Our goal is to make the Nagios web interface available over the Internet - securely!
Nagios
We already have a nagiosadmin user account which requires a password to log in. You should make sure that the password is secure, and even then, change it regularly.
You can change the nagiosadmin password with this command:
sudo htpasswd /usr/local/nagios/etc/htpasswd.users nagiosadmin
However, since we're using Apache's Basic Authentication, username and password are sent with every http request, only Base64-encoded, which is as good as plaintext. Our login credentials could easily be intercepted.
We could switch over to Apache's Digest Authentication, which sends a hash instead of the password itself, but it's less compatible, as most Nagios addons expect Basic Authentication and a htpasswd.users file. Even if we worked around that problem, everything else (status pages, host names, service output) would still be unencrypted, so an attacker could still sniff out a lot of potentially sensitive information.
That's why we're going to switch from http to https - then everything will be encrypted, including Apache's Basic Authentication!
How to set up Apache with SSL is usually a topic of its own and deserving of its own HOWTO. Since my tutorial is based on Ubuntu 8.04, I'll simply post the shortcuts required to properly get it up and running on a default installation.
First we install the prerequisite, OpenSSL:
sudo apt-get install openssl
Then we create an RSA key for our server. Use at least 2048 bits; the 1024-bit keys that were still common in 2008 are no longer considered safe:
sudo openssl genrsa -out /etc/ssl/private/server.key 2048
Make sure the private key is really private. Apache reads it as root when it starts, so nobody else needs access to it:
sudo chmod 600 /etc/ssl/private/server.key
Create a self-signed SSL certificate for our server, valid for one year (-days 365). When it asks for a Common Name (eg, YOUR name), enter exactly the hostname you use to access the Nagios web interface, otherwise browsers will complain that the certificate doesn't match the site. Since no CA signed it, browsers will also warn about an unknown issuer on the first visit: compare the certificate's fingerprint out of band before accepting it, or use a CA-issued certificate if the interface is reachable from the public Internet:
sudo openssl req -key /etc/ssl/private/server.key -new | sudo openssl x509 -out /etc/ssl/certs/server.crt -days 365 -signkey /etc/ssl/private/server.key -req
Enable Apache's SSL support:
sudo a2enmod ssl
Create an SSL-enabled website - here we make a copy of the default website with SSL support. The sed command relies on the layout of the stock Ubuntu 8.04 default site (a bare <VirtualHost *> and a DocumentRoot line), so inspect the resulting file before enabling it:
sed 's/\*/*:443/;/DocumentRoot/a\\tSSLEngine on\n\n\tSSLOptions +StrictRequire\n\n\tSSLCertificateFile /etc/ssl/certs/server.crt\n\tSSLCertificateKeyFile /etc/ssl/private/server.key' /etc/apache2/sites-available/default | sudo tee /etc/apache2/sites-available/ssl
Enable the SSL-enabled website:
sudo a2ensite ssl
Make the Nagios web interface require SSL:
sudo sed -i~SSLRequireSSL '/SSLRequireSSL/s/#/ /' /etc/apache2/conf.d/nagios.conf
Reload Apache to make the SSL-enabled website accessible:
sudo invoke-rc.d apache2 reload
Now you can (and have to) access Nagios with https instead of http! Plain http requests to /nagios/ are refused by SSLRequireSSL with a 403 error, so the Basic Authentication header never crosses the wire unencrypted.
For even more Nagios security, you could create a new Nagios user with a name only you know, and remove the default nagiosadmin from /usr/local/nagios/etc/htpasswd.users. Then replace all occurrences of nagiosadmin in /usr/local/nagios/etc/cgi.cfg with your new user's name. This is only a small hurdle, but it defeats password-guessing scripts that target the well-known default account name.
If you followed all of my original instructions, you'll also have various addons installed. Here's how to enable their SSL support:
check_mk
Make check_mk require SSL as well:
sudo sed -i~SSLRequireSSL 's/ErrorDocument/#&/;/<Directory/a\ SSLRequireSSL' /etc/apache2/conf.d/check_mk
PNP
Make PNP require SSL as well:
sudo sed -i~SSLRequireSSL '/<Directory/a\ \tSSLRequireSSL' /etc/apache2/conf.d/pnp4nagios.conf
NagVis
Since NagVis is installed in a subdirectory of Nagios, it already inherits its SSL requirements.
After making the above changes, reload Apache again to make sure all these addons really use SSL:
sudo invoke-rc.d apache2 reload
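As an added check that is not part of the original tutorial, the following script audits the finished setup: that the key is unreadable by other users, that certificate and key belong together, that the SSL site really enables the engine and points at that key, and that every <Directory> block in the Nagios, check_mk and PNP configs carries an active SSLRequireSSL (a commented-out "#  SSLRequireSSL" does not count). The paths are the Ubuntu 8.04 ones used above; the script name nagios-ssl-audit.sh, the hostname argument and the helper function names are my own assumptions, and the sample config lines in its tests are constructed.

```sh
#!/bin/sh
# Added audit script for the HTTPS-only Nagios setup described above. It is
# not part of the original tutorial; it assumes the Ubuntu 8.04 paths used in
# the text and that the hostname passed to live_check matches the cert's CN.

KEY=/etc/ssl/private/server.key
CERT=/etc/ssl/certs/server.crt
SITE=/etc/apache2/sites-available/ssl
CONFS="/etc/apache2/conf.d/nagios.conf
/etc/apache2/conf.d/check_mk
/etc/apache2/conf.d/pnp4nagios.conf"

# Succeeds only if "other" has no permission bits on the file, i.e. the
# private key is unreadable by unprivileged users. Reads the last three
# characters of the ls -l mode string, which is the same on GNU and BSD ls.
key_is_private() {
    mode=$(ls -ld "$1" | cut -c8-10)
    [ "$mode" = "---" ]
}

# Succeeds only if certificate and private key carry the same RSA modulus,
# i.e. Apache was really given a matching pair. An unreadable file yields an
# empty modulus, which is rejected rather than compared.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Prints the certificate's SHA-256 fingerprint so it can be compared against
# the browser's warning dialog the first time you connect to the self-signed
# certificate.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# Succeeds only if the file has at least one active SSLRequireSSL directive.
# The sample configs ship it commented out ("#  SSLRequireSSL"); the anchored,
# whitespace-only prefix deliberately does not match that.
conf_requires_ssl() {
    grep -q '^[[:space:]]*SSLRequireSSL' "$1"
}

# Stronger check: every <Directory> block in the file must contain an active
# SSLRequireSSL. One protected and one unprotected directory in the same file
# would still send the Basic Auth header over plain http for the latter.
all_dirs_require_ssl() {
    awk '
        /<Directory/                 { depth++; seen[depth] = 0 }
        /^[[:space:]]*SSLRequireSSL/ { if (depth > 0) seen[depth] = 1 }
        /<\/Directory/               { if (!seen[depth]) bad++; depth-- }
        END                          { exit (bad > 0) }
    ' "$1"
}

# Succeeds only if the SSL site turns the engine on and uses the key checked
# above, so a typo in the sed one-liner cannot leave http quietly in place.
site_has_ssl_engine() {
    grep -q '^[[:space:]]*SSLEngine[[:space:]]*on' "$1" &&
    grep -q "SSLCertificateKeyFile[[:space:]]*$KEY" "$1"
}

# Live check against the running server (needs the network; the offline
# tests do not run it): plain http to /nagios/ must be refused (403 from
# SSLRequireSSL) and https must demand a password (401) instead of serving
# anything anonymously. --cacert pins our own certificate rather than
# disabling verification with -k.
live_check() {
    host=$1
    http=$(curl -s -o /dev/null -w '%{http_code}' "http://$host/nagios/")
    https=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$CERT" "https://$host/nagios/")
    [ "$http" = 403 ] && [ "$https" = 401 ]
}

# Runs every check, prints each failure and returns non-zero if any failed.
audit() {
    rc=0
    key_is_private "$KEY"           || { echo "FAIL: $KEY is readable by others"; rc=1; }
    cert_matches_key "$CERT" "$KEY" || { echo "FAIL: $CERT does not match $KEY"; rc=1; }
    site_has_ssl_engine "$SITE"     || { echo "FAIL: $SITE lacks SSLEngine on or the key path"; rc=1; }
    for f in $CONFS; do
        all_dirs_require_ssl "$f"   || { echo "FAIL: $f has a <Directory> without SSLRequireSSL"; rc=1; }
    done
    cert_fingerprint "$CERT"
    if [ -n "$1" ]; then
        live_check "$1" || { echo "FAIL: http not refused (403) or https not password-protected (401)"; rc=1; }
    fi
    return $rc
}

# Usage (run as root on the monitoring server, hostname is hypothetical):
#   sh nagios-ssl-audit.sh audit nagios.example.com
if [ "${1:-}" = audit ]; then
    audit "${2:-}"
fi
```

The live check deliberately expects a 403 and not a redirect for plain http: SSLRequireSSL refuses the request outright, so a browser that still has the old http bookmark never gets a chance to send the Basic Authentication header in the clear.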
Finally our complete Nagios installation is SSL-secured. Now the Nagios web interface's https port (443) can be opened to the public Internet; port 80 is no longer needed, since every request to it is refused anyway.
Please keep all other security considerations in mind, e.g. only open the https port, protect everything else with a secure firewall, etc. A monitoring server is a critical system that usually has access to every other system on a network and contains a lot of sensitive information about all of your systems - keep it safe and secure!
Thanks, very useful.
Stefan, thanks for taking the time to share your knowledge.