Securing Your Nagios Server

Spenser Reinhardt

SReinhardt@nagios.com

Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare. Information poses more of a problem. It can exist in more than one place; be transported halfway across the planet in seconds; and be stolen without your knowledge. Bruce Schneier

Who am I?

Nagios employee (2012)

Active Def Con member and speaker

OWASP Member

CTF Creator

Better be despised for too anxious apprehensions, than ruined by too confident security. Edmund Burke

Why Should You Care?

Yearly number of attacks are only increasing

Sophistication of attacks are ever increasing

Whether you like it or not, chances are you will be a target

Nagios servers, hold many privileged keys.

Privacy is not for the passive. Jeffrey Rosen

Overview

Apache Modifications

Database Alterations

Iptables Rules

OS Lockdown

Better be despised for too anxious apprehensions, than ruined by too confident security. Edmund Burke

Why you should consider this?

Vital network information

Notifies administrators and teams of issues

Relatively low difficulty

The Defenders Dilemma

An attacker need only find one way onto the network, a defender must close all holes.

Apache Modifications Overview

Remove Apache and PHP version-ing

Virtual host restrictions

Forced SSL redirection

Stronger SSL certificates and algorithms

Mod_Security

Security through obscurity, is only secure until it is discovered

Removing Version Information

Apache: /etc/httpd/conf/httpd.confServerTokens ProductOnlyServerSignature Off

PHP: /etc/php.iniexpose_php Off

HTTP/1.1 302 FoundDate: Sat, 21 Sep 2013 15:51:01 GMTServer: ApacheLocation: https:///Connection: closeContent-Type: text/html; charset=iso-8859-1

Security breaches usually entail more recovery efforts than acts of God. Unlike proverbial lightning, breaches of security can be counted on to strike twice unless the route of compromise has been shut off. FedCIRC

Restricting Apache Virtual Hosts

/etc/http/conf.d/nagiosxi.conf (default) Order allow,deny Allow from all# Order deny,allow# Deny from all# Allow from 127.0.0.1

/etc/http/conf.d/nagiosxi.conf (restricted)# Order allow,deny# Allow from all Order deny,allow Deny from all Allow from 127.0.0.1 192.168.168.0/24 10.1.2.0/255.255.255.0 nagios.com

Order rules are opposite IP tables, last evaluated rule that matches connections applies

Security is always excessive until it's not enough. Robbie Sinclair, Head of Security, Country Energy, NSW Australia

Force SSL Redirection

/etc/httpd/conf.d/https.confRewriteEngine OnRewriteCond %{HTTPS} offRewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Forces all pages loaded with http, to redirect to https.

Pages can be requested insecurely still, but will be redirected immidiately

There are risks and costs to a program of action--but they are far less than the long range cost of comfortable inaction. John F. Kennedy

Increasing SSL Security

As openssl requires a password for aes256, we will need to generate a new key, give it a password, and then remove the password before we generate anything else:

cd /etc/pki/tls/privateopenssl genrsa -aes256 -out ca.key.pass 2048ORopenssl genrsa -aes256 -out ca.key.pass 4096

Type in the password you used above when asked as the following command will strip the password:

openssl rsa -in ca.key.pass -out ca.keyopenssl req -new -key ca.key -out ca.csropenssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crtcp ca.crt ../certs/

One person's "paranoia" is another person's "engineering redundancy." Marcus J. Ranum

Increasing SSL Security (2)

Modify the files in /etc/httpd/conf.d to add the following lines directly after the line.

SSLEngine on SSLProtocol all -SSLv2 SSLCipherSuite DHE-RSA-AES256-SHA:ALL:!ADH:!EXPORT:!SSLv2:!RC2:!CAMELLIA256:!3DES:!DES-CBC3-SHA:!RC4:+HIGH:!MEDIUM:!LOW SSLCertificateFile /etc/pki/tls/certs/ca.crt SSLCertificateKeyFile /etc/pki/tls/private/ca.key AllowOverride All

Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts across the electrified borders. Ronald Reagan

Mod_Security

Install Mod_Security Packagesyum install mod_security_crs-extras mod_security mod_security_crs

Download and copy my exclusions rule list

cd /tmpwget http://assets.nagios.com/downloads/nagiosxi/misc/mod_security_excluded_rules.confcp /tmp/mod_security_excluded_rules.conf /etc/httpd/conf.d/

Troubleshootingtail -f /var/log/httpd/error_log | grep -o "/etc/httpd/modsecurity.d/activated_rules/.\{0,75\}/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"]SecRuleRemoveById [ID Number]

The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We cause accidents. Nathaniel Borenstein

Database Alterations Root User

Root MYSQL Passwordmysqladmin -u root -pnagiosxi password NewPassword

/root/scripts/automysqlbackup PASSWORD=NewPassword/usr/local/nagiosxi/scripts/backup_xi.sh mysqlpass="NewPassword"/usr/local/nagiosxi/scripts/restore_xi.sh mysqlpass="NewPassword"/usr/local/nagiosxi/var/xi-sys.cfg mysqlpass='NewPassword'

Phishing is a major problem because there really is no patch for human stupidity Mike Danseglio

Database Alteration Changing Passwords

Changing a MySQL password, non-root users

mysqladmin -u root -p use mysql; set password for 'ndoutils'@localhost = password('NewPassword'); flush privileges; quit;

