.4.4 of NSClient++. Versions 0.3.x and earlier of NSClient++ did not rely on the Windows Registry as heavily, so these notes would not apply. These instructions should work on later versions unless otherwise noted.
By default, encrypted communication between check_nrpe and NSClient++ uses an ADH (Anonymous Diffie-Hellman) cipher suite with a static, predefined 512-bit DH parameter set. Anonymous DH authenticates neither side, so an active attacker on the path can sit between monitor and agent unnoticed, and 512-bit DH parameters are far below current minimums.
To get a stronger cipher suite, the ability to disable SSLv2 and SSLv3, and optionally certificate-based authentication, we need to create certificates, reconfigure the agent, and upgrade the check_nrpe used for NRPE checks in OP5 Monitor.
This HOWTO focuses on NSClient++ for Windows, but the same result is achievable on Linux hosts with an upgraded NRPE daemon.
First of all, this requires NSClient++ >= 0.4.x and NRPE >= 3.0.x, since these are the versions where real SSL/TLS support (selectable protocol versions, cipher lists and certificates) was added to the agents and to check_nrpe.
To start off, I created a self-signed CA and used it to sign a per-host certificate, so I can easily add new hosts with unique certificates in the future and have the option of certificate authentication between OP5 Monitor and the monitored hosts. (NSClient++ is the TLS server in this exchange and check_nrpe the client; the HOWTO calls the per-host certificate a "client certificate" because each monitored host gets its own.)
If you don't have a CA certificate in place in your organization, here's a small HOWTO: Create a self-signed CA & client certificate with OpenSSL
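As an added example (this is not the linked HOWTO and not OP5 or NSClient++ code), the following shell script builds a minimal private CA with OpenSSL and issues one certificate/key pair for a monitored host. The directory layout, the CA subject, the host name and the validity periods are all assumptions; the resulting rootCA.pem, <host>.pem and <host>.key are the three files that go into C:\Program Files\NSClient++\security on the monitored host.

```shell
#!/bin/sh
# Added example: private CA plus one per-host certificate for NSClient++/NRPE.
# Not part of the original HOWTO. All names (output dir, CA subject, host,
# lifetimes) are assumptions; adjust them to your environment.

# Create the CA: a self-signed, 2048-bit RSA root, valid for ten years.
make_nrpe_ca() {
    out="$1"
    mkdir -p "$out"
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -subj "/CN=OP5 NRPE CA" \
        -keyout "$out/rootCA.key" -out "$out/rootCA.pem" >/dev/null 2>&1 &&
    chmod 600 "$out/rootCA.key"
}

# Issue one certificate signed by that CA for a monitored host.
# The private key is generated here; treat <host>.key like a password when
# copying it to the Windows host.
issue_nrpe_cert() {
    out="$1"; host="$2"
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -subj "/CN=$host" \
        -keyout "$out/$host.key" -out "$out/$host.csr" >/dev/null 2>&1 &&
    openssl x509 -req -sha256 -days 825 \
        -in "$out/$host.csr" -CA "$out/rootCA.pem" -CAkey "$out/rootCA.key" \
        -CAcreateserial -out "$out/$host.pem" >/dev/null 2>&1 &&
    rm -f "$out/$host.csr" &&
    chmod 600 "$out/$host.key"
}

# Confirm the issued certificate chains to the CA, which is what the
# NSClient++ "ca" setting and check_nrpe -A will check at handshake time.
# Returns 0 on success, non-zero otherwise.
verify_nrpe_cert() {
    openssl verify -CAfile "$1/rootCA.pem" "$1/$2.pem" >/dev/null 2>&1
}

# Stand-alone usage: ./make_nrpe_certs.sh <outdir> <hostname>
if [ $# -eq 2 ]; then
    make_nrpe_ca "$1" && issue_nrpe_cert "$1" "$2" && verify_nrpe_cert "$1" "$2" \
        && echo "issued $1/$2.pem, signed by $1/rootCA.pem"
fi
```

Keep rootCA.key off the monitored hosts entirely; only rootCA.pem, the host certificate and the host key are copied there. Each additional host gets its own issue_nrpe_cert run, so a compromised agent key can be revoked or replaced without touching the others.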
NSClient++
On the monitored host whose communication I want to secure, I saved the certificate, private key and CA certificate in C:\Program Files\NSClient++\security.
The next step is to change some NSClient++ options.
Pro tip: See our HOWTO on how to change NSClient++ settings within Windows registry: Handling NSClient++ settings in the Windows Registry
All of these settings are located at /settings/NRPE/server within NSClient++ settings structure. Registry path: [HKEY_LOCAL_MACHINE\SOFTWARE\NSClient++\settings\NRPE\server]
Setting | Recommended value | Default value |
---|---|---|
allowed ciphers | ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH | ADH |
ca | ${certificate-path}/rootCA.pem | UNDEFINED KEY |
certificate | ${certificate-path}/client_name.pem | UNDEFINED KEY |
certificate key | ${certificate-path}/client_name.key | UNDEFINED KEY |
dh | (empty) | ${certificate-path}/nrpe_dh_512.pem |
insecure | false | true |
ssl options | no-sslv2,no-sslv3 | UNDEFINED KEY |
Here's a quick explanation of each setting.
- allowed ciphers - Change from allowing only ADH to allowing all cipher suites except ADH and a few other weak ones (low-strength, export-grade and MD5-based suites), sorted by strength with @STRENGTH. Note that ALL still includes older suites such as RC4 and 3DES; if your check_nrpe build negotiates modern suites, a tighter list such as HIGH:!aNULL:!MD5:!RC4 (where !aNULL excludes every anonymous suite, not just ADH) is preferable.
- ca - Point to the CA certificate. ${certificate-path} points to C:\Program Files\NSClient++\security by default.
- certificate - Point to the host's certificate.
- certificate key - Point to the private key that belongs to that certificate.
- dh - Since we no longer use ADH with the static 512-bit parameters, clear this option. Do not reuse nrpe_dh_512.pem for anything else either; 512-bit DH parameters are breakable and should be regenerated at 2048 bits if you ever need DH parameters again.
- insecure - When true, NSClient++ runs in the legacy mode that the old check_nrpe (ADH) expects. Since the next step replaces check_nrpe with version 3, set it to false.
- ssl options - Add no-sslv2 and no-sslv3 so these protocol versions, both considered broken, can no longer be negotiated; only TLSv1 and later remain. (TLS 1.0 and 1.1 have since been deprecated as well; if your NSClient++ version documents matching no-tlsv1 style options, consider those too.)
Don't forget to restart the NSClient++ service after the changes are done, or else they won't take effect.
check_nrpe v3
Since the legacy check_nrpe (< 3.0.x) can only use the ADH cipher for encrypted communication, we need to compile a newer version to use for our checks.
These instructions are based on CentOS 6, which OP5 Monitor APS is based on as of this writing; equivalent steps apply on other distributions, e.g. Debian.
The following packages need to be installed in order to compile check_nrpe.
```shell
yum install -y gcc glibc glibc-common openssl-devel perl wget
```
Let's go to /tmp, download the latest version of NRPE (3.0.1 as of this writing), and extract the compressed archive.
```shell
cd /tmp
# release archive from the NRPE GitHub project; adjust the URL if you mirror it locally
wget https://github.com/NagiosEnterprises/nrpe/releases/download/nrpe-3.0.1/nrpe-3.0.1.tar.gz
tar xzf nrpe-3.0.1.tar.gz
```
Next, configure and compile check_nrpe. The compiled binary ends up in the src/ directory, so copy it to the custom plugin directory of OP5 Monitor under a new name so that we can configure custom checks in OP5 without touching the legacy binary.
```shell
cd nrpe-3.0.1
./configure
make check_nrpe
# /opt/plugins/custom is the OP5 Monitor custom plugin directory; adjust if yours differs
cp src/check_nrpe /opt/plugins/custom/check_nrpe_v3
```
It's not possible to just replace the existing check_nrpe without changing or creating checks. All the default OP5 check_nrpe commands pass -s, which forced encryption in the legacy binary; in version 3.0+ TLS is on by default and -s has a different purpose (in the 3.x usage text it takes an argument, the syslog logging options), so the old command lines no longer work as intended.
I recommend creating new custom command checks, because the default ones shipped with OP5 Monitor may be reset or overwritten during an update.
As an example, here is the default CPU usage check for Windows with only the -s flag removed. It works against the new NSClient++ setup, using TLSv1+ without the ADH cipher:
```shell
./check_nrpe_v3 -H HOSTNAME/IP -c CheckCPU -a ShowAll=long MaxWarn=80% MaxCrit=90%
```
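Before putting the new checks into production it is worth confirming that the agent really refuses what it is supposed to refuse. The script below is an added example, not part of the original HOWTO or of OP5/NSClient++: run from the OP5 Monitor host, it probes the agent with openssl s_client for SSLv3 and anonymous DH (both must fail), performs a CA-verified TLS handshake (must succeed), and then runs one check through check_nrpe_v3 with explicit TLS options. The plugin path, the certificate directory and file names, and port 5666 are assumptions; the check_nrpe option letters used (-S, -L, -A, -C, -K) are those listed in the 3.x usage text and should be confirmed against ./check_nrpe_v3 --help on your build.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: verify the hardened NSClient++
# endpoint from the OP5 Monitor host. Assumed names: check_nrpe_v3 in
# /opt/plugins/custom, certificates in /etc/op5/nrpe-certs (rootCA.pem,
# monitor.pem, monitor.key), NRPE on port 5666.
# Usage: nrpe_tls_check.sh <hostname-or-ip>

CHECK_NRPE=/opt/plugins/custom/check_nrpe_v3
CERT_DIR=/etc/op5/nrpe-certs
PORT=5666

# One openssl s_client handshake against the agent; prints the transcript.
# stdin is closed so s_client exits right after the handshake.
probe() {
    host="$1"; shift
    openssl s_client -connect "$host:$PORT" "$@" </dev/null 2>&1
}

# Returns 0 only if the transcript shows a negotiated, non-anonymous cipher.
# s_client prints "New, <proto>, Cipher is <name>" after a successful
# handshake and "New, (NONE), Cipher is (NONE)" when it failed.
handshake_ok() {
    cipher=$(printf '%s\n' "$1" | sed -n 's/^New, .*, Cipher is //p' | head -n 1)
    case "$cipher" in
        ""|"(NONE)"|ADH-*|AECDH-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Negative probe: the handshake must not complete. Caveat: a local openssl
# built without SSLv3 or ADH support also produces no handshake, so treat a
# "refused" as conclusive only if your openssl still offers the feature.
must_refuse() {
    label="$1"; host="$2"; shift 2
    if handshake_ok "$(probe "$host" "$@")"; then
        echo "FAIL: $label was accepted by $host"
        return 1
    fi
    echo "ok: $label refused by $host"
}

# Positive probe: the handshake must complete with a real cipher.
must_accept() {
    label="$1"; host="$2"; shift 2
    if handshake_ok "$(probe "$host" "$@")"; then
        echo "ok: $label accepted by $host"
        return 0
    fi
    echo "FAIL: $label refused by $host"
    return 1
}

run_checks() {
    host="$1"
    must_refuse "SSLv3"              "$host" -ssl3
    must_refuse "anonymous DH (ADH)" "$host" -cipher ADH
    must_accept "TLS, CA-verified"   "$host" -CAfile "$CERT_DIR/rootCA.pem" \
        -cert "$CERT_DIR/monitor.pem" -key "$CERT_DIR/monitor.key"
    # The CPU check again, now pinning check_nrpe's own TLS settings: minimum
    # protocol version, cipher list, CA and client certificate.
    "$CHECK_NRPE" -H "$host" -S TLSv1+ -L 'HIGH:!aNULL:!MD5' \
        -A "$CERT_DIR/rootCA.pem" -C "$CERT_DIR/monitor.pem" -K "$CERT_DIR/monitor.key" \
        -c CheckCPU -a ShowAll=long MaxWarn=80% MaxCrit=90%
}

# Only probe when a host was given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    run_checks "$1"
fi
```

If the ADH probe is still accepted, the agent was not restarted or insecure is still true; if the CA-verified handshake fails, check that rootCA.pem on the monitor is the CA that signed the agent's certificate.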
And that's it: you now have a properly encrypted TLS connection between OP5 Monitor and the monitored host. Compared to the legacy check_nrpe, the new binary offers several options for the encryption settings (protocol version, cipher list, DH parameters) and even certificate-based authentication; its usage text below lists them.
```
NRPE Plugin for Nagios
Usage: check_nrpe -H <host> [-2] [-4] [-6] [-n] [-u] [-V] [-l] [-d <dhopt>]
Options: <host> = The address of the host running the NRPE daemon
NEW TIMEOUT SYNTAX
```