LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-06-2004, 11:10 AM   #1
Killbot_5000
LQ Newbie
Registered: Aug 2004
Location: Southern IL
Distribution: OpenSuSE 10.1
Posts: 24

Nagios/nrpe: SSL Issues


I have set up two machines running Fedora Core 2. Nagios is installed and setup on both, with WebMIN and NagMIN. I am setting up a failover monitoring system, so if one Nagios machine goes down, the other one will find out and start monitoring the network.

In the Nagios documentation, it suggests using Nrpe (Nagios Remote Plugin Executor). A cronjob will call check_nrpe to tell the other Nagios machine to check the disk space or something through port 5666, where the host nrpe daemon is listening. When it returns with the data, the backup machine knows everything is fine, so it'll wait about 5 minutes and do it again, until it receives no response. At that time, the backup Nagios system will take over the monitoring.

Where I am running into a problem is with SSL (I think). I have not written the cron job; I've just been running check_nrpe from the terminal. From the backup machine, I get the message Connection refused. This message appears immediately, which at first led me to believe the network wasn't working. But the network is working fine. When I run the exact same check_nrpe line from the terminal of the primary machine, it says:

CHECK_NRPE: Error - Could not complete SSL handshake

I checked out the faq on the Nagios website (nagios.org).

And they had this to say:
===================================

Solution:

This error message could be due to several problems:

1. Different versions. Make sure you are using the same version of the check_nrpe plugin and the NRPE daemon. Newer versions of NRPE are usually not backward compatible with older versions.
2. SSL is disabled. Make sure both the NRPE daemon and the check_nrpe plugin were compiled with SSL support and that neither are being run without SSL support (using command line switches).
3. Incorrect file permissions. Make sure the NRPE config file (nrpe.cfg) is readable by the user (i.e. nagios) that executes the NRPE binary from inetd/xinetd.
4. Pseudo-random device files are not readable. Greg Haygood noted the following... "After wringing my hair out and digging around with truss, I figured out the problem on my Solaris 8 boxen. The files /devices/pseudo/random* (linked through /dev/*random, and provided by Sun patch 111238) were not readable by the nagios user I use to launch NRPE. Making the character devices world-readable solved it."

Dave van Nierop added that "Fortunately, for HPUX 11.i (11.11) and later Nagios users, HP now supports /dev/random and /dev/urandom via a kernel loadable module. Prior to running the NRPE 2.0 configure script, you will need to download this program from [HAD TO REMOVE URL FOR POST] Installation does require a server reboot. For detailed information, consult [REMOVED URL TO POST]

===================================

Now, I am pretty well a newbie. Though I think I have a good grasp of the problem, I am not aware of the possible solutions. I have checked the permissions, and they are fine. The program is the same version as the check_nrpe plugin. I would assume SSL would be set up by following the install instructions that come with it, since SSL is required to use it. And when I downloaded HPUX, it was a .depot file, which I do not know how to open. I'm very frustrated, and I cannot figure out how to progress.

Any insight would be greatly appreciated, or at least tutorials or faqs that would point me in the right direction.
 
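The four FAQ items quoted in the post above (matching versions, SSL compiled into both ends, nrpe.cfg readable by the nagios user, /dev/random readable) can be checked mechanically. The script below is an added example written for this thread; it is not part of NRPE or the Nagios FAQ. It assumes the no-argument banner format of NRPE 2.x ("Version: ..." and "SSL/TLS Available: ..." lines, as quoted later in this thread), GNU ldd output, and the NRPE 2.x `-n` switch for running without SSL; the banners and ldd output used in comments are constructed.

```python
"""Pre-checks for the four Nagios FAQ causes of 'Could not complete SSL handshake'."""
import grp
import os
import pwd
import re
import stat
import subprocess

BANNER_VERSION = re.compile(r"^Version:\s*(\S+)", re.MULTILINE)
BANNER_SSL = re.compile(r"^SSL/TLS Available:", re.MULTILINE)


def banner_version(banner):
    """'Version:' field of the banner nrpe / check_nrpe print when run with no arguments."""
    m = BANNER_VERSION.search(banner)
    return m.group(1) if m else None


def banner_has_ssl(banner):
    """A build with OpenSSL advertises 'SSL/TLS Available: ...'; a build without it prints no such line."""
    return BANNER_SSL.search(banner) is not None


def ldd_links_libssl(ldd_output):
    """True when `ldd <binary>` lists libssl.  A static build can still have SSL without showing it here."""
    return any(line.strip().startswith("libssl.so") for line in ldd_output.splitlines())


def compare_builds(daemon_banner, plugin_banner):
    """FAQ items 1 and 2: same version on both ends, and SSL on both ends or on neither."""
    problems = []
    dv, pv = banner_version(daemon_banner), banner_version(plugin_banner)
    if dv is None or pv is None:
        problems.append("no 'Version:' line in one of the banners")
    elif dv != pv:
        problems.append(f"version mismatch: nrpe {dv} vs check_nrpe {pv}")
    ds, ps = banner_has_ssl(daemon_banner), banner_has_ssl(plugin_banner)
    if ds != ps:
        problems.append(
            f"SSL support differs: nrpe={'yes' if ds else 'no'}, check_nrpe={'yes' if ps else 'no'}; "
            "rebuild the side that lacks it, or run both with -n (NRPE 2.x: no SSL) and accept plaintext")
    return problems


def mode_allows_read(st_mode, st_uid, st_gid, uid, gids):
    """Classic owner/group/other read check (no ACLs): FAQ items 3 and 4 reduce to this."""
    if uid == 0:
        return True
    if st_uid == uid:
        return bool(st_mode & stat.S_IRUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IRGRP)
    return bool(st_mode & stat.S_IROTH)


def readable_by_user(path, user):
    """Can `user` (e.g. nagios) read `path` (nrpe.cfg, /dev/random)?  Group list comes from the local passwd/group db."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    st = os.stat(path)
    return mode_allows_read(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids)


def _output_of(argv):
    """stdout+stderr of a command ('' if it cannot be run); nrpe with no arguments exits non-zero by design."""
    try:
        p = subprocess.run(argv, capture_output=True, text=True)
    except OSError:
        return ""
    return p.stdout + p.stderr


def precheck(nrpe_bin, check_nrpe_bin, nrpe_cfg, user="nagios"):
    """Run all four FAQ checks on a live host; returns the list of findings (empty means all clear)."""
    findings = compare_builds(_output_of([nrpe_bin]), _output_of([check_nrpe_bin]))
    ldd_out = _output_of(["ldd", nrpe_bin])
    if not ldd_out:
        findings.append("could not run ldd on " + nrpe_bin)
    elif not ldd_links_libssl(ldd_out):
        findings.append(f"ldd shows no libssl for {nrpe_bin} (static link, or built without SSL)")
    for path in (nrpe_cfg, "/dev/random", "/dev/urandom"):
        if os.path.exists(path) and not readable_by_user(path, user):
            findings.append(f"{path} is not readable by {user}")
    return findings


if __name__ == "__main__":
    import sys  # usage: precheck.py /path/to/nrpe /path/to/check_nrpe /path/to/nrpe.cfg [user]
    for finding in precheck(*sys.argv[1:5]) or ["no problems found"]:
        print(finding)
```

Run it on the daemon host with the paths from your install. An empty finding list rules out the build-level causes; what is left is configuration (the port, and which hosts the daemon is willing to talk to), which the later posts in this thread get to.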
Old 08-11-2004, 12:23 AM   #2
bastard23
Member
Registered: Mar 2003
Distribution: Debian
Posts: 275
Killbot_5000,

I have no knowledge of nagios itself, but:

From the backup machine, I get the message Connection refused.
This probably means that the NRPE daemon is either not running, or not listening on the IP address/port. Run "netstat -lp" on the primary machine and look for the daemon and the port. If you don't see it, make sure all the programs are being started. Another option is that the firewall is blocking this.

2. SSL is disabled. Make sure both the NRPE daemon and the check_nrpe plugin were compiled with SSL support and that neither are being run without SSL support (using command line switches).
I'm assuming that you installed nagios by rpm. You can run "ldd <your daemon>" to see if it links against libssl.
You should also check the init script /etc/init.d/<something like nagios> (I'm not sure of the exact name, or if it even has an init script) or in your inetd configuration. Reread your configuration file to make sure SSL isn't being disabled.

You don't need the HPUX binary. It's for another operating system.

Good Luck,
chris
 
Old 08-11-2004, 08:50 AM   #3
Pastorino
Member
Registered: Jul 2004
Distribution: RHEL 6.2
Posts: 35
Is the mod_ssl package installed in your Fedora Core 2?
 
Old 08-11-2004, 08:57 AM   #4
Killbot_5000
LQ Newbie
Registered: Aug 2004
Location: Southern IL
Distribution: OpenSuSE 10.1
Posts: 24
Original Poster
I did what you said

It does not make a reference to libssl when I ldd nrpe. Nrpe comes with README.SSL, which states:

Quote:
NRPE With SSL/TLS

NRPE now has the option for Encrypting Network traffic using
SSL/TLS from openssl.

The Encryption is done using a set encryption routine of
AES-256 Bit Encryption using SHA and Anon-DH. This encrypts
all traffic using the NRPE sockets from the client to the server.

Since we are using Anon-DH this allows for an encrypted
SSL/TLS Connection without using pre-generated keys or
certificates. The key generation information used by the
program to dynamically create keys on daemon startup can be found
in the dh.h file in the nrpe src directory. This file was created
using the command:

openssl dhparam -C 512

which outputs the C code in dh.h. For your own security you can replace
that file with your own dhparam generated code.

As of this time you will need to have the latest greatest version of
OpenSSL (tested against version 0.9.7a) since not all versions have
the AES algorithm in them.

I am not aware that at this time this code is restricted under export
restrictions but I leave that verification process up to you.

Thoughts and suggestions are welcome and I can be reached on the
Nagios and NagiosPlug Mailing Lists.

- Derrick
I did not find anything restricting SSL in the config files. Also, I get the SSL handshake error from the box running NRPE when I run ./check_nrpe, but I get the connection refused error when I run it from the other machine. Wouldn't I get that error because the SSL handshake couldn't be completed? If it were just SSL, would I get the same error from both machines?

If anyone wants to download and install NRPE, which is only like 50k, I would greatly appreciate it. I don't believe Nagios has to be running for it to work, only if you want it to be useful.

I appreciate any help I can get. I'm stressing about this now, because I can't set up my distributed monitoring, so I had to set up a failover monitoring system by using a shell script that pings the nrpe box to see if it's live. Of course, that won't do any good if Nagios crashes and the computer doesn't go down, or if it's turned off.

Last edited by Killbot_5000; 08-11-2004 at 09:03 AM.
 
Old 08-11-2004, 09:18 AM   #5
Killbot_5000
LQ Newbie
Registered: Aug 2004
Location: Southern IL
Distribution: OpenSuSE 10.1
Posts: 24
Original Poster
mod_ssl?

How do I check that? I have ssl installed, but I don't know if mod_ssl is something I could have overlooked. I have Fedora Core 2 installed with SSL installed from the OS installation. I also downloaded the latest open_ssl to confirm that my current package was up to date.

So my answer to that is: I have open_ssl installed. If I didn't have to do anything special to install mod_ssl, then it's installed. If I would know if I had it installed (like I would have had to do, well, something special), then I definitely don't.

I hope I didn't confuse anyone with that little smidgen of half-mindless yammering.

Last edited by Killbot_5000; 08-11-2004 at 09:20 AM.
 
Old 08-12-2004, 12:18 AM   #6
bastard23
Member
Registered: Mar 2003
Distribution: Debian
Posts: 275
OK,

You don't need mod_ssl, as it is the apache 1.x ssl module. You don't have to worry about this until you secure the nagios web interface. I don't think nrpe uses apache.

A "Connection refused" error would happen earlier in the process than a "SSL handshake" error. Unfortunately I don't know how check_nrpe would report the error as they can be related, see https://sourceforge.net/mailarchive/...msg_id=9046720 for a reverse problem.

Now on to your "SSL handshake" problem. If nrpe does not link against anything related to ssl, then it probably doesn't use ssl (it could be static linked). Try turning off ssl for check_nrpe to see if that works.

Your problem of "Connection refused" means nrpe is not listening to the expected IP:port combination. How is nrpe started, from inetd? run netstat -l to see what addresses it is listening to. You should see one with either your server IP address or 0.0.0.0.

Good Luck,
chris

edit: turned off smilies, added postscript

PS: I believe anon-DH is susceptible to a man in the middle attack, make sure to secure your media. But so is a default ssh configuration, whatta ya goin' to do?

Last edited by bastard23; 08-12-2004 at 12:31 AM.
 
Old 08-23-2004, 04:04 PM   #7
Killbot_5000
LQ Newbie
Registered: Aug 2004
Location: Southern IL
Distribution: OpenSuSE 10.1
Posts: 24
Original Poster
Although I followed the instructions that came with NRPE, I think it may not be running.

When I do a chkconfig --list, it shows under Xinetd as being ON.

When I ps aux | grep nrpe, it doesn't show up.

When I try to start it manually, it does not produce any message, but I cannot grep the process either.

When I netstat -l, it doesn't show on the list.

Quote:
Running Under INETD or XINETD
-----------------------------

If you plan on running nrpe under inetd or xinetd and making use
of TCP wrappers, you need to do the following things:



1) Add a line to your /etc/services file as follows (modify the port
number as you see fit)

nrpe 5666/tcp # NRPE



2) Add entries for the NRPE daemon to either your inetd or xinetd
configuration files. Which one you use will depend on which
superserver is installed on your system. Both methods are described
below. NOTE: If you run nrpe under inetd or xinetd, the server_port
and allowed_hosts variables in the nrpe configuration file are
ignored.


***** INETD *****
If your system uses the inetd superserver WITH tcpwrappers, add an
entry to /etc/inetd.conf as follows:

nrpe stream tcp nowait <user> /usr/sbin/tcpd <nrpebin> -c <nrpecfg> --inetd

If your system uses the inetd superserver WITHOUT tcpwrappers, add an
entry to /etc/inetd.conf as follows:

nrpe stream tcp nowait <user> <nrpebin> -c <nrpecfg> --inetd


- Replace <user> with the name of the user that the nrpe server should run as.
Example: nagios
- Replace <nrpebin> with the path to the nrpe binary on your system.
Example: /usr/local/nagios/nrpe
- Replace <nrpecfg> with the path to the nrpe config file on your system.
Example: /usr/local/nagios/nrpe.cfg


***** XINETD *****
If your system uses xinetd instead of inetd, you'll probably
want to create a file called 'nrpe' in your /etc/xinetd.d
directory that contains the following entries:


# default: on
# description: NRPE
service nrpe
{
flags = REUSE
socket_type = stream
wait = no
user = <user>
server = <nrpebin>
server_args = -c <nrpecfg> --inetd
log_on_failure += USERID
disable = no
only_from = <ipaddress1> <ipaddress2> ...
}


- Replace <user> with the name of the user that the nrpe server should run as.
- Replace <nrpebin> with the path to the nrpe binary on your system.
- Replace <nrpecfg> with the path to the nrpe config file on your system.
- Replace the <ipaddress> fields with the IP addresses of hosts which
are allowed to connect to the NRPE daemon. This only works if xinetd was
compiled with support for tcpwrappers.



3) Restart inetd or xinetd with the following command (pick the
one that is appropriate for your system):

/etc/rc.d/init.d/inet restart

/etc/rc.d/init.d/xinetd restart


4) Add entries to your /etc/hosts.allow and /etc/hosts.deny
file to enable TCP wrapper protection for the nrpe service.
This is optional, although highly recommended.


I have followed these instructions exactly. Anything you guys can think of that would stop it from running?

Any help is greatly appreciated, as I feel I am making headway due to these suggestions.
 
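The xinetd procedure quoted above has three places to get wrong: the /etc/services line, the placeholders in the stanza, and `disable`/`only_from`. The script below is an added example for this thread, not a tool shipped with NRPE: it renders the README's /etc/xinetd.d/nrpe stanza from real values and checks an existing stanza plus /etc/services for the mistakes that leave nothing listening on 5666. It assumes the README's example paths (/usr/local/nagios/nrpe, /usr/local/nagios/nrpe.cfg) and that, as the README says, `allowed_hosts` in nrpe.cfg is ignored under xinetd, so `only_from` is the only source filter; the stanza and services text used in the comments are constructed.

```python
"""Render and sanity-check the /etc/xinetd.d/nrpe stanza from the NRPE README."""
import re

ATTR = re.compile(r"^([A-Za-z_]+)\s*(\+=|=)\s*(.*)$")
PLACEHOLDER = re.compile(r"<\w+>")  # README leaves <user>, <nrpebin>, <nrpecfg>, <ipaddress1> to fill in


def render_xinetd_nrpe(user, nrpebin, nrpecfg, only_from):
    """Fill in the README's template; only_from is the list of monitoring hosts allowed to connect."""
    return (
        "# default: on\n"
        "# description: NRPE\n"
        "service nrpe\n"
        "{\n"
        "\tflags           = REUSE\n"
        "\tsocket_type     = stream\n"
        "\twait            = no\n"
        f"\tuser            = {user}\n"
        f"\tserver          = {nrpebin}\n"
        f"\tserver_args     = -c {nrpecfg} --inetd\n"
        "\tlog_on_failure  += USERID\n"
        "\tdisable         = no\n"
        f"\tonly_from       = {' '.join(only_from)}\n"
        "}\n"
    )


def parse_xinetd_stanza(text):
    """Attributes of the first 'service ... { ... }' block; the service name is stored under '_service'."""
    attrs, inside = {}, False
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("service ") and not inside:
            attrs["_service"] = s.split(None, 1)[1].strip()
        elif s == "{":
            inside = True
        elif s == "}":
            break
        elif inside:
            m = ATTR.match(s)
            if m:
                attrs[m.group(1)] = m.group(3).strip()
    return attrs


def services_has_nrpe(services_text, port=5666):
    """True if /etc/services maps 'nrpe' to <port>/tcp; xinetd takes the port from there for a listed service."""
    for raw in services_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nrpe" and fields[1] == f"{port}/tcp":
            return True
    return False


def check_stanza(attrs, services_text, port=5666):
    """Reasons xinetd would not start nrpe, or would start it open to the world; [] means it looks sane."""
    problems = []
    if attrs.get("_service") != "nrpe":
        problems.append("block is not 'service nrpe'")
    if attrs.get("disable", "no").lower() != "no":
        problems.append("disable is not 'no' (this is the line 'chkconfig nrpe on' flips)")
    for key in ("user", "server", "server_args"):
        val = attrs.get(key)
        if val is None or PLACEHOLDER.search(val):
            problems.append(f"{key} is missing or still a <placeholder>")
    if "--inetd" not in attrs.get("server_args", ""):
        problems.append("server_args lacks --inetd (nrpe must be told it is serving one connection on stdin/stdout)")
    only = attrs.get("only_from", "")
    if not only.strip() or PLACEHOLDER.search(only):
        problems.append("only_from is empty or a <placeholder>: under xinetd nrpe.cfg's allowed_hosts is ignored, "
                        "so this line is the only source filter")
    if not services_has_nrpe(services_text, port):
        problems.append(f"/etc/services has no 'nrpe {port}/tcp' line, so xinetd cannot learn the port")
    return problems


if __name__ == "__main__":
    with open("/etc/xinetd.d/nrpe") as stanza, open("/etc/services") as services:
        for problem in check_stanza(parse_xinetd_stanza(stanza.read()), services.read()) or ["stanza looks sane"]:
            print(problem)
```

After fixing whatever it reports, restart xinetd and confirm with `netstat -lp` that something is now bound to 5666; under xinetd the listener shown will be xinetd itself, not nrpe, which is why `ps aux | grep nrpe` finds nothing until a connection arrives.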
Old 08-23-2004, 04:46 PM   #8
Killbot_5000
LQ Newbie
Registered: Aug 2004
Location: Southern IL
Distribution: OpenSuSE 10.1
Posts: 24
Original Poster
Ok, this is what I have found:

If NRPE is running (?) under Xinetd, I receive the message "Connection refused by host" and nothing is listening to port 5666 under netstat -lp.

If I chkconfig nrpe off, I can then start it as a standalone daemon (./nrpe -c nrpe.cfg -d). If I netstat -lp, nrpe is listening to 5666. If I run ./check_nrpe now, I get "Cannot complete SSL handshake".

So I have two separate issues. I want NRPE to run under Xinetd, and I want to fix this SSL error.
 
Old 08-23-2004, 05:57 PM   #9
bastard23
Member
Registered: Mar 2003
Distribution: Debian
Posts: 275
If "ldd nrpe" does not show libssl then the nrpe binary does not support SSL connections (99% of the time). To verify, run the nrpe and check_nrpe programs w/o any arguments. This should print out something like:

$ ./nrpe

NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2003 Ethan Galstad (nagios@nagios.org)
Version: 2.0
Last Modified: 09-08-2003
License: GPL with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required

Notice "SSL/TLS Available:", as they should both have this.

If it isn't there, then you will need to rebuild the program. A default build of nrpe seems to find the ssl libs/headers just fine. Is this part of Fedora or downloaded separately?

For the xinetd problem (not starting nrpe), you should post your entry in xinetd (/etc/xinetd/nrpe). Is xinetd running? Try /etc/init.d/xinetd status or /etc/init.d/xinetd restart

Good Luck,
chris
 
Old 09-02-2004, 03:30 AM   #10
nsi-f34r
LQ Newbie
Registered: Sep 2004
Posts: 2
Hi,

I have set-up nagios:

If you just want to monitor your nagios server , there is no need for nrpe. The only time that you might want to use nrpe is if you are monitoring services on other servers.

What I Did:

Download the following packages:

nagios-nrpe_2.0.orig.tar.gz ( suse has these on it's cd's)
nagios-plugins-1.3.1.tar.gz

When installing nagios-nrpe:

#cd nrpe.20
#./configure --enable-command-args **** There are issues on security, but I'm using authentication and I'm using firewalls, so it's ok for me
#make all
#mkdir /etc/nagios
#cp src/nrpe /etc/nagios
#cp nrpe.cfg /etc/nagios
#vi nrpe

make sure that the following is there:

server_port=5666
allowed_hosts=127.0.0.1,<nagios-central-servers-ip>

*************un-comment all of the following, this will be right at the bottom of the file:******************************

command[check_users]=/usr/local/nagios/libexec/check_users -w $ARG1$ -c $ARG2$
command[check_load]=/usr/local/nagios/libexec/check_load -w $ARG1$ -c $ARG2$
command[check_disk]=/usr/local/nagios/libexec/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
command[check_procs]=/usr/local/nagios/libexec/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$

MAKE SURE THAT MOST SSL PACKAGES ARE INSTALLED:

Now start nrpe:

#/etc/nagios/nrpe -d -c /etc/nagios/nrpe.cfg

Now for the central server:

TESTING:

on the linux server pc, tail the log file!

go to the central nagios server and do the following:

#telnet <linux-server-ip> 5666

if you get

SUSE9:~ # telnet 192.96.150.10 5666
Trying 192.96.150.10...
Connected to 192.96.150.10.
Escape character is '^

Then you know that the remote server is listening, then try the following:

SUSE9:~ # /usr/lib/nagios/plugins/check_nrpe -H 192.96.150.10 -p 5666 -c "check_procs" -a 100 130 RSZDT
OK - 74 processes running with STATE = RSZDT



POSSIBLE ERRORS, when i run the same check from one of my other nagios servers, this is what i get:

g4t3d:~ # /usr/lib/nagios/plugins/check_nrpe -H 192.96.150.11 -p 5666 -c "check_procs" -a 100 130 RSZDT
CHECK_NRPE: Error - Could not complete SSL handshake.

proxy:/var/log # tail -f messages
Sep 2 10:33:22 proxy nrpe[25690]: Host 192.96.150.214 is not allowed to talk to us!


The reason is obvious: in the nrpe.cfg file, the allowed hosts doesn't have my second nagios server IP address.

I hope that this is enough help; if there are any questions, I should be able to answer any other questions regarding this issue.
 
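The post above is the key observation of the thread: the daemon rejects a host that is not in `allowed_hosts` by closing the socket, and check_nrpe reports that as "Could not complete SSL handshake" even though SSL has nothing to do with it. The script below is an added example, not code from the thread or from NRPE: it parses an nrpe.cfg, decides whether a client IP would be accepted in daemon (`-d`) mode, lists the commands that take client-supplied `$ARGn$` (the part `--enable-command-args` makes risky), and correlates the client-side error text with the daemon's syslog line to name the likeliest cause. It assumes the log line format quoted above ("Host X is not allowed to talk to us!"), the standard nrpe.cfg keys, and that later NRPE releases accept subnet notation in `allowed_hosts` (literal IPs in 2.0); the config fragment and log line used in the comments are constructed.

```python
"""Triage for the 'Could not complete SSL handshake' symptom against an nrpe.cfg and the daemon's log."""
import ipaddress
import re

CMD_LINE = re.compile(r"^command\[([^\]]+)\]=(.*)$")
NOT_ALLOWED = re.compile(r"nrpe\[\d+\]: Host (\S+) is not allowed to talk to us!")
USES_ARGS = re.compile(r"\$ARG\d+\$")


def parse_nrpe_cfg(text):
    """server_port, allowed_hosts, dont_blame_nrpe and the command[] table from an nrpe.cfg."""
    cfg = {"server_port": 5666, "allowed_hosts": [], "dont_blame_nrpe": 0, "commands": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        m = CMD_LINE.match(line)
        if m:
            cfg["commands"][m.group(1)] = m.group(2).strip()
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "server_port":
            cfg["server_port"] = int(value)
        elif key == "allowed_hosts":
            cfg["allowed_hosts"] = [h.strip() for h in value.split(",") if h.strip()]
        elif key == "dont_blame_nrpe":
            cfg["dont_blame_nrpe"] = int(value)
    return cfg


def host_allowed(cfg, client_ip):
    """Would the daemon (in -d mode; ignored under xinetd) accept this client?"""
    addr = ipaddress.ip_address(client_ip)
    for entry in cfg["allowed_hosts"]:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):  # a bare IP is a /32
                return True
        except ValueError:  # a hostname: NRPE would resolve it, this example compares literally
            if entry == client_ip:
                return True
    return False


def argument_passing_commands(cfg):
    """Commands that splice client-supplied $ARGn$ into a plugin invocation.  They only work with a daemon
    built --enable-command-args and dont_blame_nrpe=1, and then every host in allowed_hosts chooses the
    arguments, so keep this list short and the allowed_hosts list shorter."""
    return sorted(name for name, cmd in cfg["commands"].items() if USES_ARGS.search(cmd))


def classify_failure(client_message, daemon_log, client_ip):
    """Map check_nrpe's error text plus the daemon's syslog lines to the likeliest cause."""
    if "Connection refused" in client_message:
        return "nothing_listening"         # TCP RST: daemon not running/bound, or firewall REJECT
    if "Could not complete SSL handshake" in client_message:
        rejected = {m.group(1) for m in NOT_ALLOWED.finditer(daemon_log)}
        if client_ip in rejected:
            return "not_in_allowed_hosts"  # daemon closed the socket before TLS; client sees an SSL failure
        return "ssl_mismatch"              # versions differ, or one side built or run without SSL
    return "unknown"


def triage(cfg_text, daemon_log, client_ip, client_message):
    """One-shot summary for a failing check_nrpe call against this daemon."""
    cfg = parse_nrpe_cfg(cfg_text)
    return {
        "cause": classify_failure(client_message, daemon_log, client_ip),
        "client_in_allowed_hosts": host_allowed(cfg, client_ip),
        "commands_taking_arguments": argument_passing_commands(cfg),
        "port": cfg["server_port"],
    }


if __name__ == "__main__":
    import sys  # usage: triage.py nrpe.cfg /var/log/messages <client ip> "<check_nrpe error text>"
    with open(sys.argv[1]) as cfg_file, open(sys.argv[2]) as log_file:
        for key, value in triage(cfg_file.read(), log_file.read(), sys.argv[3], sys.argv[4]).items():
            print(f"{key}: {value}")
```

Two points worth keeping in mind when reading the result: a "nothing_listening" verdict means the TCP connection was reset before any NRPE or SSL code ran, so it is a process or firewall problem, not an SSL one; and a long `commands_taking_arguments` list combined with a broad `allowed_hosts` is exactly the exposure the `--enable-command-args` warning in the post above refers to.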
Old 09-02-2004, 04:00 AM   #11
nsi-f34r
LQ Newbie
Registered: Sep 2004
Posts: 2
Why don't you just run nrpe as a daemon?
 
Old 09-02-2004, 01:53 PM   #12
Killbot_5000
LQ Newbie
Registered: Aug 2004
Location: Southern IL
Distribution: OpenSuSE 10.1
Posts: 24
Original Poster
I got nrpe working before the latest post. Thanks for all the help provided to me. I do have a question to nsi-f34r:

Do you have problems with the permissions on the external command file? Unless I set the permissions to 777, I can't do anything in Nagios that requires use of the external command file. I have changed the permissions on this file repeatedly. I have set the owner/group to root, nagios, and nagadmin (the web-login for nagios) and every time it tells me that the permissions are wrong and to go back from whence I came.

Of course, if I set the permissions wide open, it works, and even though it's not on a public IP of any sort, I still don't feel comfortable leaving it wide open.

I know this issue is COMPLETELY unrelated, so if you want to respond to it, go to this post on the squareBOX Nagios forum:

http://alpha.square-box.com/index.ph...art=0#msg_6856

And thanks for the help!
 
Old 10-03-2004, 11:37 AM   #13
dallasnewbie
LQ Newbie
Registered: Apr 2003
Location: dallas, texas
Distribution: rhel3 and fc2
Posts: 12
nrpe

Killbot, what did you do to get it working? I followed nsi-f34r's post and I am now getting the ssl handshake error. I was getting connection refused and when I checked, nrpe was not listening. It is now, and the ssl error.
 
Old 10-03-2004, 12:10 PM   #14
Killbot_5000
LQ Newbie
Registered: Aug 2004
Location: Southern IL
Distribution: OpenSuSE 10.1
Posts: 24
Original Poster
I got nrpe working by recompiling it without SSL support. See the SSL readme file that came with it.

That's honestly all I did differently from his post, because I was getting the same exact thing. Also, make sure the port you are using is open and the ip address is authorized in your nrpe.cfg file. If you need more info on it, then I'll have to post again tomorrow, when I am back at the office so I can look at my notes.
 
Old 10-07-2004, 04:58 PM   #15
itaria
LQ Newbie
Registered: Oct 2004
Posts: 1
Hi! I installed nrpe on one machine, but when I try to install it on another with the same steps it is impossible. I read /var/log/messages, but it doesn't show me anything.
I read /var/log/daemon.log, and in this file it sends this message: "Unable to open config file '//nrpe.cfg' for reading. Config file '//nrpe.cfg' contained errors, bailing out..." I checked the permissions and they don't have a problem. When I try to run the command it sends "CHECK_NRPE: Error - Could not complete SSL handshake."
What can I do?
 