[clue-tech] Nagios: check_by_ssh or check_nrpe

Jeff Falgout jtfalgout at gmail.com
Tue Jul 1 22:24:28 MDT 2008


On Tue, Jul 1, 2008 at 2:41 PM, Nate Duehr <nate at natetech.com> wrote:
> Jeff Falgout wrote:
>
>> Wrapping everything under ssh usually gives me the heebie jeebies -
>> key management, user accounts, ssh is usually open to more hosts, etc.
>
> Why open to more hosts?  That's dumb.

My host ACLs and network ACLs allow at least one subnet access to
ssh on every host, whereas the ACLs allow only 2 hosts access to the
nrpe service. Every other place I've worked at, that's been the case
or else ssh has been open to the entire network. I don't consider that
dumb.


>
>>  SSH access is too easy to screw up and the cost of that screw up
>> could be high.
>
> SSH easy to screw up?  Huh?  How exactly would someone unauthorized get into
> the path between the Nagios server and the things it's monitoring and
> utilize it?  Why would people be logging into the Nagios server other than
> top-level admins who should just be fired if they're using the Nagios server
> as a way around authentication/security protocols?

Well, I've seen it happen with other generic accounts that, for
whatever reason, required an ssh private key without a password. That
account eventually gets abused.

I want tight limits on what commands that nrpe user is running - I'd
most likely be putting that user in a jail if I had to use ssh access.
But since nrpe needs access to so many system commands, it's an
exercise in futility. Gimme xinetd.

>
>> NRPE is easy to configure and makes it hard to do
>> something really stupid. I like the fact that nrpe listens on its own
>> port, you can use tcp wrappers/xinetd/host firewalls for ACLs and
>> when you see that traffic on the network, you know what it is.
>
> You can do those things (other than see what it is) with SSH too.

Agreed.


>
> Either way... I guess it doesn't matter.  Without a security policy and
> monitoring with teeth... there's always a way around just about everything
> for senior sysadmins.
>
> And the senior folks aren't doing their jobs right if there's ways around
> security for the junior/less trusted folk.

It's not always about the senior guys doing their job right - politics
of the organization usually come into play and can trump the senior
admins' best efforts. The security policy on paper usually differs from
the security policy in practice.

It's all about what is acceptable risk for you and your organization.


Jeff
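One way to get the tight command limits discussed above when check_by_ssh cannot be avoided, as an added example that is not from this thread or from the Nagios project: an OpenSSH forced-command wrapper for the monitoring account that only runs an allowlist of plugins. The wrapper path, plugin directory and plugin names are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for the Nagios account's authorized_keys entry
# (hypothetical example; paths and plugin names are assumptions). Install as:
#   command="/usr/local/bin/nagios-wrapper --run",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa <KEY-PLACEHOLDER> nagios@monitor
# sshd then ignores whatever check_by_ssh asked for and runs this script,
# exposing the requested command only through $SSH_ORIGINAL_COMMAND.

set -f                                  # never glob-expand the untrusted request
PLUGIN_DIR="/usr/lib/nagios/plugins"    # assumed plugin location

# allow_check REQUEST: print the full command line to run and return 0 when
# REQUEST names an allowlisted plugin with benign arguments, otherwise return 1.
allow_check() {
    set -- $1                           # split the request into words
    plugin=$1
    case "$plugin" in
        check_disk|check_load|check_procs|check_swap) ;;   # explicit allowlist
        *) return 1 ;;                  # no shells, no paths, no other binaries
    esac
    shift
    for arg in "$@"; do
        # only option-like characters; rejects ; & | < > $ ` ( ) and quotes
        case "$arg" in
            *[!A-Za-z0-9_./%=,:-]*) return 1 ;;
        esac
    done
    if [ $# -eq 0 ]; then
        echo "$PLUGIN_DIR/$plugin"
    else
        echo "$PLUGIN_DIR/$plugin $*"
    fi
}

# Entry point used by sshd; refuses interactive logins and logs rejections.
run_wrapper() {
    if [ -z "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo "interactive login not permitted" >&2
        return 1
    fi
    if ! cmd=$(allow_check "$SSH_ORIGINAL_COMMAND"); then
        logger -p auth.warning -t nagios-wrapper "rejected: $SSH_ORIGINAL_COMMAND"
        return 1
    fi
    exec $cmd
}

if [ "${1:-}" = "--run" ]; then run_wrapper; fi
```

Combined with the `no-pty`/`no-*-forwarding` key options, the account can do nothing but run those four plugins, and every rejected request lands in the auth log.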
