A Secure Nagios Server

Advisories

Feature Articles

Need an in-depth introduction to a new security topic? Our features articles will bring up up-to-date on everything from buffer overflows to SE Linux policy development.

Discover LinuxSecurity Features

A Secure Nagios Server

Nagios is a monitoring software designed to let you know about problems on your hosts and networks quickly. You can configure it to be used on any network. Setting up a Nagios server on any Linux distribution is a very quick process however to make it a secure setup it takes some work. This article will not show you how to install Nagios since there are tons of them out there but it will show you in detail ways to improve your Nagios security.

 

 

Wkeys 
Bill Keys

Introduction

Nagios is a monitoring software designed to let you know about problems on your hosts and networks quickly. You can configure it to be used on any network. Setting up a Nagios server on any Linux distribution is a very quick process however to make it a secure setup it takes some work. This article will not show you how to install Nagios since there are tons of them out there but it will show you in detail ways to improve your Nagios security.

You may be wondering why should I need to think about securing my Nagios server? Well, think about the amount of information the attacker can get if they compromise it.

All the examples below assumes you are using Ubuntu. However these examples will help any user running a Nagios server to make it more secure since the concepts will still apply.

Web interface

If you installed Nagios with one of the quick start guides out there, chances are that you setup the web interface. Since Nagios uses Apache to display it there are many security options.

Below is an example of apache configuration for a Nagios web interface:

<Directory "/usr/local/nagios/share">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user

The 'Allow from' option is used to provide access to only a certain IP address and/or network. The above example allows any IP address to access the web interface. The other security options are used for authentication. 'AuthType' defines the type of authentication being used. There are two types you can choose from Basic or Digest. Basic authentication will transmit your passwords and username as clear text. However using Digest the passwords are transmitted as MD5 digests which is more secure then in clear text.

After making some security improvement we get the below.

<Directory "/usr/local/nagios/share">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from 192.168.4.
AuthName "Nagios Access"
AuthType Digest
AuthDigestFile /usr/local/nagios/etc/htpasswd.users
Require valid-user

Now only computers on the 192.168.4.0 network can have access to the web interface. Also we are now using Digest authentication instead of the insecure method of Basic authentication.

Now we need to add users and passwords to allow accesses to the web interface. To add a new user using digest authentication use the below command:

# htdigest -c /usr/local/nagios/etc/htpasswd.users realm username

Digest is more secure then Basic authentication but the best way keep your username and passwords safe is to use SSL.

Make sure that you restart apache if you make any configuration changes.

# /etc/init.d/apache2 restart

Best Practices

This sections lists some of the best security practices when setting up an Nagios server.

  • Don't Run Nagios As Root
  • There should be an normal user called nagios. If Nagios is running as root then if Nagios gets compromised then the attacker can do anything they want to your system.
  • Lock Down The Check Result Directory
  • Make sure that only nagios has read/write access to the check result directory otherwise an attacker can send fake host and service checks. This directory is normal at /usr/local/nagios/var/spool/checkresults
  • Use Full Paths In Command Definitions
  • When defining commands, make sure to specify the full path and not the relative one to any scripts or binaries you

Comments (0)

There are no comments posted here yet

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.