NagiosEnterprises / ncpa

Nagios Cross-Platform Agent

No config option to turn off listener #1067

Open tannermsmith1 opened 7 months ago

tannermsmith1 commented 7 months ago

Change notes indicate there's an option to turn off the listener on port 5693 in v3.0.0: "Added configuration option to allow only "Listener" or "Passive" functionality to be used (PhreditorNG)". Our service group prefers to only use the passive checks and not have an additional port open on the server hosts. I don't see the option available in the configuration reference to turn off the listener: https://www.nagios.org/ncpa/help.php#undefined

In the previous version, we disabled the ncpa_listener systemd unit and removed elements of [listener] from the main ncpa.cfg file.

ne-bbahn commented 7 months ago

It's not currently configurable in the configuration. It should have been and will be in the future, but right now it must be configured via modifying the launch conditions (the systemd service if using systemd) to use the parameters -l or -p for listener-only or passive-only respectively. I'll take a look at the documentation and see what needs to be updated when I get a chance.

Also, if you want to prevent traffic over port 5693, you can simply alter your firewall to disable traffic over that port. On some OSes (CentOS 9 comes to mind), installing NCPA doesn't actually open the port, so NCPA isn't actually able to be used unless a user opens that port in the firewall.

tannermsmith1 commented 7 months ago

Thanks for clarifying! I'll modify it in the systemd unit across our hosts using Ansible and track that via our company's internal Wiki.

thr03j0n4s commented 7 months ago

> It's not currently configurable in the configuration. It should have been and will be in the future, but right now it must be configured via modifying the launch conditions (the systemd service if using systemd) to use the parameters -l or -p for listener-only or passive-only respectively.

Is there a way to do this with the windows client as well?

EDIT: starting the ncpa.exe with -h I've noticed the options -p, --passive-only. Starting the .exe with said options I get the Info "option --passive-only not recognized" though.

ne-bbahn commented 7 months ago

@thr03j0n4s The Windows version works a little differently than on Linux/Mac. It might be possible to include an update in NCPA 3.1 that will allow for this functionality, but it currently doesn't support passive/listener only modes. It is currently planned for this to be configurable in the ncpa.cfg file, but as of right now it is not configurable at all on Windows.

thr03j0n4s commented 7 months ago

> @thr03j0n4s The Windows version works a little differently than on Linux/Mac. It might be possible to include an update in NCPA 3.1 that will allow for this functionality, but it currently doesn't support passive/listener only modes. It is currently planned for this to be configurable in the ncpa.cfg file, but as of right now it is not configurable at all on Windows.

So if someone stumbles upon this with the same question: I've managed to integrate the option to manage this in the ncpa.cfg myself by simply downloading the files from the repository and adding a "passive_only = false" at the end of the block [passive] (standard value in my case) in the ncpa.cfg. You'll find it under ncpa-master > agent > etc > ncpa.cfg.d. Then I've added "if config.get('passive', 'passive_only') == 'false':" above the "if not options" in line 973 of the ncpa.py. You'll find it under ncpa-master > agent. This might not be the prettiest code and may work even better at another place ... but it does its job so far in my case. Then I've built myself a new installer with the build_windows.bat under ncpa-master > build. How you can do this is explained in the BUILDING.rst directly in the root directory.

EDIT: I've just noticed that I was getting error event logs when restarting the NCPA service because of the missing functions of the listener child process. I've simply fixed that by adding a simple "if self.l != '':" and "if self.p != '':" before the self.p.terminate() and self.p.join() (or the same with self.l) starting in line 850 of ncpa.py. After this no errors occurred in the Eventlog.

EDIT 2: So it looks kinda like this:

ncpa-master > agent > etc > ncpa.cfg.d > ncpa.cfg

```ini
[...]
[passive]
[...]

# Passive-Only-Mode. Default is false
passive_only = false

# Passive checks: see ncpa.cfg.d/example.cfg to see how to specify passive checks.
# Simply uncommenting the lines in that file will make those passive checks available.
# Default: none

[...]
```

ncpa-master > agent > ncpa.py

```python
[...]
if __SYSTEM__ == 'nt':
    class WinService(win32serviceutil.ServiceFramework):
        [...]
        def main(self):
            [...]
            # Only stop child processes that were actually started
            if self.p != '':
                self.p.terminate()
                self.p.join()
            if self.l != '':
                self.l.terminate()
                self.l.join()

[...]
def start_processes(options, config, has_error):
    [...]
    if not options.get('listener_only') or options.get('passive_only'):
        p = Process(target=Passive, args=[...])
        p.daemon = True
        p.start()

    # Start the listener only when passive_only is 'false' in ncpa.cfg
    if config.get('passive', 'passive_only') == 'false':
        if not options.get('passive_only') or options.get('listener_only'):
            l = Process(target=Listener, args=[...])
            l.daemon = True
            l.start()
[...]
```

Edit 3: To switch into passive-only mode you simply change passive_only = true in ncpa.cfg (or anything else than = false). This deactivates the whole listener, so active checks obviously won't work anymore. So take this into consideration. We have used this on almost all our 200 servers for some months now and don't have any issues, but if anyone decides to use this they do this on their own responsibility. I'm working in administration and am NOT a developer outside of some hobby stuff or little scripts, nor do I contribute in any way to the NCPA project. So I obviously don't know everything about the code behind it. Just some quick solution. There definitely is some better way to do this.

@ne-bbahn feel free to review this and use parts of it for a better, safer, official solution to realize listener_only and/or passive_only modes in the future. Oh, and since you might recognize my username from Issue 1030 ... I obviously tested whether or not the problem mentioned there is a result of my passive_only modification. Even without it the phenomenon occurs. As mentioned above: Until now our systems had no problems with ncpa we could trace back to this modification.
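
The string comparison in the comment above turns the listener off for `False` or a typo and raises when the option is missing; the following added example (not part of the thread or of the NCPA code base) reads the same flag with a typed parser and shows which processes each variant would start. The `passive_only` option is the commenter's unofficial addition, and the function names and sample configs are constructed for illustration.

```python
import configparser

def _parse(cfg_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    return cp

def naive_listener_enabled(cfg_text):
    """The string comparison used in the comment above."""
    return _parse(cfg_text).get('passive', 'passive_only') == 'false'

def passive_only(cfg_text):
    """Typed read of the unofficial [passive] passive_only option."""
    try:
        # Missing section or option -> False: stock behaviour, listener runs.
        return _parse(cfg_text).getboolean('passive', 'passive_only', fallback=False)
    except ValueError:
        # Unparseable value: keep port 5693 closed rather than guess.
        return True

def processes_to_start(options, cfg_text):
    """Names of the child processes the quoted start_processes() logic would launch."""
    started = []
    if not options.get('listener_only') or options.get('passive_only'):
        started.append('passive')
    if not passive_only(cfg_text):
        if not options.get('passive_only') or options.get('listener_only'):
            started.append('listener')
    return started

# Constructed sample configs, not taken from the NCPA repository.
SAMPLES = {
    'explicit true': "[passive]\npassive_only = true\n",
    'capitalised False': "[passive]\npassive_only = False\n",
    'option missing': "[passive]\n# passive_only not set\n",
    'typo value': "[passive]\npassive_only = flase\n",
}

if __name__ == '__main__':
    for label, text in SAMPLES.items():
        try:
            naive = naive_listener_enabled(text)
        except configparser.NoOptionError:
            naive = 'NoOptionError'
        print(f"{label:18} naive listener={naive!s:14} "
              f"typed start={processes_to_start({}, text)}")
```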