Saturday, February 06, 2010

HOWTO: How to access the Nagios web interface securely over https (SSL)

If you followed my instructions on how to install Nagios with check_mk, PNP and NagVis, you'll already have a working monitoring solution by now. We'll continue where we left off and look at ways to secure our Nagios installation.

Our goal is to make the Nagios web interface available over the Internet - securely!

Nagios

We already have a nagiosadmin user account which requires a password to log in. You should make sure that the password is secure, and even then, change it regularly.

You can change the nagiosadmin password with this command:

sudo htpasswd /usr/local/nagios/etc/htpasswd.users nagiosadmin

However, since we're using Apache's Basic Authentication, username and password are sent as plaintext with every http request. Our login credentials could easily be intercepted.

We could switch over to Apache's Digest Authentication, which no longer transfers login data as plaintext, but it's less compatible as most Nagios addons expect Basic Authentication and a htpasswd.users file. Even if we worked around that problem, everything else would still be unencrypted, so an attacker could still sniff out a lot of potentially sensitive information.

That's why we're going to switch from http to https - then everything will be encrypted, including Apache's Basic Authentication!

How to set up Apache with SSL is usually a topic of its own and deserving of its own HOWTO. Since my tutorial is based on Ubuntu 8.04, I'll simply post the shortcuts required to properly get it up and running on a default installation.

First we install the prerequisite, OpenSSL:

sudo apt-get install openssl

Then we create a 1024 bit RSA key for our server:

sudo openssl genrsa -out /etc/ssl/private/server.key 1024

Make sure the private key is really private:

sudo chmod 640 /etc/ssl/private/server.key

Create an SSL certificate for our server. When it asks for a Common Name (eg, YOUR name), enter the server's hostname you use to access the Nagios web interface:

sudo openssl req -key /etc/ssl/private/server.key -new | sudo openssl x509 -out /etc/ssl/certs/server.crt -days 365 -signkey /etc/ssl/private/server.key -req

Enable Apache's SSL support:

sudo a2enmod ssl

Create an SSL-enabled website - here we make a copy of the default website with SSL support:

sed 's/\*/*:443/;/DocumentRoot/a\\tSSLEngine on\n\n\tSSLOptions +StrictRequire\n\n\tSSLCertificateFile /etc/ssl/certs/server.crt\n\tSSLCertificateKeyFile /etc/ssl/private/server.key' /etc/apache2/sites-available/default | sudo tee /etc/apache2/sites-available/ssl

Enable the SSL-enabled website:

sudo a2ensite ssl

Make the Nagios web interface require SSL:

sudo sed -i~SSLRequireSSL '/SSLRequireSSL/s/#/ /' /etc/apache2/conf.d/nagios.conf

Reload Apache to make the SSL-enabled website accessible:

sudo invoke-rc.d apache2 reload

Now you can (and have to) access Nagios with https instead of http!

For even more Nagios security, you could create a new Nagios user with a name only you know, and remove the default nagiosadmin from /usr/local/nagios/etc/htpasswd.users. Then replace all occurences of nagiosadmin in /usr/local/nagios/etc/cgi.cfg with your new user's name.

If you followed all of my original instructions, you'll also have various addons installed. Here's how to enable their SSL support:

check_mk

Make check_mk require SSL as well:

sudo sed -i~SSLRequireSSL 's/ErrorDocument/#&/;/<Directory/a\        SSLRequireSSL' /etc/apache2/conf.d/check_mk

PNP

Make PNP require SSL as well:

sudo sed -i~SSLRequireSSL '/<Directory/a\   \tSSLRequireSSL' /etc/apache2/conf.d/pnp4nagios.conf

NagVis

Since NagVis is installed in a subdirectory of Nagios, it already inherits its SSL requirements.

After making the above changes, reload Apache again to make sure all these addons really use SSL:

sudo invoke-rc.d apache2 reload

Finally our complete Nagios installation is SSL-secured. Now it's safe to open up the Nagios web interface https port (443) to the public Internet.

Please keep all other security considerations in mind - e. g. only open the https port, protect everything else with a secure firewall, etc. A monitoring server is a critical system that usually has access to every other system on a network and contains a lot of sensitive information about all of your systems - keep it safe and secure!