
How to secure the connection between Nagios (Server - Agent) NRPE - v3 Enhanced Security 🔒

NRPE - v3 Enhanced Security
Read about it:
https://support.nagios.com/kb/article...

Setup Directories:
$ cd /usr/local/nagios/etc
$ mkdir ssl
$ chown root:nagios ssl
$ cd ssl
$ mkdir ca nagios_server_certs client_certs
$ chown root:nagios *
$ mkdir ./demoCA
$ mkdir ./demoCA/newcerts
$ cd ./demoCA
$ touch index.txt
$ echo '1000' > serial

Create Certificate Authority
$ cd /usr/local/nagios/etc/ssl/ca
$ openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -utf8 -days 3650

NRPE Client Certificate
$ cd /usr/local/nagios/etc/ssl/client_certs/
$ openssl req -new -newkey rsa:2048 -keyout client_cert.key -out client_cert.csr -nodes

Sign this certificate request by our CA:
$ cd /usr/local/nagios/etc/ssl
$ openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in client_certs/client_cert.csr -out client_certs/client_cert.pem

Copy NRPE Client Certificates to the agent:

1- You can transfer them with SFTP: sftp://user@IP

Or you can copy them with secure copy (run on the agent; the commands pull the files from the host at IP):

$ scp root@IP:/usr/local/nagios/etc/ssl/ca/ca_cert.pem /usr/local/nagios/etc/ssl/
$ scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.key /usr/local/nagios/etc/ssl/
$ scp root@IP:/usr/local/nagios/etc/ssl/client_certs/client_cert.pem /usr/local/nagios/etc/ssl/

Next, update the NRPE client config file, /usr/local/nagios/etc/nrpe.cfg, so it knows to use the new certificate:
$ nano /usr/local/nagios/etc/nrpe.cfg

In line 238 uncomment:

ssl_cacert_file=/usr/local/nagios/etc/ssl/ca/ca_cert.pem
ssl_cert_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.pem
ssl_privatekey_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.key

Restart NRPE:
$ service nrpe restart

Don't forget to uncomment the following:
1- ssl_logging=0xff
2- ssl_client_certs=2
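
To check the agent after these edits, the script below audits the ssl_* directives in nrpe.cfg. It is an added example, not part of the original description or of NRPE; the function names and the FAIL output format are made up for illustration. It flags directives that are still commented out, certificate paths that do not match where the files were actually copied, a world-readable private key, and ssl_client_certs values other than 2.

```shell
#!/bin/sh
# Added example: audit the SSL directives of an nrpe.cfg.
# Usage: sh audit_nrpe_ssl.sh /usr/local/nagios/etc/nrpe.cfg

# Print the value of an uncommented "key=value" line. If the key is
# repeated, the last occurrence is reported (assumption of this script).
nrpe_directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Print one FAIL line per problem; the return status is the problem count.
audit_nrpe_ssl() {
    cfg=$1
    findings=0
    for key in ssl_cacert_file ssl_cert_file ssl_privatekey_file; do
        path=$(nrpe_directive "$cfg" "$key")
        if [ -z "$path" ]; then
            echo "FAIL $key is commented out or missing"
            findings=$((findings + 1))
        elif [ ! -r "$path" ]; then
            echo "FAIL $key=$path does not exist or is unreadable"
            findings=$((findings + 1))
        fi
    done

    # The key was generated with -nodes (unencrypted), so file permissions
    # are its only protection: it must not be readable by "other".
    key_path=$(nrpe_directive "$cfg" ssl_privatekey_file)
    if [ -f "$key_path" ] && [ -n "$(find "$key_path" -perm -004)" ]; then
        echo "FAIL $key_path is world-readable (try chmod o-rwx)"
        findings=$((findings + 1))
    fi

    # ssl_client_certs: 0 = don't ask, 1 = ask, 2 = require a client cert.
    mode=$(nrpe_directive "$cfg" ssl_client_certs)
    if [ "$mode" != "2" ]; then
        echo "FAIL ssl_client_certs=${mode:-unset}, client certificates are not required"
        findings=$((findings + 1))
    fi
    return "$findings"
}

if [ "$#" -gt 0 ]; then
    audit_nrpe_ssl "$1"
fi
```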

check_nrpe Plugin Certificate
$ cd /usr/local/nagios/etc/ssl/nagios_server_certs/
$ openssl req -new -newkey rsa:2048 -keyout nagios_server.key -out nagios_server.csr -nodes
$ cd /usr/local/nagios/etc/ssl/
$ openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in nagios_server_certs/nagios_server.csr -out nagios_server_certs/nagios_server.pem

Using Certificates With check_nrpe Plugin

$ /usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H yourIPaddress
