zarzax the blog

Enhanced Nagios; CGI Security and Authentication

by Mark on Nov.03, 2008, under Nagios, sysadmin

Over the past few days we have been tackling a nasty Cross Site Request Forgery (CSRF) bug in Nagios 3.0.4. With our bug fix I updated the Nagios documentation to include some information on Enhanced CGI Security and Authentication. This is a much needed addition that answers some of the communities questions regarding different ways to secure Nagios. This post will rehash much of what I wrote about in the documentation. There are many ways to enhance the security of your monitoring server and Nagios environment. This should not be taken as the end all approach to security. Instead, think of it as an introduction to some of the techniques you can use to tighten the security of your system. As always, you should do your research and use the best techniques available. Treat your monitoring server as it were the most important server in your network and you shall be rewarded.

My greatest recommendation for a secure Nagios installation would be a mixture of the techniques I am describing but also to not open the Nagios server outside your internal network. Additional Techniques

  • Stronger Authentication using Digest Authentication. If you have followed the quickstart guides, chances are that you are using Apache’s Basic Authentication. Basic Authentication will send your username and password in “clear text” with every http request. Consider using a more secure method of authentication such as Digest Authentication which creates a MD5 Hash of your username and password to send with each request.
  • Forcing TLS/SSL for all Web Communication. Apache provides TLS/SSL through the mod_ssl module. TLS/SSL provides a secure tunnel between the client and server that prevents eavesdropping and tampering using strong publickey/privatekey cryptography.
  • Locking Down Apache Using Access Controls. Consider locking down access to the Nagios box to your IP address, IP address range, or IP subnet. If you require access outside your network you could use VPN or SSH Tunnels. This is a easy and strong to limit access to HTTP/HTTPS on your system.

Implementing Digest Authentication
The implementation of Digest Authentication is simple. You will have to create the new type of password file using the ‘htdigest’ tool, then modify the Apache configuration for nagios (typically /etc/httpd/conf.d/nagios.conf).
Create a new passwords file using the ‘htdigest’ tool. The difference that you will notice if you are familiar with ‘htpasswd’ tools is the requirement to supply a ‘realm’ argument. Where ‘realm’ in this case refers to the value of the ‘AuthName’ directive in the Apache configuration.

htdigest -c /usr/local/nagios/etc/.digest_pw "Nagios Access" nagiosadmin

Next, edit the Apache configuration file for Nagios (typically /etc/httpd/conf.d/nagios.conf) using the following example.

## BEGIN APACHE CONFIG SNIPPET - NAGIOS.CONF
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

     Options ExecCGI
     AllowOverride None
     Order allow,deny
     Allow from all
     AuthType Digest
     AuthName "Nagios Access"
     AuthUserFile /usr/local/nagios/etc/.digest_pw
     Require valid-user


Alias /nagios "/usr/local/nagios/share"

     Options None
     AllowOverride None
     Order allow,deny
     Allow from all
     AuthType Digest
     AuthName "Nagios Access"
     AuthUserFile /usr/local/nagios/etc/.digest_pw
     Require valid-user

## END APACHE CONFIG SNIPPETS

Then, restart the Apache service so the new settings can take effect.

/etc/init.d/httpd restart

Implementing Forced TLS/SSL
Make sure you’ve installed Apache and OpenSSL. By default you should have mod_ssl support if you are still having trouble you may find help reading Apache’s TLS/SSL Encryption Documentation.

Next, verify that TLS/SSL support is working by visiting your Nagios Web Interface using HTTPS (https://your.domain/nagios). If it is working you can continue on to the next steps that will force using HTTPS and block all HTTP requests for the Nagios Web Interface. If you are having trouble visit Apache’s TLS/SSL Encryption Documentation and Google for troubleshooting your specific Apache installation.

Next, edit the Apache configuration file for Nagios (typically /etc/httpd/conf.d/nagios.conf) by adding the ‘SSLRequireSSL’ directive to both the ’sbin’ and ’share’ directories.

## BEGIN APACHE CONFIG SNIPPET - NAGIOS.CONF
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

     ...
     SSLRequireSSL
     ...


Alias /nagios "/usr/local/nagios/share"

     ...
     SSLRequireSSL
     ...

## END APACHE CONFIG SNIPPETS

Restart the Apache service so the new settings can take effect.

/etc/init.d/httpd restart

Implementing IP subnet lockdown
The following example will show how to lock down Nagios CGIs to a specific IP address, IP address range, or IP subnet using Apache’s access controls.
Edit the Apache configuration file for Nagios (typically /etc/httpd/conf.d/nagios.conf) by using the ‘Allow’, ‘Deny’, and ‘Order’ directives using the following as an example.

## BEGIN APACHE CONFIG SNIPPET - NAGIOS.CONF
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

     ...
     AllowOverride None
     Order deny,allow
     Deny from all
     Allow from 127.0.0.1 10.0.0.25		# Allow single IP addresses
     Allow from 10.0.0.0/255.255.255.0		# Allow network/netmask pair
     Allow from 10.0.0.0/24			# Allow network/nnn CIDR spec
     ...


Alias /nagios "/usr/local/nagios/share"

     ...
     AllowOverride None
     Order deny,allow
     Deny from all
     Allow from 127.0.0.1 10.0.0.25		# Allow single IP addresses
     Allow from 10.0.0.0/255.255.255.0		# Allow network/netmask pair
     Allow from 10.0.0.0/24			# Allow network/nnn CIDR spec
     ...

## END APACHE CONFIG SNIPPET

Important Notes

  • Digest Authentication sends data in the clear but not your username and password.
  • Digest Authentication is not as universally supported as Basic Authentication.
  • TLS/SSL has potential for “man-in-the-middle attacks. MITM attacks are vulnerable if an attacker is able to insert itself between the server and client such as in a Phishing attack, ISP monitoring, or corporate LAN firewall certificate resigning. So read up on certificate verification!
  • Apache access controls only protect the HTTP/HTTPS protocols. Look into IPtables for strong system wide firewall control.
  • Most importantly, Security is a moving target so stay informed and do research! Perhaps by listening to a Podcast such as “Security Now!“.
:, , ,

1 Comment for this entry

Leave a Reply

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!

Visit our friends!

A few highly recommended friends...

Archives

All entries, chronologically...