[clue-tech] Nagios: check_by_ssh or check_nrpe

Nate Duehr nate at natetech.com
Tue Jul 1 14:41:18 MDT 2008


Jeff Falgout wrote:

> Wrapping everything under ssh usually gives me the heebie jeebies -
> key management, user accounts, ssh is usually open to more hosts, etc.

Why open to more hosts?  That's dumb.

>  SSH access is too easy to screw up and the cost of that screw up
> could be high. 

SSH easy to screw up?  Huh?  How exactly would someone unauthorized get 
into the path between the Nagios server and the things it's monitoring 
and utilize it?  Why would people be logging into the Nagios server 
other than top-level admins who should just be fired if they're using 
the Nagios server as a way around authentication/security protocols?

> NRPE is easy to configure and makes it hard to do
> something really stupid. I like the fact that nrpe listens on its own
> port, you can use tcp wrappers/xinetd/host firewalls for ACLs and
> when you see that traffic on the network, you know what it is. 

You can do those things (other than see what it is) with SSH too.

Either way... I guess it doesn't matter.  Without a security policy and 
monitoring with teeth... there's always a way around just about 
everything for senior sysadmins.

And the senior folks aren't doing their jobs right if there's ways 
around security for the junior/less trusted folk.

Nate

