Improve security with Nagios-Monitor-Server
Revision as of 11:11, 7 January 2018
Author: Mohanad Aly
Cyber Security Engineering (C21)
Page Created: 25 November 2017
Last modified: 25 November 2017
Introduction
This article introduces the Monitoring application called Nagios.
Monitoring
Monitoring is the process of keeping track of system resources.
More formally, monitoring is the process of observing and checking the progress or quality of something over a period of time, keeping it under systematic review.[1] Monitoring cannot be achieved without logging, which is why integrated solutions combine the two processes. Monitoring is used to:
- Check performance
- Detect whether something worth noticing has happened
- Prevent something from happening
- Detect whether a system is under attack, which is the most important part for cyber security
Nagios Monitoring system
Nagios, now known as Nagios Core, is a free and open-source software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved.[2]
The Nagios setup described here relies on three software components:

| Software | Version |
|---|---|
| Apache | 1.3.12 or later |
| PHP | 5.0 or later |
| MySQL (php-mysql) | 3.22 or later |
The main advantages of Nagios
- Open-source
- Customized Dashboards
- Ease of Use
- Infinite Scalability
- Data in Real Time
- Network Security
Why monitoring is important for cyber security
- First, what matters most to the cyber security professional is the CIA triad (Confidentiality, Integrity and Availability); to reach that standard we need to implement tools that protect our data and the servers hosting it.
- Second, the system administrator needs tools to react when something happens to the server, so real-time checks are needed to make sure that everything is working in order.
- Third, the alerts of a monitoring tool should be readable and fast: when something happens to the server or a service, the tool should send the alert immediately, giving the administrator time to fix it.
- Fourth, attacks and threats make it harder for the system administrator to figure out what is going on in the server, so the monitoring tool should include detection for common attacks.
- Fifth, debugging: when the system has an error, the monitoring tool should provide readable debugging output.
Setting up Nagios
In the following tutorial, the Ubuntu 16.04 LTS 64-bit distribution will be used.
Prerequisites
An Ubuntu Linux machine, sudo access and some beginner Linux skills are needed.
This tutorial describes the commands and configuration needed to make the services work together with Nagios.
- It is important to have the latest package lists, so that apt knows the newest versions of packages and their dependencies. Refresh them and upgrade with the following commands:
sudo apt update
sudo apt upgrade
Installing the prerequisites
- The server can check standard networking services (HTTP, FTP, SMTP, IMAP etc.) without installing extra software on the monitored hosts.
Begin with the commands:
sudo apt install wget build-essential apache2 php libapache2-mod-php7.0 php-gd libgd-dev sendmail unzip
User and group configuration
useradd nagios
groupadd nagcmd
usermod -a -G nagcmd nagios
usermod -a -G nagios,nagcmd www-data
Download and extract the Nagios core
wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz
Extract the file and enter the source directory:
tar -xzf nagios*.tar.gz
cd nagios-4.2.0/
Configure the build with the user and group created earlier:
./configure --with-nagios-group=nagios --with-command-group=nagcmd
make all
make install
make install-commandmode
make install-init
make install-config
/usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf
Copy the event-handler directory to the Nagios directory:
cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/
chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers
Install the Nagios Plugins
wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz
Extract it and enter the directory:
tar -xzf nagios-plugins*.tar.gz
cd nagios-plugins-2.1.2/
Build and install the Nagios plugins with the commands below:
./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl
make
make install
The default Nagios configuration lives in /usr/local/nagios/. To configure Nagios and the Nagios contacts, edit the main configuration file with nano (the -c flag shows line numbers):
nano -c /usr/local/nagios/etc/nagios.cfg
Uncomment line 51 for the host monitoring configuration.
Save and exit.
Add a new folder named servers:
mkdir -p /usr/local/nagios/etc/servers
Change the owner and group of the new folder to nagios:
chown nagios:nagios /usr/local/nagios/etc/servers
Enable Apache modules
sudo a2enmod rewrite
sudo a2enmod cgi
Use the htpasswd command to create the user nagiosadmin for the Nagios web interface:
sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin
Enable the Nagios virtual host:
sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enabled/nagios.conf
Start Apache
service apache2 restart
When Nagios starts, you may see the error "Starting nagios (via systemctl): nagios.service Failed". This can be fixed as follows:
cd /etc/init.d/
cp /etc/init.d/skeleton /etc/init.d/nagios
nano /etc/init.d/nagios
Paste these variables at the end of the file:
DESC="Nagios"
NAME=nagios
DAEMON=/usr/local/nagios/bin/$NAME
DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg"
PIDFILE=/usr/local/nagios/var/$NAME.lock
Make it executable and start Nagios:
chmod +x /etc/init.d/nagios
service nagios start
If the error persists, there is another way to fix the issue.
First, create or edit nagios.service:
nano /etc/systemd/system/nagios.service
Paste the following unit definition into the file:
[Unit]
Description=Nagios
BindsTo=network.target

[Install]
WantedBy=multi-user.target

[Service]
User=nagios
Group=nagios
Type=simple
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg
Enable the newly created nagios.service unit and start it:
systemctl enable /etc/systemd/system/nagios.service
service nagios start
To check that the service is working:
service nagios status
- Open a web browser and go to http://YOURIPADDRESS/nagios
Enable encryption for the front-end web interface
SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.
Enable the module by typing:
sudo a2enmod ssl
Create a subdirectory within Apache's configuration hierarchy for the certificate files we will be making:
sudo mkdir /etc/apache2/ssl
Now that we have a location for our key and certificate, we can create them both in one step by typing:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
- openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
- req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate management. Since we want to create a new X.509 certificate, this is what we need.
- -x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
- -nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
- -days 365: This specifies that the certificate we are creating will be valid for one year.
- -newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
- -keyout: This parameter names the output file for the private key file that is being created.
- -out: This option names the output file for the certificate that we are generating.
Open the default SSL site file with root privileges:
sudo nano /etc/apache2/sites-available/default-ssl.conf
The two directives to change are SSLCertificateFile and SSLCertificateKeyFile, which must point at the certificate and key created above:
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin admin@example.com
        ServerName your_domain.com
        ServerAlias www.your_domain.com
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>
Enable the SSL virtual host:
sudo a2ensite default-ssl.conf
Restart Apache to load the new virtual host file:
service apache2 restart
Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:
https://server_domain_name_or_IP
To send plain HTTP requests to the HTTPS site, edit the default virtual host so that port 80 only redirects (replace Nagios-server with your server's hostname):
sudo nano /etc/apache2/sites-available/000-default.conf
# Special virtual host only for redirecting
<VirtualHost *:80>
    ServerName Nagios-server
    Redirect "/" "https://Nagios-server/"
</VirtualHost>
Enable the encryption between the server and the agent
The connection between the server and the agent needs to be secured; setting this up is neither trivial nor hard.
- Set up the directories (the demoCA layout is what openssl ca expects to find in its working directory):
cd /usr/local/nagios/etc/
mkdir ssl
chown root:nagios ssl
cd ssl
mkdir ca nagios_server_certs client_certs
chown root:nagios *
mkdir -p ./demoCA/newcerts
touch ./demoCA/index.txt
echo '1000' > ./demoCA/serial
- Create the Certificate Authority (the key and certificate go into the ca directory, which the signing commands below reference):
cd /usr/local/nagios/etc/ssl/ca/
openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -utf8 -days 3650
- NRPE client certificate:
cd /usr/local/nagios/etc/ssl/client_certs/
openssl req -new -newkey rsa:2048 -keyout client_cert.key -out client_cert.csr -nodes
- Sign this certificate request with our CA (run from the ssl directory, where demoCA lives):
cd /usr/local/nagios/etc/ssl/
openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in client_certs/client_cert.csr -out client_certs/client_cert.pem
Copy the NRPE client certificates to the agent:
1- Either transfer them with sftp (sftp://user@IP),
or copy them with secure copy, run on the agent. The destination directories must match the paths used in nrpe.cfg below:
mkdir -p /usr/local/nagios/etc/ssl/ca /usr/local/nagios/etc/ssl/client_certs
scp root@IP:/usr/local/nagios/etc/ssl/ca/ca_cert.pem /usr/local/nagios/etc/ssl/ca/
scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.key /usr/local/nagios/etc/ssl/client_certs/
scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.pem /usr/local/nagios/etc/ssl/client_certs/
- Next, the NRPE client config file needs updating so it uses the new certificate. Edit /usr/local/nagios/etc/nrpe.cfg:
nano /usr/local/nagios/etc/nrpe.cfg
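Before restarting nrpe on the agent (or nagios on the server, for the nagios_server_certs pair created later), it is worth confirming that a copied certificate really was issued by ca_cert.pem, belongs to its private key and has not expired; the following check is an added example, not part of this article, and uses only openssl commands:

```shell
#!/bin/sh
# Verify an NRPE certificate/key pair against the CA created in this article.
# Added example, not part of the original article.
#   Usage: cert_pair_ok CA_CERT CERT KEY   (or: sh check_certs.sh CA CERT KEY,
#   check_certs.sh being a hypothetical file name for this script)
# Returns 0 when CERT was issued by CA_CERT, CERT and KEY carry the same
# public key, and CERT is still valid; otherwise prints the reason and
# returns 1 (wrong CA), 2 (key mismatch) or 3 (expired).
cert_pair_ok() {
    ca=$1 cert=$2 key=$3
    # 1. Chain: the CA file is the same one nrpe.cfg / check_nrpe -A will trust.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "$cert: not signed by $ca"
        return 1
    fi
    # 2. Pair: compare the public keys, not the file names.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$cert: public key does not match $key"
        return 2
    fi
    # 3. Validity: -checkend 0 fails once the notAfter date has passed.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "$cert: expired"
        return 3
    fi
    # 4. Hygiene only (does not change the result): the key should not be
    #    readable by every local user.
    if [ -n "$(find "$key" -perm -o+r 2>/dev/null)" ]; then
        echo "warning: $key is world-readable"
    fi
    return 0
}

# Default to the three files the article copies to the agent.
if [ "$#" -eq 3 ]; then
    cert_pair_ok "$1" "$2" "$3"
elif [ "$#" -eq 0 ] && [ -f /usr/local/nagios/etc/ssl/client_certs/client_cert.pem ]; then
    cert_pair_ok /usr/local/nagios/etc/ssl/ca/ca_cert.pem \
                 /usr/local/nagios/etc/ssl/client_certs/client_cert.pem \
                 /usr/local/nagios/etc/ssl/client_certs/client_cert.key
fi
```

A non-zero exit here explains most "Could Not Complete SSL Handshake" errors before any service is restarted.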
- In line 238 uncomment:
ssl_cacert_file=/usr/local/nagios/etc/ssl/ca/ca_cert.pem
ssl_cert_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.pem
ssl_privatekey_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.key
- Restart nrpe:
service nrpe restart
- Don't forget to also uncomment the following (ssl_logging=0xff logs every SSL event, and ssl_client_certs=2 makes the agent require a client certificate from check_nrpe):
1- ssl_logging=0xff
2- ssl_client_certs=2
check_nrpe Plugin Certificate
cd /usr/local/nagios/etc/ssl/nagios_server_certs/
openssl req -new -newkey rsa:2048 -keyout nagios_server.key -out nagios_server.csr -nodes
cd /usr/local/nagios/etc/ssl/
openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in nagios_server_certs/nagios_server.csr -out nagios_server_certs/nagios_server.pem
- Using the certificates with the check_nrpe plugin:
/usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H yourIPaddress
- To make the handshake from the Nagios side:
nano /usr/local/nagios/etc/services
- Add the following next to the check_nrpe services:
-A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/client_certs/client_cert.pem -K /usr/local/nagios/etc/ssl/client_certs/client_cert.key
service nagios restart
To check the logs from the agent side:
tail -f /var/log/syslog
Make sure that the Nagios server's IP address is set in nrpe.cfg:
cd /usr/local/nagios/etc
nano nrpe.cfg
On line 106, put the server IP address.
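The agent-side settings from the two passages above (the three ssl_*_file entries, ssl_logging, ssl_client_certs and the server IP on line 106) are easy to leave half-done. The following audit is an added example, not part of this article; it assumes that the line-106 value belongs to the allowed_hosts option of nrpe.cfg:

```shell
#!/bin/sh
# Audit an NRPE agent's nrpe.cfg for the TLS settings this article enables.
# Added example, not part of the original article.  Assumed: the server IP
# the article puts on line 106 belongs to the allowed_hosts option.
#   Usage: audit_nrpe_cfg /usr/local/nagios/etc/nrpe.cfg NAGIOS_SERVER_IP

# get_opt FILE KEY -> value of KEY in a "key=value" file, ignoring
# commented-out lines; the last occurrence wins; empty if unset.
get_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_nrpe_cfg FILE SERVER_IP -> prints one line per finding and returns
# the number of findings (0 means the agent matches the article's setup).
audit_nrpe_cfg() {
    cfg=$1 server_ip=$2 problems=0
    # The three certificate paths are commented out in the stock nrpe.cfg.
    for key in ssl_cacert_file ssl_cert_file ssl_privatekey_file; do
        if [ -z "$(get_opt "$cfg" "$key")" ]; then
            echo "$key is not set (still commented out?)"
            problems=$((problems + 1))
        fi
    done
    # 2 = require a client certificate; 0 or 1 let any client on an
    # allowed host run the agent's checks without presenting one.
    if [ "$(get_opt "$cfg" ssl_client_certs)" != "2" ]; then
        echo "ssl_client_certs is not 2: client certificates are not required"
        problems=$((problems + 1))
    fi
    # 0xff logs every SSL event, which is what makes handshake failures
    # visible in /var/log/syslog on the agent.
    if [ "$(get_opt "$cfg" ssl_logging)" != "0xff" ]; then
        echo "ssl_logging is not 0xff: handshake problems will not be logged"
        problems=$((problems + 1))
    fi
    # allowed_hosts is a comma-separated list that may contain spaces.
    hosts=$(get_opt "$cfg" allowed_hosts | tr -d '[:space:]')
    case ",$hosts," in
        *",$server_ip,"*) ;;
        *) echo "allowed_hosts does not include the Nagios server $server_ip"
           problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

if [ "$#" -eq 2 ]; then
    audit_nrpe_cfg "$1" "$2"
fi
```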
Summary
Nagios is an open-source application for monitoring a system. Nagios has been widely used because of its ease of configuration. Nagios is supported by various plugins, and you can even create your own plugins. See the Nagios main documentation for more information.
See also
Nagios installation by Cyber-Tect-Tips
1- Nagios-Server-Installation Step one
2- Nagios-Agent configuration using NRPE plugin - Step two
3- Nagios-Agent send checks to Nagios-Server - Step three
4- Nagios-Agent using NRPE plugin with the Monitor Server side (Full configuration)
5- Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step
6- NRPE - v3 Enhanced Security
7- NRPE - CHECK_NRPE: Error - Could Not Complete SSL Handshake
References
2- CIA