Article Title: explanation: How to Improve Nagios server security ?. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
Nagios is a monitoring software that helps users quickly understand problems on the host and the Internet and can be configured to be used on any network. Installing the Nagios server on any Linux operating system is a very fast process, but it takes some effort to install it securely. This article will focus on how to improve Nagios's security, rather than explaining how to install Nagios, because there are too many similar articles.
You may wonder why you need to consider the security of Nagios servers? If Nagios is attacked, hackers will obtain a large amount of information. The examples below are all in the Ubuntu environment, but these examples can help users in any environment to improve the security of Nagios server, because the basic concepts are consistent.
Web Interface
If you follow the quick installation guide provided on the Internet to install Nagios, it is likely that only the web interface is installed, because Nagios uses Apache to display many other security options.
The following is an example of apache configuration on the Nagios web interface:
Options: ExecCGI AllowOverride: None Order allow: deny Allow from: all AuthName: "Nagios Access" AuthType: Basic AuthUserFile:/usr/local/nagios/etc/htpasswd. users Require: valid-user |
The "Allow from" option is used to specify that access permissions can only be provided to some IP addresses and/or networks. In the preceding example, all IP addresses are allowed to access the web interface. Other security options are used for authentication. "AuthType" defines which authentication type is used. There are only two types available: Basic or Digest. Basic) the user password and user name are submitted as plain text, while the Digest verification password is submitted as MD5 digest, which is obviously safer.
To improve security, we need to make the following changes:
Options: ExecCGI AllowOverride: None Order allow: deny Allow from: 192.168.4. AuthName: "Nagios Access" AuthType: Digest AuthDigestFile:/usr/local/nagios/etc/htpasswd. users Require: valid-user |
In this configuration, only the computer on the 192.168.4.0 network can access the web interface, and we now use Digest verification to replace the basic insecure verification method.
Now we need to add users and passwords that allow access to the web network, and use the following command to add new users for digest authentication:
# Htdigest-c/usr/local/nagios/etc/htpasswd. users realm username |
Digest verification is indeed more secure than Basic verification, but the best way to secure user names and passwords is to use SSL.
After any configuration changes, you must restart apache. The command is as follows :.
#/Etc/init. d/apache2 restart |
[1] [2] [3] Next page