Comments on Carnal0wnage Blog: Nagios and NPRE

Stahl, 2014-06-19T18:57:14.944-04:00:

I wrote some official documentation for the testing of this on Unix. I can tell you that everything in this article is dead on; most of the checks that are by scripts, especially with NRPE, are ripe for exploitation.

I don't use this method of checking anymore; SSH is a much more secure method of checking than NRPE.

Also, for anyone reading this, Nagios has a much more secure method called NRDS. All your checks are scheduled via Cron and there is no connection to the client from the server; it's all one way, from client to server only. Also, no SSH keys need to be exchanged; the security is token based. Not entirely sure how it works yet, but currently researching it.

Robert (https://www.cryptobells.com/), 2014-05-26T15:56:38.484-04:00:

Hi, I'm the author of https://www.cryptobells.com/zomg-remote-shell-exploit-or-not/. I wanted to clarify a point:

"However, if people are using the daemon I've seen this set, otherwise I don't think anyone would be able to interact with it remotely, thus to use NRPE you have to enable it."

This isn't quite true; you can indeed run NRPE without sending check arguments or setting dont_blame_nrpe to 1. It just means that all command parameters have to be defined within the NRPE config file, and not sent dynamically in the remote request from the Nagios server.

Enabling dont_blame_nrpe and defining checks that accept arbitrary remote params essentially go hand-in-hand; you can't have one without the other. It truly is a poorly designed monitoring architecture that would meet -all- of these criteria; unfortunately, there are several that I have found in real-world examples implementing monitoring in this style, and we were able to successfully leverage this as a proof-of-concept.

Thanks for checking my post! :D