Setting the listening address for NRPE

In this recipe, we'll learn how to make NRPE listen on a specific IP address on a target host. This might be done on hosts with multiple interfaces in order to prevent spurious requests made to the nrpe daemon from untrusted interfaces, perhaps the public Internet. It could also be appropriate for making the daemon only listen on a trusted VPN interface.

This setup can be particularly useful when the server has an interface into a dedicated management network to which the monitoring server also has access, preventing the nrpe daemon from responding to requests on other interfaces unnecessarily and thereby closing a possible security hole.

Getting ready

You should have a target host configured for checking in a Nagios Core 4.0 or later monitoring server. The target host should be running the nrpe daemon and listening on all interfaces (which we'll fix). You can verify that nrpe is running with pgrep(1) or ps(1):

# pgrep nrpe
29964
# ps -e | grep [n]rpe
nagios 29964 1 0 21:55 ? 00:00:01 nrpe

You can check whether the nrpe daemon is listening on all interfaces by checking the output of netstat(8) or ss(8):

# netstat -plnt | grep nrpe
tcp 0 0 0.0.0.0:5666 0.0.0.0:* LISTEN 29964/nrpe
# ss -l | grep nrpe
tcp LISTEN 0 5 *:nrpe   *:*
tcp LISTEN 0 5 :::nrpe  :::*

The address of 0.0.0.0 or :: shows that nrpe is listening on all interfaces, which is what we'd like to correct.

How to do it...

We can configure the nrpe daemon to only listen on one address as follows:

  1. Edit the nrpe daemon's configuration file. The default location is /usr/local/nagios/etc/nrpe.cfg. Look for the line beginning with server_address, which is normally present but commented out in the default file:
    #server_address=127.0.0.1
    

    If you don't have such a line, you can add it at the end of the file.

  2. Uncomment the line if it's commented by removing the leading # character, and change the 127.0.0.1 address to the address (one configured on an interface of this host) to which you want to restrict the nrpe process's listening:
    server_address=192.0.2.61
  3. Restart the nrpe daemon. If you have installed an init script for it, you may be able to do this with something like:
    # /etc/init.d/nrpe restart
    

    If not, you can restart the process by sending it a HUP signal with the pkill(1) command, which will prompt it to re-read its configuration file and resume running:

    # pkill -HUP nrpe
    

With this done, the nrpe daemon should now only be listening on the specified address. First confirm with pgrep(1) that the process is still running: if the address you chose is not configured on any interface of the host, nrpe cannot bind to it and will fail to start rather than fall back to listening on all interfaces. Note also that server_address only applies to nrpe running as a standalone daemon; if it is started by inetd or xinetd, the directive is ignored and the equivalent restriction belongs in the inetd or xinetd service definition instead (the bind attribute, for xinetd). We can verify the listening address using netstat(8) or ss(8):

# netstat -plnt | grep nrpe
tcp 0 0 192.0.2.61:5666 0.0.0.0:* LISTEN 29964/nrpe
# ss -l | grep nrpe
tcp LISTEN 0 5 192.0.2.61:nrpe *:*

How it works...

The server_address directive tells nrpe to bind its listening socket to that one address rather than to the wildcard address. A socket bound to a specific address never receives connections arriving on the host's other addresses; the kernel refuses them before nrpe ever sees them, so there is nothing for the daemon to respond to.

Because the nrpe daemon is explicitly designed to run commands at the request of remote servers, it's very important to take steps like this where appropriate to reduce the exposure of the service. Binding to one address limits which networks can reach the listener at all; it is not a substitute for the allowed_hosts directive, which controls which source addresses nrpe will accept check requests from, and the two should be used together.

See also

  • The Monitoring local services on a remote machine with NRPE recipe in this chapter