Nagios Conference 2013 - Spenser Reinhardt - Securing Your Nagios Server


Spenser Reinhardt's presentation on Securing Your Nagios Server.
The presentation was given during the Nagios World Conference North America held Sept 20-Oct 2nd, 2013 in Saint Paul, MN. For more information on the conference (including photos and videos), visit:



  1. Securing Your Nagios Server
     Spenser Reinhardt

     Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare. Information poses more of a problem. It can exist in more than one place; be transported halfway across the planet in seconds; and be stolen without your knowledge. — Bruce Schneier
  2. Who am I?
     • Nagios employee (2012)
     • Active Def Con member and speaker
     • OWASP member
     • CTF creator

     Better be despised for too anxious apprehensions, than ruined by too confident security. — Edmund Burke
  3. Why Should You Care?
     • The number of attacks per year keeps increasing
     • The sophistication of attacks keeps increasing
     • Whether you like it or not, chances are you will be a target
     • Nagios servers hold many privileged keys and credentials

     Privacy is not for the passive. — Jeffrey Rosen
  4. Overview
     • Apache modifications
     • Database alterations
     • Iptables rules
     • OS lockdown

     Better be despised for too anxious apprehensions, than ruined by too confident security. — Edmund Burke
  5. Why You Should Consider This
     • The server holds vital network information
     • It notifies administrators and teams of issues
     • Relatively low difficulty

     The Defender's Dilemma: "An attacker need only find one way onto the network, a defender must close all holes."
  6. Apache Modifications Overview
     • Remove Apache and PHP version strings
     • Virtual host restrictions
     • Forced SSL redirection
     • Stronger SSL certificates and algorithms
     • Mod_Security

     "Security through obscurity is only secure until it is discovered."
  7. Removing Version Information

     Apache (/etc/httpd/conf/httpd.conf):
       ServerTokens ProductOnly
       ServerSignature Off

     PHP (/etc/php.ini):
       expose_php = Off

     Restart httpd after editing either file. Response headers afterwards: the Server header carries no version and there is no X-Powered-By header.
       HTTP/1.1 302 Found
       Date: Sat, 21 Sep 2013 15:51:01 GMT
       Server: Apache
       Location: https:///
       Connection: close
       Content-Type: text/html; charset=iso-8859-1

     Hiding the version removes a shortcut for attackers scanning for known-vulnerable releases; it does not replace patching.

     Security breaches usually entail more recovery efforts than acts of God. Unlike proverbial lightning, breaches of security can be counted on to strike twice unless the route of compromise has been shut off. — FedCIRC
  8. Restricting Apache Virtual Hosts

     /etc/httpd/conf.d/nagiosxi.conf (default): everyone is allowed
       Order allow,deny
       Allow from all
       # Order deny,allow
       # Deny from all
       # Allow from <admin network>

     /etc/httpd/conf.d/nagiosxi.conf (restricted): deny by default, then allow only the management network
       # Order allow,deny
       # Allow from all
       Order deny,allow
       Deny from all
       Allow from <admin network>

     <admin network> is a placeholder for the hosts or CIDR range that should reach the web interface. Unlike iptables, where the first matching rule wins, Apache 2.2's Order directive evaluates the two groups of directives in the stated sequence and the group named last takes precedence: with "Order deny,allow", a client matched by "Deny from all" is still admitted if it also matches an Allow line, and a client matching neither directive is allowed, so the "Deny from all" line is what makes the restriction work. On Apache 2.4 (RHEL/CentOS 7 and later) the same restriction is written with "Require ip".

     Security is always excessive until it's not enough. — Robbie Sinclair, Head of Security, Country Energy, NSW Australia
  9. Force SSL Redirection

     /etc/httpd/conf.d/https.conf
       RewriteEngine On
       RewriteCond %{HTTPS} off
       RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

     Forces every page requested over http to redirect to https. Pages can still be requested insecurely, but the server answers immediately with a redirect instead of content; the [R,L] flags make the external redirect explicit and stop further rule processing. The first plain-http request, including any cookie the browser attaches to it, still crosses the wire in the clear, so pair the redirect with a Strict-Transport-Security header and the Secure flag on the session cookie.

     There are risks and costs to a program of action--but they are far less than the long range cost of comfortable inaction. — John F. Kennedy
 10. Increasing SSL Security

     The -aes256 option makes openssl encrypt the private key with a passphrase, and Apache would then prompt for it on every start. So generate the key with a passphrase, then strip the passphrase again before generating anything else:

       cd /etc/pki/tls/private
       openssl genrsa -aes256 -out ca.key.pass 2048
       OR
       openssl genrsa -aes256 -out ca.key.pass 4096

     Type the passphrase you chose above when asked; the following command writes an unencrypted copy of the key:

       openssl rsa -in ca.key.pass -out ca.key
       openssl req -new -key ca.key -out ca.csr
       openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
       cp ca.crt ../certs/

     Despite the file names this produces a self-signed server certificate, not a CA: browsers will warn until the certificate is imported, or you have ca.csr signed by your organisation's own CA instead. Keep ca.key readable by root only.

     One person's "paranoia" is another person's "engineering redundancy." — Marcus J. Ranum
 11. Increasing SSL Security (2)

     Modify the files in /etc/httpd/conf.d to add the following lines directly after the </Directory> line:

       <VirtualHost *:443>
         SSLEngine on
         SSLProtocol all -SSLv2
         SSLCipherSuite DHE-RSA-AES256-SHA:ALL:!ADH:!EXPORT:!SSLv2:!RC2:!CAMELLIA256:!3DES:!DES-CBC3-SHA:!RC4:+HIGH:!MEDIUM:!LOW
         SSLCertificateFile /etc/pki/tls/certs/ca.crt
         SSLCertificateKeyFile /etc/pki/tls/private/ca.key
         <Directory "/usr/local/nagiosxi/html">
           AllowOverride All
         </Directory>
       </VirtualHost>

     These settings were current in 2013. SSLv3 and TLS 1.0/1.1 have since been broken or deprecated, so on a current server use "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1", and check what a cipher string actually enables with "openssl ciphers -v" before restarting httpd.

     Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts across the electrified borders. — Ronald Reagan
 12. Mod_Security

     Install the ModSecurity packages:
       yum install mod_security mod_security_crs mod_security_crs-extras

     Download and copy my exclusions rule list:
       cd /tmp
       wget
       cp /tmp/mod_security_excluded_rules.conf /etc/httpd/conf.d/

     Troubleshooting: watch which rules fire while you click through the Nagios XI interface (the interval expression needs extended regex, hence -E):
       tail -f /var/log/httpd/error_log | grep -oE "/etc/httpd/modsecurity.d/activated_rules/.{0,75}"

     A match looks like this in the log; the id is what you need:
       /etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"]

     Disable a rule that misfires:
       SecRuleRemoveById [ID Number]

     Run with "SecRuleEngine DetectionOnly" until the exclusion list is complete, otherwise legitimate Nagios XI requests get a 403 and configuration changes silently fail. Only exclude rules that fired on traffic you know was legitimate.

     The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We cause accidents. — Nathaniel Borenstein
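The troubleshooting step above is easier with a script than with a tail. The following bash is an added example, not code from the talk or from Nagios: it reads ModSecurity events from an Apache error_log, keeps only those caused by a client you trust (an administrator who was deliberately clicking through the UI), and emits path-scoped exclusions, so a rule is disabled only for the URI where it misfires and never because it fired on attack traffic. The log lines are constructed; rule 950901 and its file/line come from the slide, 973300 is a CRS XSS rule id used here only as a second example, and the client addresses are placeholders.

```bash
#!/bin/bash
# Added example, not from the slides: turn ModSecurity error_log noise into
# path-scoped SecRuleRemoveById exclusions, considering only a trusted client.

# Constructed sample in the ModSecurity 2.x / Apache 2.2 error_log format.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[Sat Sep 21 15:51:01 2013] [error] [client 10.0.0.5] ModSecurity: Warning. Pattern match "(?i:\bunion\b)" at ARGS:host_name. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack"] [hostname "nagios"] [uri "/nagiosxi/includes/components/ccm/index.php"] [unique_id "UjmJ9X8AAAEAABf0AbwAAAAA"]
[Sat Sep 21 15:51:02 2013] [error] [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i)<script" at ARGS:notes. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "20"] [id "973300"] [msg "XSS Attack Detected"] [hostname "nagios"] [uri "/nagiosxi/includes/components/ccm/index.php"] [unique_id "UjmJ9n8AAAEAABf0AbxAAAAB"]
[Sat Sep 21 15:51:03 2013] [error] [client 10.0.0.5] ModSecurity: Warning. Pattern match "(?i:\bunion\b)" at ARGS:username. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack"] [hostname "nagios"] [uri "/nagiosxi/login.php"] [unique_id "UjmJ938AAAEAABf0AbyAAAAC"]
[Sat Sep 21 15:51:04 2013] [error] [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:\bunion\b)" at ARGS:username. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack"] [hostname "nagios"] [uri "/nagiosxi/login.php"] [unique_id "UjmJ-H8AAAEAABf0AbzAAAAD"]
EOF

# modsec_events LOGFILE CLIENT_IP -> unique "uri ruleid" pairs triggered by that client.
# Matches "[client 10.0.0.5]" (Apache 2.2) and "[client 10.0.0.5:54321]" (Apache 2.4).
modsec_events() {
  local log=$1 ip_re
  ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')          # literal dots in the address
  grep -E "\[client ${ip_re}(:[0-9]+)?\] ModSecurity:" "$log" |
    sed -n 's/.*\[id "\([0-9][0-9]*\)"\].*\[uri "\([^"]*\)"\].*/\2 \1/p' |
    sort -u
}

# modsec_event_count LOGFILE CLIENT_IP -> number of distinct (uri, rule) pairs.
modsec_event_count() { modsec_events "$1" "$2" | awk 'END { print NR }'; }

# modsec_exclusions LOGFILE CLIENT_IP -> Apache config disabling each rule only for
# the URI where it misfired (SecRuleRemoveById is valid inside <LocationMatch>).
modsec_exclusions() {
  modsec_events "$1" "$2" | awk '
    { ids[$1] = ids[$1] " " $2 }
    END {
      for (u in ids) {
        esc = u; gsub(/\./, "\\.", esc)                 # URI is used as a regex
        printf "<LocationMatch \"^%s$\">\n    SecRuleRemoveById%s\n</LocationMatch>\n", esc, ids[u]
      }
    }'
}

# Events from the admin workstation become exclusions; the 203.0.113.9 probe does not.
modsec_exclusions "$SAMPLE_LOG" 10.0.0.5
```

Save the output as a file in /etc/httpd/conf.d (the slide's mod_security_excluded_rules.conf does the same job with global SecRuleRemoveById lines), reload httpd, and repeat from a fresh error_log until a full walk through the UI produces no new events.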
 13. Database Alterations - Root User

     Change the MySQL root password (the Nagios XI default is "nagiosxi"):
       mysqladmin -u root -pnagiosxi password NewPassword

     Then update every place Nagios XI stores it:
       /root/scripts/automysqlbackup
         PASSWORD=NewPassword
       /usr/local/nagiosxi/scripts/
         mysqlpass="NewPassword"
       /usr/local/nagiosxi/scripts/
         mysqlpass="NewPassword"
       /usr/local/nagiosxi/var/xi-sys.cfg
         mysqlpass='NewPassword'

     A password given on the command line (-pnagiosxi) shows up in the process list and in the shell history; use -p alone and type it at the prompt.

     Phishing is a major problem because there really is no patch for human stupidity — Mike Danseglio
 14. Database Alteration - Changing Passwords

     Changing a MySQL password for non-root users (these are SQL statements, so they go through the mysql client, not mysqladmin):
       mysql -u root -p
       use mysql;
       set password for 'ndoutils'@'localhost' = password('NewPassword');
       flush privileges;
       quit;

     When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else. — David Brin
 15. Database Alterations - NagiosQL User

     The NagiosQL password ("n@gweb" by default) is repeated in several files, and every copy must change, including the fallback default passed to grab_array_var(), which is used whenever the configured value is missing:
       /usr/local/nagiosxi/html/
         "pwd" => 'n@gweb',
         "password" => 'n@gweb',
       /usr/local/nagiosxi/html/
         "pwd" => 'n@gweb',
         "password" => 'n@gweb',
       /usr/local/nagiosxi/html/
         "pwd" => 'n@gweb',
         "password" => 'n@gweb',
       /usr/local/nagiosxi/etc/components/
         "password" => "n@gweb",
       /usr/local/nagiosxi/html/includes/components/ccm/
         'password' => 'n@gweb',
       /usr/local/nagiosxi/html/includes/components/ccm/
         $password = grab_array_var($cfg['db_info']['nagiosql'], 'pwd', 'n@gweb');

     Men are only as good as their technical development allows them to be. — George Orwell
 16. Database Alterations - Ndoutils User

     The ndoutils password ("n@gweb" by default) lives in the NDO daemon config, the web interface and NagVis; restart ndo2db after changing db_pass:
       /usr/local/nagios/etc/ndo2db.cfg
         db_pass=n@gweb
       /usr/local/nagiosxi/html/
         "pwd" => 'n@gweb',
       /usr/local/nagiosxi/html/
         "pwd" => 'n@gweb',
       /usr/local/nagiosxi/html/
         "pwd" => 'n@gweb',
       /usr/local/nagvis/etc/nagvis.ini.php
         dbpass="n@gweb"

     Be careful and you will save many men from the sin of robbing you. — Ed Howe
 17. Database Alterations - Postgres

     Change the password in the database:
       psql -U nagiosxi
       ALTER USER nagiosxi WITH PASSWORD 'NewPassword';

     Then replace the stored default (shown as installed) with the new value:
       /usr/local/nagiosxi/var/xi-sys.cfg
         pgsqlpass='nagiosxi'
       /usr/local/nagiosxi/scripts/
         pg_dump -c -U nagiosxi nagiosxi > $mydir/pgsql/nagiosxi.sql
       /usr/local/nagiosxi/scripts/
         psql -U nagiosxi nagiosxi < pgsql/nagiosxi.sql
       /usr/local/nagiosxi/html/
         "pwd" => 'n@gweb',
       /usr/local/nagiosxi/html/
         "pwd" => 'n@gweb',
       /usr/local/nagiosxi/html/
         "pwd" => 'n@gweb',

     pg_dump and psql take no password on the command line; if pg_hba.conf requires one for the nagiosxi role, the backup and restore scripts need it from ~/.pgpass or the PGPASSWORD variable.

     One of the tests of leadership is the ability to recognize a problem before it becomes an emergency. — Arnold Glascow
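Slides 13 to 17 list the same default secret in a dozen files, and a copy that is missed keeps working for anyone who knows the default. The following bash is an added example, not code from the talk or from Nagios XI: it rotates a literal secret across a list of files with a backup and a final sweep for leftovers. Because the file paths on the slides are truncated, it runs against a constructed sandbox whose files have the same shapes (PHP array entries, ndo2db.cfg, nagvis.ini.php, xi-sys.cfg); the file names and the new password are assumptions. The replacement is literal (awk index/substr rather than sed), so passwords containing @, &, / or backslashes come through unchanged.

```bash
#!/bin/bash
# Added example, not from the slides: rotate a hard-coded database password in every
# file that embeds it, keep a backup, and verify no copy of the old secret remains.

# rotate_secret OLD NEW FILE... : rewrite each FILE in place, keeping a mode-0600 backup.
rotate_secret() {
  local old=$1 new=$2 f tmp
  shift 2
  for f in "$@"; do
    if ! grep -qF -- "$old" "$f"; then
      echo "unchanged (old value not present): $f"
      continue
    fi
    cp -p "$f" "$f.bak" && chmod 600 "$f.bak"      # the backup still holds the old secret
    tmp=$(mktemp)
    # Pass the strings through ENVIRON, not -v, so awk does not interpret backslashes.
    OLD="$old" NEW="$new" awk '
      BEGIN { old = ENVIRON["OLD"]; new = ENVIRON["NEW"]; n = length(old) }
      {
        line = $0; out = ""
        while ((i = index(line, old)) > 0) {        # literal, repeated, left to right
          out = out substr(line, 1, i - 1) new
          line = substr(line, i + n)
        }
        print out line
      }' "$f" > "$tmp"
    cat "$tmp" > "$f"      # write through the existing inode: owner and mode stay intact
    rm -f "$tmp"
    echo "updated: $f"
  done
}

# leftovers SECRET FILE... : list non-backup files that still contain SECRET.
leftovers() {
  local s=$1 f; shift
  for f in "$@"; do
    case $f in *.bak) continue ;; esac
    grep -qF -- "$s" "$f" && echo "$f"
  done
  return 0
}

# --- constructed sandbox standing in for the truncated paths on the slides ---
SANDBOX=$(mktemp -d)
cat > "$SANDBOX/config.inc.php" <<'EOF'
<?php
$cfg['db_info']['nagiosql'] = array("user" => "nagiosql", "pwd" => 'n@gweb');
$password = grab_array_var($cfg['db_info']['nagiosql'], 'pwd', 'n@gweb');
EOF
cat > "$SANDBOX/ndo2db.cfg" <<'EOF'
db_user=ndoutils
db_pass=n@gweb
EOF
cat > "$SANDBOX/nagvis.ini.php" <<'EOF'
dbuser="nagvis"
dbpass="n@gweb"
EOF
cat > "$SANDBOX/xi-sys.cfg" <<'EOF'
mysqlpass='nagiosxi'
pgsqlpass='nagiosxi'
EOF

NEWPASS='Tr0ub4dor&3/x'      # assumed value; deliberately contains sed metacharacters
rotate_secret 'n@gweb' "$NEWPASS" "$SANDBOX"/*
echo "files still holding the old password: $(leftovers 'n@gweb' "$SANDBOX"/*)"
```

The database side (SET PASSWORD / ALTER USER) is a separate step, as is restarting httpd, ndo2db and nagios; xi-sys.cfg is reported as unchanged because the MySQL root default ("nagiosxi") is a different credential and is rotated on its own. Delete the .bak files once the services are back up, since they still contain the old secret.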
 18. Locking Down IPtables

     Flush everything, default-deny, then allow only what Nagios XI needs. <src> stands for the network allowed to reach each service and <this host> for the server's own address:
       iptables -F
       iptables -X
       iptables -P INPUT DROP
       iptables -P OUTPUT DROP
       iptables -P FORWARD DROP
       iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 22 -s <src> -j ACCEPT
       iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 80 -s <src> -j ACCEPT
       iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 443 -s <src> -j ACCEPT
       iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 5667 -s <src> -j ACCEPT
       iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 162 -s <src> -j ACCEPT
       iptables -A INPUT -m state --state NEW -p udp --dport 53 -s <src> -j ACCEPT
       iptables -A INPUT -m state --state ESTABLISHED -p tcp -s <src> -j ACCEPT
       iptables -A OUTPUT -s <this host> -j ACCEPT
       service iptables save

     Port 5667 is NSCA (passive check results) and 162 is SNMP traps. Three things to fix before using this as written: SNMP traps arrive over UDP, so the 162 rule needs -p udp; nothing accepts the loopback interface (-i lo), so local connections to MySQL or PostgreSQL over 127.0.0.1 are dropped; and the ESTABLISHED rule is limited to TCP from <src>, so UDP replies such as DNS answers, and replies from monitored hosts outside <src>, never get in (a general ESTABLISHED,RELATED accept without -p or -s is the usual form). Apply the whole script from the console or as one iptables-restore transaction: running "-P INPUT DROP" over SSH before the port-22 rule exists cuts off your own session.

     It's not good enough to have a system where everyone (using the system) must be trusted, it must also be made robust against insiders! — Robert Morris
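Rule sets like the one above are usually checked by applying them and seeing what breaks. The following bash is an added example, not code from the talk: a small linter that reads an iptables-save dump and flags the gaps discussed above (no loopback accept, no general ESTABLISHED accept, SNMP traps on TCP, SSH open to the world) without needing root or a running kernel. The two rule sets are constructed; 10.0.0.0/24 as the admin network and 192.0.2.10 as the server address are placeholders.

```bash
#!/bin/bash
# Added example, not from the slides: lint an iptables-save dump for common mistakes
# before it is loaded with iptables-restore / service iptables save.

# lint_iptables SAVEFILE : one finding per line; return value = number of findings.
lint_iptables() {
  awk '
    function flag(msg) { print "FINDING: " msg; n++ }
    /^:INPUT / { input_policy = $2 }
    /^-A INPUT / {
      if ($0 ~ /-i lo( |$)/ && $0 ~ /-j ACCEPT/) lo_ok = 1
      # a conntrack accept that is not narrowed to one protocol or one source network
      if ($0 ~ /ESTABLISHED/ && $0 ~ /-j ACCEPT/ && $0 !~ /-p / && $0 !~ /-s /) est_ok = 1
      if ($0 ~ /--dport 162( |$)/ && $0 ~ /-p tcp/)
        flag("TCP/162 accepted, but SNMP traps arrive on UDP/162: " $0)
      if ($0 ~ /--dport 22( |$)/ && $0 !~ /-s /)
        flag("SSH accepted from any source; add -s <admin network>: " $0)
    }
    END {
      if (input_policy == "DROP" && !lo_ok)
        flag("INPUT policy DROP with no loopback accept; local DB connections over 127.0.0.1 fail")
      if (input_policy == "DROP" && !est_ok)
        flag("no general ESTABLISHED,RELATED accept on INPUT; UDP replies (DNS) and replies from hosts outside -s are dropped")
      exit n
    }' "$1"
}

# lint_count SAVEFILE : number of findings, for scripts and checks.
lint_count() { lint_iptables "$1" | awk 'END { print NR }'; }

# Constructed: the slide's rules in iptables-save form.
RULES=$(mktemp)
cat > "$RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 22 -s 10.0.0.0/24 -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 80 -s 10.0.0.0/24 -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 443 -s 10.0.0.0/24 -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 5667 -s 10.0.0.0/24 -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 162 -s 10.0.0.0/24 -j ACCEPT
-A INPUT -m state --state NEW -p udp --dport 53 -s 10.0.0.0/24 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -p tcp -s 10.0.0.0/24 -j ACCEPT
-A OUTPUT -s 192.0.2.10 -j ACCEPT
COMMIT
EOF

# Constructed: the same intent with the gaps closed. Loopback first, one conntrack
# accept for all replies, NEW connections only where listed, traps on UDP.
FIXED=$(mktemp)
cat > "$FIXED" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/24 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 80 -s 10.0.0.0/24 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -s 10.0.0.0/24 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 5667 -s 10.0.0.0/24 -j ACCEPT
-A INPUT -p udp --dport 162 -s 10.0.0.0/24 -j ACCEPT
-A INPUT -p udp --dport 53 -s 10.0.0.0/24 -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF

lint_iptables "$RULES" || echo "$? finding(s) in the slide rule set"
lint_iptables "$FIXED" && echo "fixed rule set: no findings"
```

Load the corrected file with "iptables-restore < file" so the whole set is applied atomically, then "service iptables save"; a policy of DROP set on its own over SSH is what locks you out.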
 19. OS Hardening
     • ASLR
     • Exec Shield
     • sshd configuration
     • AIDE
     • SELinux
     • GRSecurity kernel patches

     Like the death of a celebrity from a drug overdose, publicized data loss incidents remind us that we should probably do something about taking better care of our data. But we usually don't, because we quickly remind ourselves that backups are boring as h***, and that it's shark week on Discovery. — Nik Cubrilovic
 20. ASLR / Exec Shield

     Address Space Layout Randomization:
       kernel.randomize_va_space = 1
     Exec Shield:
       kernel.exec-shield = 1

     Both can be enabled by adding the lines to /etc/sysctl.conf and running sysctl -p, or by rebooting. Value 1 randomizes the stack, mmap and VDSO placement; 2 (the default on RHEL/CentOS 6 kernels) additionally randomizes the heap (brk) base and is the value to use. kernel.exec-shield exists only in the RHEL/CentOS 5 and 6 kernels; on later kernels the sysctl is absent (NX is handled by the stock kernel) and sysctl -p reports the key as unknown.

     A good programmer is someone who always looks both ways before crossing a one-way street. — Doug Linder
 21. SSHD Config

     /etc/ssh/sshd_config
       Protocol 2
       SyslogFacility AUTH
       LoginGraceTime 1m
       PermitRootLogin no
       MaxAuthTries 3
       MaxSessions 5
       MaxStartups 3
       IgnoreRhosts yes
       PasswordAuthentication yes
       ChallengeResponseAuthentication no
       GSSAPIAuthentication yes
       GSSAPICleanupCredentials yes
       UsePAM yes
       X11Forwarding no

     PasswordAuthentication yes keeps password logins, which MaxAuthTries and the iptables source restriction are there to contain; once every administrator has a key deployed, set it to no. sshd uses the first value it finds for each keyword, so put these lines above any existing setting and above any Match block, or remove the old lines. Check the file with "sshd -t", then keep the current session open while a second connection confirms the new configuration works.

     The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We cause accidents. — Nathaniel Borenstein
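Slides 20 and 21 both amount to "make sure this key has this value", and both file formats have a precedence rule that a grep does not show: sshd honours the first occurrence of a keyword (and anything under a Match block is conditional), while sysctl applies the last one. The following bash is an added example, not code from the talk: an audit function that reads either format with the right precedence and reports missing or mismatched settings. The sample files are constructed, including the stale PasswordAuthentication line left above the new one.

```bash
#!/bin/bash
# Added example, not from the slides: verify sshd_config / sysctl.conf values with the
# precedence each program actually applies (sshd: first wins; sysctl: last wins).

# audit_config FILE first|last KEY=WANT ... : print MISSING/MISMATCH lines;
# return value = number of findings. Keys are compared case-insensitively.
audit_config() {
  local file=$1 mode=$2 spec key want got findings=0
  shift 2
  for spec in "$@"; do
    key=${spec%%=*}; want=${spec#*=}
    got=$(KEY="$key" MODE="$mode" awk '
      BEGIN { k = tolower(ENVIRON["KEY"]); first = (ENVIRON["MODE"] == "first") }
      /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
      first && /^[ \t]*[Mm]atch[ \t]/ { exit }   # sshd: global settings end at the first Match block
      {
        line = $0
        sub(/#.*/, "", line); sub(/^[ \t]+/, "", line)
        n = split(line, f, /[ \t=]+/)            # "Key value" (sshd) or "key = value" (sysctl)
        if (n >= 2 && tolower(f[1]) == k) {
          if (first && seen) next                # sshd keeps the first value it saw
          val = f[2]; seen = 1                   # sysctl keeps overwriting: last wins
        }
      }
      END { print val }' "$file")
    if [ -z "$got" ]; then
      echo "MISSING  $key (want $want; the built-in default applies)"
      findings=$((findings + 1))
    elif [ "$got" != "$want" ]; then
      echo "MISMATCH $key is $got (want $want)"
      findings=$((findings + 1))
    fi
  done
  return $findings
}

# --- constructed samples, not files from the talk ---
SSHD=$(mktemp)
cat > "$SSHD" <<'EOF'
# the slide's settings, except that a stale PasswordAuthentication line was left above the new one
Protocol 2
PermitRootLogin no
MaxAuthTries 3
PasswordAuthentication yes
PasswordAuthentication no
X11Forwarding no
Match User backup
    PasswordAuthentication yes
EOF
SYSCTL=$(mktemp)
cat > "$SYSCTL" <<'EOF'
kernel.randomize_va_space = 1   # stock line
kernel.exec-shield = 1
kernel.randomize_va_space = 2   # appended later; this one wins
EOF

SSHD_WANT="Protocol=2 PermitRootLogin=no MaxAuthTries=3 PasswordAuthentication=no IgnoreRhosts=yes X11Forwarding=no"
audit_config "$SSHD" first $SSHD_WANT || echo "sshd_config: $? finding(s) to fix"
audit_config "$SYSCTL" last kernel.randomize_va_space=2 kernel.exec-shield=1 && echo "sysctl.conf: ok"
```

On the sample sshd_config the audit reports PasswordAuthentication as "yes", because that is what sshd will use despite the later "no", and IgnoreRhosts as missing; the sysctl sample passes only in "last" mode. The audit reads files, not the running state: after editing, confirm with "sshd -T" (effective sshd settings) and "sysctl kernel.randomize_va_space".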
 22. AIDE Installation and Configuration

       yum install aide
       curl e.conf.{selinux,non-se} -o /etc/aide.conf
       aide --init
       cp /var/lib/aide/ /var/lib/aide/aide.db.gz
       aide --check

     System updates, Nagios updates, config changes, etc. will cause AIDE warnings; after each intended change re-run aide --init and copy the new database into place. Keep a copy of the database and of aide.conf off the host, otherwise an attacker who gains root can simply regenerate them.

     Output of a clean check:
       AIDE, version 0.14
       ### All files match AIDE database. Looks okay!

     The best way to get management excited about a disaster plan is to burn down the building across the street. — Dan Erwin, Security Officer, Dow Chemical Co
 23. SELinux
     • Initially created, and still largely maintained, by the NSA
     • Enforces Mandatory Access Control (MAC)
     • Application and user domain restrictions
     • Execution restrictions
     • Port use restrictions
     • Additional file permissions
     • But not quite ready for Nagios XI: run it in permissive mode and review the AVC denials rather than disabling it outright

     In theory, one can build provably secure systems. In theory, theory can be applied to practice but in practice, it can't. — M. Dacier, Eurecom Institute
 24. GRSecurity / PaX
     • Kernel-based security patches
     • True ASLR and stack protections
     • Role-Based Access Control (RBAC)
     • Chroot hardening
     • Modifying the kernel voids RHEL support

     You can't hold firewalls and intrusion detection systems accountable. You can only hold people accountable. — Daryl White, DOI CIO
 25. Questions? - Thank You!

     History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did. — Bruce Schneier