In this recipe, we'll learn how to make NRPE listen on a specific IP address on a target host. This might be done on hosts with multiple interfaces in order to prevent spurious requests made to the nrpe daemon from untrusted interfaces, perhaps the public Internet. It could also be appropriate for making the daemon only listen on a trusted VPN interface.
This setup can be particularly useful when the server has an interface into a dedicated management network to which the monitoring server also has access, preventing the nrpe daemon from responding to requests on other interfaces unnecessarily and thereby closing a possible security hole.
You should have a target host configured for checking in a Nagios Core 4.0 or later monitoring server. The target host should be running the nrpe daemon and listening on all interfaces (which we'll fix). You can verify that nrpe is running with pgrep(1) or ps(1):
# pgrep nrpe
29964
# ps -e | grep [n]rpe
nagios   29964     1  0 21:55 ?        00:00:01 nrpe
You can check whether the nrpe daemon is listening on all interfaces by checking the output of netstat(8) or ss(8):
# netstat -plnt | grep nrpe
tcp        0      0 0.0.0.0:5666            0.0.0.0:*               LISTEN      29964/nrpe
# ss -l | grep nrpe
tcp    LISTEN     0      5      *:nrpe     *:*
tcp    LISTEN     0      5     :::nrpe    :::*
The address of 0.0.0.0 or :: shows that nrpe is listening on all interfaces, which is what we'd like to correct.
We can configure the nrpe daemon to only listen on one address as follows:

1. Edit the nrpe daemon's configuration file. The default location is /usr/local/nagios/etc/nrpe.cfg. Look for the line beginning with server_address, which is normally commented out by default:

   #server_address=127.0.0.1

   If you don't have such a line, you can add it at the end of the file.

2. Remove the leading # character and change the 127.0.0.1 address to the address on which you want the nrpe process to listen:

   server_address=192.0.2.61

3. Restart the nrpe daemon. If you have installed an init script for it, you may be able to do this with something like:

   # /etc/init.d/nrpe restart

   If not, you can restart the process by sending it a HUP signal with the pkill(1) command, which will prompt it to re-read its configuration file and resume running:

   # pkill -HUP nrpe
With this done, the nrpe daemon should now only be listening on the specified address. We can verify this using netstat(8) or ss(8):
# netstat -plnt | grep nrpe
tcp        0      0 192.0.2.61:5666         0.0.0.0:*               LISTEN      29964/nrpe
# ss -l | grep nrpe
tcp    LISTEN     0      5      192.0.2.61:nrpe    *:*
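The three steps above (edit server_address, restart, verify the listening socket) can be scripted so they are repeatable and checkable. The following POSIX shell functions are an added example written for this page, not code from the book or from the NRPE project. They assume an nrpe.cfg in the layout shown above (a possibly commented server_address= line) and ss -lnt style output; the config file, the address 192.0.2.61 and the ss lines used in the demo are constructed samples, and the script never touches a real /usr/local/nagios/etc/nrpe.cfg unless you pass that path yourself.

```shell
#!/bin/sh
# Added example (not from the book): set server_address in an nrpe.cfg
# idempotently and detect wildcard (all-interface) listeners on port 5666.

# set_nrpe_server_address CFG ADDR
# Replaces an existing server_address= line (commented out or not) with
# server_address=ADDR, or appends one if the file has none. Edits via a
# temp file so a failed write never leaves a truncated config behind.
set_nrpe_server_address() {
    cfg=$1
    addr=$2
    tmp="$cfg.tmp.$$"
    if grep -q '^[[:space:]]*#\{0,1\}[[:space:]]*server_address=' "$cfg"; then
        sed "s|^[[:space:]]*#\{0,1\}[[:space:]]*server_address=.*|server_address=$addr|" "$cfg" > "$tmp"
    else
        cp "$cfg" "$tmp"
        printf 'server_address=%s\n' "$addr" >> "$tmp"
    fi
    mv "$tmp" "$cfg"
}

# nrpe_server_address CFG
# Prints the effective (uncommented) server_address, or ALL when it is
# unset, because nrpe then binds every interface, as in the netstat output.
nrpe_server_address() {
    val=$(sed -n 's/^[[:space:]]*server_address=//p' "$1" | tail -n 1)
    if [ -z "$val" ]; then echo ALL; else echo "$val"; fi
}

# wildcard_listeners
# Reads `ss -lnt` output on stdin and prints each LISTEN socket on port
# 5666 whose local address is a wildcard (0.0.0.0, *, :: or [::]).
# Output is empty once nrpe is bound to a single address.
wildcard_listeners() {
    awk '$1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port == "5666" && (addr == "0.0.0.0" || addr == "*" ||
                                   addr == "::" || addr == "[::]"))
                print $4
         }'
}

# Stand-alone demo on a constructed copy of nrpe.cfg (never the real file).
demo_dir=$(mktemp -d)
printf '#server_address=127.0.0.1\nserver_port=5666\n' > "$demo_dir/nrpe.cfg"
echo "before: $(nrpe_server_address "$demo_dir/nrpe.cfg")"
set_nrpe_server_address "$demo_dir/nrpe.cfg" 192.0.2.61
echo "after:  $(nrpe_server_address "$demo_dir/nrpe.cfg")"
rm -rf "$demo_dir"
```

On a real host you would call set_nrpe_server_address against the daemon's actual nrpe.cfg, restart nrpe as in step 3, and then pipe `ss -lnt` into wildcard_listeners: any line it prints means the daemon is still reachable on every interface and the change has not taken effect.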
The configuration we adjusted defines an address on which the nrpe daemon should listen and implies that it should not respond to requests on any others.
Because the nrpe server is explicitly designed to run commands at the request of remote servers, it's very important to take steps like this where appropriate to prevent attackers from exploiting the service.