How to Improve Nagios server security

Source: Internet
Author: User

Nagios is monitoring software that helps users quickly identify problems on hosts and networks, and it can be configured for use on any network. Installing the Nagios server on any Linux operating system is a very fast process, but installing it securely takes some effort. This article focuses on how to improve the security of Nagios rather than on how to install it, because there are already many articles on installation.

You may wonder why you need to consider the security of a Nagios server. If Nagios is attacked, hackers will obtain a large amount of information. The examples below all use an Ubuntu environment, but they can help users in any environment improve the security of a Nagios server, because the basic concepts are the same.

Web Interface

If you followed a quick installation guide from the Internet to install Nagios, it is likely that you installed only the web interface. Because Nagios uses Apache to serve it, many other security options are available.

The following is an example of the Apache configuration for the Nagios web interface:

Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user


The "Allow from" option restricts access to specific IP addresses and/or networks. In the preceding example, all IP addresses are allowed to access the web interface. The other security options are used for authentication. "AuthType" defines which authentication type is used. Only two types are available: Basic or Digest. With Basic, the user name and password are submitted as plain text, while with Digest the password is submitted as an MD5 digest, which is obviously safer.

To improve security, we need to make the following changes:

Options ExecCGI
AllowOverride None
Order allow,deny
Allow from 192.168.4.
AuthName "Nagios Access"
AuthType Digest
AuthDigestFile /usr/local/nagios/etc/htpasswd.users
Require valid-user


In this configuration, only computers on the 192.168.4.0 network can access the web interface, and Digest authentication replaces the insecure Basic method.

Now we need to add the users and passwords that are allowed to access the web interface. Use the following command to add a new user for digest authentication; the realm must match the AuthName value in the Apache configuration:

# htdigest -c /usr/local/nagios/etc/htpasswd.users realm username
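
Each line of the digest file has the form username:realm:MD5(username:realm:password), and an entry is only usable when its realm equals AuthName. The following is an added example, not code from the original article, that builds such entries and checks a file against the configured realm; the user names and password are constructed sample values.

```python
import hashlib
import hmac

AUTH_NAME = "Nagios Access"  # realm: must equal AuthName in the Apache config


def htdigest_line(user, realm, password):
    """Build the stored entry: user:realm:MD5(user:realm:password)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    return f"{user}:{realm}:{ha1}"


def audit_htdigest(text, realm=AUTH_NAME):
    """Report malformed entries and entries created for a different realm."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.strip().split(":")
        if len(parts) != 3 or len(parts[2]) != 32:
            findings.append(f"line {number}: not user:realm:md5hex")
        elif parts[1] != realm:
            findings.append(f"line {number}: realm {parts[1]!r} != AuthName {realm!r}")
    return findings


def check_password(text, user, password, realm=AUTH_NAME):
    """True if the file holds the entry this user/realm/password produces."""
    want = htdigest_line(user, realm, password).encode()
    return any(hmac.compare_digest(want, line.strip().encode())
               for line in text.splitlines())


# Constructed sample: the second user was added with the literal realm "realm".
SAMPLE = "\n".join([
    htdigest_line("nagiosadmin", "Nagios Access", "example-pass"),
    htdigest_line("operator", "realm", "example-pass"),
])

if __name__ == "__main__":
    print(audit_htdigest(SAMPLE))
```

The stored MD5 value is what the server checks against, so the file should be readable only by the web server user.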


Digest verification is indeed more secure than Basic verification, but the best way to secure user names and passwords is to use SSL.

After any configuration change, you must restart Apache. The command is as follows:

# /etc/init.d/apache2 restart


Best practices

This section describes the best security practices for installing the Nagios server, as follows:

· Do not run Nagios as root. A regular user named nagios is required. If Nagios runs as the root user and is compromised, attackers can do whatever they want.

· Lock the check result directory. Make sure that only the nagios user has read/write permissions on the check result directory. Otherwise, attackers may submit forged host and service check results. This directory is usually located at /usr/local/nagios/var/spool/checkresults.

· Use the full path in command definitions. When defining a command, specify the complete path, rather than a relative path, to any script or binary being executed.

· Secure remote agents. Remote agents include NRPE, NSClient, and SNMP. Next we will show how to protect the NRPE remote agent.

Remote Agent Protection

This section describes how to secure NRPE. This remote agent is used to execute check programs (such as load or disk usage checks) on the remote host. We do not want arbitrary programs or users to execute commands on the remote host, so securing NRPE is very important.

Because NRPE comes with TCP wrappers support, we can define which hosts are allowed to access NRPE:

/etc/hosts.allow
nrpe:192.168.1.91

In the above example, only 192.168.1.91 can use this remote agent on this host. You can replace 192.168.1.91 with the IP address of your Nagios client. Please note that this restriction should be applied on both your Nagios server and client.

NRPE must not be run as root or any other superuser. It should only be run as the nagios user in the nagios group. Check in /etc/nagios/nrpe.cfg that NRPE runs as nagios:

Part of /etc/nagios/nrpe.cfg
nrpe_user=nagios
nrpe_group=nagios


Another part of NRPE that can become a security hole is allowing command arguments. We do not want attackers to attack our system by sending malicious arguments. Sometimes it is necessary to allow Nagios to send command arguments, but most of the time this function is not needed, and in that case it must be disabled.

To disable this function, edit /etc/nagios/nrpe.cfg and make sure that it contains the following line:

dont_blame_nrpe=0


You must restart NRPE after making any changes to nrpe.cfg.
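
The NRPE settings covered in this section (nrpe_user, nrpe_group, dont_blame_nrpe) and the full-path rule from the best practices list can be checked together. The following is an added example, not code from the original article; the sample nrpe.cfg content, its commands and the plugin path are constructed for illustration.

```python
import re

# Constructed sample nrpe.cfg; the commands and plugin path are illustrative.
SAMPLE_CFG = """\
nrpe_user=root
nrpe_group=nagios
dont_blame_nrpe=1
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_disk]=check_disk -w $ARG1$ -c $ARG2$ -p /
"""


def parse_nrpe_cfg(text):
    """Split key=value lines into plain settings and command[name] entries."""
    settings, commands = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = re.fullmatch(r"command\[(.+)\]", key)
        if match:
            commands[match.group(1)] = value
        else:
            settings[key] = value
    return settings, commands


def audit_nrpe(text):
    """Return findings for the NRPE settings discussed in this section."""
    settings, commands = parse_nrpe_cfg(text)
    findings = []
    expected = {"nrpe_user": "nagios", "nrpe_group": "nagios", "dont_blame_nrpe": "0"}
    for key, want in expected.items():
        if settings.get(key) != want:
            findings.append(f"{key} is {settings.get(key)!r}, expected {want!r}")
    for name, cmd in sorted(commands.items()):
        if not cmd.startswith("/"):
            findings.append(f"command[{name}] does not use a full path")
        if re.search(r"\$ARG\d+\$", cmd):
            findings.append(f"command[{name}] takes client-supplied $ARGn$ arguments")
    return findings


if __name__ == "__main__":
    for finding in audit_nrpe(SAMPLE_CFG):
        print(finding)
```

A setting that is missing from the file is reported as well, so the check fails closed.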
