[clue-tech] Nagios: check_by_ssh or check_nrpe
Jeff Falgout
jtfalgout at gmail.com
Tue Jul 1 09:39:51 MDT 2008
On Mon, Jun 30, 2008 at 11:25 AM, David L. Willson <DLWillson at thegeek.nu> wrote:
> On Mon, 30 Jun 2008 11:16:22 -0600, David L. Willson wrote
>> Anyone here have strong feelings about which is the better default? It begins
>> to seem to me like check_by_ssh is the better default, because of the much
>> greater difficulty in impersonating the monitoring host to the host running
>> the plugin.
>
> Let me be more direct: Is there any good reason to continue to use NRPE? (Assume no
> blatant mis-administration of ssh/sshd)
>
Wrapping everything under ssh usually gives me the heebie jeebies -
key management, user accounts, ssh is usually open to more hosts, etc.
SSH access is too easy to screw up and the cost of that screw up
could be high. NRPE is easy to configure and makes it hard to do
something really stupid. I like the fact that nrpe listens on it's own
port, you can use tcp wrappers/xinetd/host firewalls for ACL's and
when you see that traffic on the network, you know what it is. If you
have a bonehead firewall admin who will only allow ssh, then
check_by_ssh is your only choice.
My $2.00 (taking into account inflation)
Jeff
More information about the clue-tech
mailing list