NagiosEnterprises / nrpe

NRPE Agent
GNU General Public License v2.0

check_nrpe : SSL with NSClient++ #220

Closed kopilim96 closed 4 years ago

kopilim96 commented 4 years ago

Hi all, I am using CentOS v6 (as a monitor host) to monitor 100+ Windows machines (as remote hosts, i.e. the ones being monitored). In order to secure the communication between all the machines, is it a MUST to generate the cert and key one by one and implement them on each machine, OR can I just generate one cert and one key and implement them on all the Windows machines?

PS: I followed the guide to generate the CA, cert, key from https://www.altaro.com/hyper-v/securely-monitor-hyper-v-nagios-nsclient/

sawolf commented 4 years ago

Going by that guide, the NSClient++ certificates should probably be generated one-by-one for maximum security. Whether you think the added security is worth the time you'll put in to configuring these (or creating automation that performs the task for you) is really down to your own judgement.
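The per-host issuance discussed above can be scripted on the monitoring host. This is an added example, not part of the thread or the linked guide: it assumes `openssl` is installed, and the CA name, hostnames and file layout are constructed for illustration.

```bash
# Added example: one private CA, one key and certificate per monitored host.
# Hostnames, file names and lifetimes below are constructed for illustration.
set -eu

# make_ca DIR: create the CA key and self-signed CA certificate in DIR.
make_ca() {
    local dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Monitoring CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    chmod 600 "$dir/ca.key"
}

# issue_host DIR HOST: new key pair for HOST, certificate signed by the CA.
issue_host() {
    local dir=$1 host=$2
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$host.csr" -days 365 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$host.pem" 2>/dev/null
    chmod 600 "$dir/$host.key"
    rm -f "$dir/$host.csr"
}

# issue_all DIR LIST: issue a certificate for every hostname in LIST (one per line).
issue_all() {
    local dir=$1 list=$2 host
    while IFS= read -r host; do
        if [ -n "$host" ]; then issue_host "$dir" "$host"; fi
    done < "$list"
}

# distinct_keys DIR: print how many different public keys the host certs carry.
distinct_keys() {
    local dir=$1 cert
    for cert in "$dir"/*.pem; do
        if [ "$cert" != "$dir/ca.pem" ]; then
            openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256
        fi
    done | sort -u | wc -l | tr -d ' '
}

# Demo in a throwaway directory with three constructed hostnames.
demo=$(mktemp -d)
printf '%s\n' win01.example.test win02.example.test win03.example.test > "$demo/hosts.txt"
make_ca "$demo"
issue_all "$demo" "$demo/hosts.txt"
echo "host certificates: 3, distinct keys: $(distinct_keys "$demo")"
```

With one key per host, a key recovered from a single machine identifies only that machine, so only that certificate has to be replaced. Each `HOST.key` still has to reach its host over a trusted channel, and the agent-side TLS configuration is not shown here.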

kopilim96 commented 4 years ago

Thanks for the reply. I have another question on my mind.

check_nt, check_nrpe, check_by_ssh

Of these 3 plugins, which one is better for monitoring Windows machines (with NSCP installed), and which one is better for security?

Your reply and explanation are appreciated. Thanks.

ericloyd commented 4 years ago

check_nt is the least secure as it uses an older protocol.

check_nrpe is medium secure as it can be wrapped in SSL but requires that a shared token be used to authenticate the server to the client.

check_by_ssh relies on SSH keys being set up. SSH keys rely on system-level security and server fingerprint keys that are essentially impossible to intercept or duplicate. One could argue that this is the most "secure" of all of these. However, this may also be the most limiting agent, as it requires an SSH server running on the remote machine; something many non-Unix machines do not have (Windows, network devices, routers, etc.).

You may want to consider the Nagios Cross Platform Agent (NCPA) as well, which is similar in security to NRPE but is, well, cross-platform independent and significantly easier to implement than NRPE.

kopilim96 commented 4 years ago

Thanks for your info @ericloyd, appreciate it!

This issue can be closed as I have got the answer. Thanks guys.