
The question is which is more secure - as opposed to which is better from a configuration standpoint.

I have a number of CentOS and Debian systems. The NRPE daemon is installed and working on all of them, with nrpe.conf configured with allowed_hosts=127.0.0.1,<Nagios_monitoring_server_IP>. The client's NRPE default port only allows Nagios_monitoring_server_IP through iptables as well. All the checks from the Nagios monitoring server use check_nrpe.

Is the above the most secure, or is it better to use check_by_ssh with a key instead?

BurningKrome

1 Answer


check_nrpe is not secure unless you configure and use certificates; if not, you are using "Anonymous Diffie-Hellman" (see the OpenSSL wiki for an explanation).

NRPE's security is based on IP whitelisting only, so it is not safe against MITM attacks either...

check_by_ssh uses the same security as any SSH connection and is safe on a trust-on-first-use basis (when the host key is added to known_hosts).

This is why Icinga 2's cluster protocol is built on TLS with certificates.

lazyfrosch
  • Just for clarification - since an NRPE server only requests that the client system run a script that already exists on the client system and must be configured within the client's nrpe.conf, and then sends the output of that script back to the server - what kind of MitM attacks could be exploited? – BurningKrome Oct 09 '18 at 14:00
  • 1) Sniffing data, 2) Injecting data when arguments are allowed and 3) Manipulating results – lazyfrosch Oct 10 '18 at 11:52
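
The points raised in the answer and comments above, as an added example that is not part of the original posts: a small audit that flags an NRPE daemon config which still permits anonymous Diffie-Hellman, has no certificates, or accepts command arguments. The directive names and defaults are assumed from the NRPE 3.x sample nrpe.cfg; the file paths, the IP address and both sample configs are constructed.

```python
# Assumed defaults, taken from the NRPE 3.x sample nrpe.cfg (not from this page).
ASSUMED_DEFAULTS = {
    "ssl_use_adh": "1",        # 1 = anonymous DH allowed
    "ssl_client_certs": "0",   # 0 = client certificate not requested
    "dont_blame_nrpe": "0",    # 0 = command arguments rejected
}

def parse_nrpe_cfg(text):
    """Return {directive: value}; later lines override earlier ones."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def audit(text):
    """Return a sorted list of finding identifiers for one config."""
    cfg = {**ASSUMED_DEFAULTS, **parse_nrpe_cfg(text)}
    findings = []
    if cfg["ssl_use_adh"] != "0":          # no peer authentication: MITM possible
        findings.append("adh-permitted")
    if not (cfg.get("ssl_cert_file") and cfg.get("ssl_privatekey_file")):
        findings.append("no-server-certificate")
    if cfg["ssl_client_certs"] != "2" or not cfg.get("ssl_cacert_file"):
        findings.append("client-cert-not-required")
    if cfg["dont_blame_nrpe"] != "0":      # arguments allowed: injectable data
        findings.append("arguments-allowed")
    return sorted(findings)

# Constructed sample: IP allow-list only, with arguments enabled.
ALLOWLIST_ONLY = """
allowed_hosts=127.0.0.1,192.0.2.10
dont_blame_nrpe=1
"""

# Constructed sample: certificates on both sides, ADH off (hypothetical paths).
HARDENED = """
dont_blame_nrpe=0
ssl_use_adh=0
ssl_cacert_file=/etc/nagios/ssl/ca.pem
ssl_cert_file=/etc/nagios/ssl/nrpe-cert.pem
ssl_privatekey_file=/etc/nagios/ssl/nrpe-key.pem
ssl_client_certs=2
"""

if __name__ == "__main__":
    print(audit(ALLOWLIST_ONLY), audit(HARDENED))
```
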