Difference between revisions of "Improve security with Nagios-Monitor-Server"

Revision as of 11:09, 7 January 2018

Nagios monitoring system

Author: Mohanad Aly

Cyber Security Engineering (C21)

Page Created: 25 November 2017

Last modified: 25 November 2017


Introduction

This article introduces the monitoring application Nagios.

Monitoring

Monitoring is the process of keeping track of system resources.

Monitoring is the process of observing and checking the progress or quality of something over a period of time, keeping it under systematic review.[1] Monitoring cannot be achieved without logging, which is why integrated solutions combine the two processes. Monitoring is used to:

  • Check performance
  • Detect if something worth noticing happened
  • Prevent something from happening
  • Detect whether a system is under attack, which is the most important part for cyber security

Nagios Monitoring system

Nagios, now known as Nagios Core, is a free and open-source software application that monitors systems, networks and infrastructure. Nagios offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved. [2]

Nagios depends on three software components (minimum versions):

Software   Version
Apache     1.3.12 or later
PHP        5.0 or later
MySQL      php-mysql 3.22 or later

The main advantages of Nagios

  • Open-source
  • Customized Dashboards
  • Ease of Use
  • Infinite Scalability
  • Data in Real Time
  • Network Security

Why monitoring is important for cyber security

  • First, the most important concept for a cyber security professional is the CIA triad (Confidentiality, Integrity and Availability); to meet those standards we need to implement tools that protect our data and the servers that host it.
  • Second, system administrators need tools to react when something happens to a server, so they need real-time checks to make sure that everything is working in order.
  • Third, alerts from monitoring tools should be readable for the administrator and fast: when something happens to a server or a service, the monitoring tool should send the alert immediately so the administrator has time to fix it.
  • Fourth, attacks and threats make it harder for the system administrator to figure out what is going on in the server, so monitoring tools should include detection for common attacks.
  • Fifth, debugging: when a system has an error, the monitoring tool should provide readable debugging output.

Setting up Nagios

In the following tutorial, the Ubuntu 16.04 LTS 64-bit distribution will be used.

Prerequisites

An Ubuntu Linux machine, sudo access and some beginner Linux skills are needed.

This tutorial describes the commands and configuration needed to make the services work together with Nagios.

  • It is important to have the latest package lists, so that the newest versions of packages and their dependencies are known. Run the following commands to update and upgrade them:

sudo apt update
sudo apt upgrade

Installing the prerequisites

  • The server can check standard networking services (HTTP, FTP, SMTP, IMAP etc.) without installing extra software on the monitored hosts.

Begin with the commands:

sudo apt install wget build-essential apache2 php libapache2-mod-php7.0 php-gd libgd-dev sendmail unzip

User and group configuration

useradd nagios
groupadd nagcmd
usermod -a -G nagcmd nagios
usermod -a -G nagios,nagcmd www-data

Download and extract the Nagios core

wget https://assets.nagios.com/downloads/nagioscore/releases/nagios-4.2.0.tar.gz

Extract the file and change into the extracted directory:

tar -xzf nagios*.tar.gz
cd nagios-4.2.0

Configure it with the user and group created earlier, then build and install:

./configure --with-nagios-group=nagios --with-command-group=nagcmd
make all
make install
make install-commandmode
make install-init
make install-config
/usr/bin/install -c -m 644 sample-config/httpd.conf /etc/apache2/sites-available/nagios.conf

Copy the event-handler directory to the Nagios directory:

cp -R contrib/eventhandlers/ /usr/local/nagios/libexec/
chown -R nagios:nagios /usr/local/nagios/libexec/eventhandlers

Install the Nagios Plugins

wget https://nagios-plugins.org/download/nagios-plugins-2.1.2.tar.gz

Extract it and change into the extracted directory:

tar -xzf nagios-plugins*.tar.gz
cd nagios-plugins-2.1.2

Install the Nagios plugins with the commands below:

./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-openssl
make
make install

The default Nagios configuration is in /usr/local/nagios/. To configure Nagios and its contacts, edit the main configuration file with nano:

nano -c /usr/local/nagios/etc/nagios.cfg

Uncomment line 51, the cfg_dir entry for the host monitor configuration (the servers directory created next). Save and exit.

Add a new folder named servers:

mkdir -p /usr/local/nagios/etc/servers

Change the user and group of the new folder to nagios:

chown nagios:nagios /usr/local/nagios/etc/servers

Enable the Apache modules:

sudo a2enmod rewrite
sudo a2enmod cgi

Use the htpasswd command to create the user nagiosadmin for the Nagios web interface:

sudo htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

Enable the Nagios virtual host:

sudo ln -s /etc/apache2/sites-available/nagios.conf /etc/apache2/sites-enabled/

Restart Apache:

service apache2 restart

When Nagios starts, you may see the following error: "Starting nagios (via systemctl): nagios.serviceFaile". It can be fixed as follows:


cd /etc/init.d/
cp /etc/init.d/skeleton /etc/init.d/nagios
nano /etc/init.d/nagios

Paste this code at the end of the file

DESC="Nagios"
NAME=nagios
DAEMON=/usr/local/nagios/bin/$NAME
DAEMON_ARGS="-d /usr/local/nagios/etc/nagios.cfg"
PIDFILE=/usr/local/nagios/var/$NAME.lock

Make the script executable and restart the service:

chmod +x /etc/init.d/nagios
service apache2 restart

If the issue persists, there is another way to fix it.

First, create or edit the nagios.service unit file:

nano /etc/systemd/system/nagios.service

Paste the following into the file:

[Unit]
Description=Nagios
# the directive is BindsTo (BindTo is silently ignored by systemd)
BindsTo=network.target

[Install]
WantedBy=multi-user.target

[Service]
User=nagios
Group=nagios
Type=simple
ExecStart=/usr/local/nagios/bin/nagios /usr/local/nagios/etc/nagios.cfg

Enable the newly created nagios.service unit and start Nagios:

systemctl enable /etc/systemd/system/nagios.service

service nagios start


To check that the service is running:

service nagios status

  • Open a web browser and go to http://YOURIPADDRESS/nagios

Enable encryption on the web front-end

SSL support actually comes standard in the Ubuntu 16.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

sudo a2enmod ssl

Create a subdirectory within Apache's configuration hierarchy to hold the certificate files we will be making:

sudo mkdir /etc/apache2/ssl

Now that we have a location for our key and certificate, we can create them both in one step by typing:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Incorporated Company
Organizational Unit Name (eg, section) []:Head
Common Name (e.g. server FQDN or YOUR name) []: domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
  • openssl: This is the basic command line tool provided by OpenSSL to create and manage certificates, keys, signing requests, etc.
  • req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate management. Since we want to create a new X.509 certificate, this is what we want.
  • -x509: This option specifies that we want to make a self-signed certificate file instead of generating a certificate request.
  • -nodes: This option tells OpenSSL that we do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
  • -days 365: This specifies that the certificate we are creating will be valid for one year.
  • -newkey rsa:2048: This option will create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
  • -keyout: This parameter names the output file for the private key file that is being created.
  • -out: This option names the output file for the certificate that we are generating.

Open the file with root privileges now:

sudo nano /etc/apache2/sites-available/default-ssl.conf

Point SSLCertificateFile and SSLCertificateKeyFile at the certificate and key created above (the two marked lines); the rest is the Ubuntu default:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin admin@example.com
        ServerName your_domain.com
        ServerAlias www.your_domain.com
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        # the two lines that must point at the files created in /etc/apache2/ssl
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                        nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>


Enable the SSL virtual host:

sudo a2ensite default-ssl.conf

Restart Apache to load the new virtual host file:

service apache2 restart

Test the configuration by visiting the server's domain name or public IP address after specifying the https:// protocol, like this:

https://server_domain_name_or_IP

To make sure the front-end is only reached over SSL, edit the plain-HTTP virtual host (sudo nano /etc/apache2/sites-available/000-default.conf) so that it only redirects to the HTTPS site:

# Special virtualhost only for redirecting
<VirtualHost *:80>
        ServerName your_domain.com
        Redirect "/" "https://Nagios-server/"
</VirtualHost>


Enable the encryption between the server and the agent

The connection between the server and the agent needs to be secured; setting this up is neither trivial nor hard.

  • Set up the directories:

cd /usr/local/nagios/etc/
mkdir ssl
chown root:nagios ssl
cd ssl
mkdir ca nagios_server_certs client_certs
chown root:nagios *
mkdir ./demoCA
mkdir ./demoCA/newcerts
cd ./demoCA
touch index.txt
echo '1000' > serial

  • Create the Certificate Authority (in the ca directory, where the signing commands below expect it):

cd /usr/local/nagios/etc/ssl/ca/
openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -utf8 -days 3650

  • NRPE client certificate:

cd /usr/local/nagios/etc/ssl/client_certs/
openssl req -new -newkey rsa:2048 -keyout client_cert.key -out client_cert.csr -nodes

  • Sign this certificate request with our CA (run from the ssl directory, where demoCA lives):

cd /usr/local/nagios/etc/ssl/
openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in client_certs/client_cert.csr -out client_certs/client_cert.pem

Copy the NRPE client certificates to the agent (the nrpe.cfg entries below expect them in ssl/ca/ and ssl/client_certs/, so either create those subdirectories on the agent or adjust the paths):

1- First, you can transfer them with sftp://user@IP

2- Or copy them with secure copy, run on the agent:

scp root@IP:/usr/local/nagios/etc/ssl/ca/ca_cert.pem /usr/local/nagios/etc/ssl/

scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.key /usr/local/nagios/etc/ssl/

scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.pem /usr/local/nagios/etc/ssl/

  • Next, the NRPE client configuration file on the agent, /usr/local/nagios/etc/nrpe.cfg, needs updating so it uses the new certificate:

nano nrpe.cfg

  • At line 238 uncomment:

ssl_cacert_file=/usr/local/nagios/etc/ssl/ca/ca_cert.pem
ssl_cert_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.pem
ssl_privatekey_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.key

  • Restart NRPE:

service nrpe restart

  • Don't forget to also uncomment the following (ssl_client_certs=2 makes the agent require a client certificate from check_nrpe, which is why the server-side certificate below is needed):

1- ssl_logging=0xff
2- ssl_client_certs=2

check_nrpe plugin certificate, created on the Nagios server and signed by the same CA:

cd /usr/local/nagios/etc/ssl/nagios_server_certs/
openssl req -new -newkey rsa:2048 -keyout nagios_server.key -out nagios_server.csr -nodes
cd /usr/local/nagios/etc/ssl/
openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in nagios_server_certs/nagios_server.csr -out nagios_server_certs/nagios_server.pem

  • Using Certificates With check_nrpe Plugin

/usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H yourIPaddress
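The CA, client and check_nrpe certificate steps above, as an added example that is not from this page or the Nagios project: a POSIX shell script that builds the same ca/, client_certs/ and nagios_server_certs/ layout under any directory and verifies each issued certificate against the CA before it is deployed. It swaps the page's openssl ca/demoCA signing for openssl x509 -req, so no index.txt or serial file is needed; the CN values and the directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the ICO wiki page or the Nagios project: builds the
# NRPE certificate set from the procedure above in a directory of your choice
# and checks each issued certificate against the CA before it is copied to an
# agent. Signing uses "openssl x509 -req" instead of "openssl ca"/demoCA, so
# no index.txt or serial file is needed; CN values are placeholders.
set -e

# make_nrpe_pki DIR: create the private CA, the NRPE agent (client) certificate
# and the check_nrpe (server) certificate under DIR, mirroring the page layout.
make_nrpe_pki() {
    dir="$1"
    mkdir -p "$dir/ca" "$dir/client_certs" "$dir/nagios_server_certs"
    # Self-signed CA valid ten years (RSA 2048 here so the example runs fast;
    # the page uses rsa:4096). The same req -x509 form made the Apache cert.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Nagios private CA" \
        -keyout "$dir/ca/ca_key.pem" -out "$dir/ca/ca_cert.pem" 2>/dev/null
    issue_cert "$dir" "$dir/client_certs/client_cert" nrpe-agent
    issue_cert "$dir" "$dir/nagios_server_certs/nagios_server" nagios-server
}

# issue_cert DIR BASE CN: key + CSR for CN, then a one-year SHA-256 certificate
# signed by DIR/ca. Produces BASE.key, BASE.csr and BASE.pem.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$2.csr" \
        -CA "$1/ca/ca_cert.pem" -CAkey "$1/ca/ca_key.pem" -CAcreateserial \
        -out "$2.pem" 2>/dev/null
}

# cert_trusted_by CA_CERT CERT: succeed only if CERT chains to CA_CERT. Run it
# before deploying a file: a certificate issued by a different CA is one cause
# of the "Could Not Complete SSL Handshake" error listed under See also.
cert_trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Running make_nrpe_pki /usr/local/nagios/etc/ssl produces the same file names the page's nrpe.cfg entries and check_nrpe options reference, so the scp and nrpe.cfg steps above apply unchanged.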

Summary

Nagios is an open-source application for monitoring systems. Nagios is widely used because of its ease of configuration. Nagios is supported by various plugins, and you can even create your own. See Nagios-main-documentation for more information.

See also

Nagios installation by Cyber-Tech-Tips

1- Nagios-Server-Installation Step one

2- Nagios-Agent configuration using NRPE plugin - Step two

3- Nagios-Agent send checks to Nagios-Server - Step three

4- Nagios-Agent using NRPE plugin with the Monitor Server side (Full configuration)

5- Customize Nagios (Agent - Server) adding new services check (Swap - SSH) Final step

6- NRPE - v3 Enhanced Security

7- NRPE - CHECK_NRPE: Error - Could Not Complete SSL Handshake

References

1- Nagios System monitoring

2- CIA

3- Nagios-Information

4- Cyber-Tech-Tips