When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else. David Brin

Database Alterations NagiosQL User

/usr/local/nagiosxi/html/config.inc.php: "pwd" => 'n@gweb', "password" => 'n@gweb',

/usr/local/nagiosxi/html/config.inc.dist: "pwd" => 'n@gweb', "password" => 'n@gweb',

/usr/local/nagiosxi/html/config.inc.saved: "pwd" => 'n@gweb', "password" => 'n@gweb',

/usr/local/nagiosxi/etc/components/ccm_config.inc.php: "password" => "n@gweb",

/usr/local/nagiosxi/html/includes/components/ccm/config.inc.php: 'password' => 'n@gweb',

/usr/local/nagiosxi/html/includes/components/ccm/ccm.inc.php: $password = grab_array_var($cfg['db_info' ['nagiosql'],'pwd','n@gweb');

Men are only as good as their technical development allows them to be. George Orwell

Database Alterations Ndoutils User

/usr/local/nagios/etc/ndo2db.cfg db_pass=n@gweb

/usr/local/nagiosxi/html/config.inc.php: "pwd" => 'n@gweb',

/usr/local/nagiosxi/html/config.inc.dist: "pwd" => 'n@gweb',

/usr/local/nagiosxi/html/config.inc.saved: "pwd" => 'n@gweb',

/usr/local/nagvis/etc/nagvis.ini.php dbpass="n@gweb"

Be careful and you will save many men from the sin of robbing you. Ed Howe

Database Alterations - Postgres

psql -U nagiosxi

ALTER USER nagiosxi WITH PASSWORD 'NewPassword';

/usr/local/nagiosxi/var/xi-sys.cfgpgsqlpass='nagiosxi'/usr/local/nagiosxi/scripts/backup_xi.shpg_dump -c -U nagiosxi nagiosxi > $mydir/pgsql/nagiosxi.sql/usr/local/nagiosxi/scripts/restore_xi.shpsql -U nagiosxi nagiosxi < pgsql/nagiosxi.sql/usr/local/nagiosxi/html/config.inc.php: "pwd" => 'n@gweb', /usr/local/nagiosxi/html/config.inc.dist: "pwd" => 'n@gweb',/usr/local/nagiosxi/html/config.inc.saved: "pwd" => 'n@gweb',

One of the tests of leadership is the ability to recognize a problem before it becomes an emergency. Arnold Glascow

Locking Down IPtables

iptables -Fiptables -Xiptables -P INPUT DROPiptables -P OUTPUT DROPiptables -P FORWARD DROPiptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 22 -s 192.168.1.25 -j ACCEPTiptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 80 -s 192.168.1.25 -j ACCEPTiptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 443 -s 192.168.1.45 -j ACCEPTiptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 5667 -s 192.168.1.200 -j ACCEPTiptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 162 -s 192.168.1.0/24. -j ACCEPTIptables -A INPUT -m state --state NEW -p udp --dport 53 -s 192.168.1.200 -j ACCEPTIptables -A INPUT -m state --state ESTABLISHED -p tcp -s 192.168.1.0/24 -j ACCEPTiptables -A OUTPUT -s 192.168.1.0/24 -j ACCEPT

Service iptables save

It's not good enough to have a system where everyone (using the system) must be trusted, it must also be made robust against insiders! Robert Morris

OS Hardening

ASLR \ Exec Shield

sshd configuration

aide

SeLinux

GRSecurity Kernel Patches

Like the death of a celebrity from a drug overdose, publicized data loss incidents remind us that we should probably do something about taking better care of our data. But we usually don't, because we quickly remind ourselves that backups are boring as h***, and that it's shark week on Discovery. Nik Cubrilovic

ASLR \ Exec Shield

Address Space Layout Randomizationkernel.randomize_va_space = 1

Exec Shieldkernel.exec-shield = 1

Both can be enabled by modifying /ect/sysctl.conf and running sysctl -p or rebooting the system.

A good programmer is someone who always looks both ways before crossing a one-way street. Doug Linder

SSHD Config

/etc/ssh/sshd_conf

Protocol 2SyslogFacility AUTHLoginGraceTime 1mPermitRootLogin noMaxAuthTries 3MaxSessions 5MaxStartups 3IgnoreRhosts yesPasswordAuthentication yesChallengeResponseAuthentication noGSSAPIAuthentication yesGSSAPICleanupCredentials yesUsePAM yesX11Forwarding no

The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We cause accidents. Nathaniel Borenstein

Aide installation and configuration

yum install aide

curl http:\\assets.nagios.com/downloads/nagiosxi/xi_security/aide.conf.{selinux,non-se} -o /etc/aide.conf

aide --init

cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

aide check

System updates, nagios updates, config changes, etc will cause aide warnings.

AIDE, version 0.14

### All files match AIDE database. Looks okay!

The best way to get management excited about a disaster plan is to burn down the building across the street. Dan Erwin, Security Officer, Dow Chemical Co

SELinux

Initially created and still greatly maintained by NSA

Enforces Mandatory Access Control (MAC)

Application and User Domain RestrictionsExecution restrictions

Port use restrictions

Additional file permissions

But not quite ready for Nagios XI

In theory, one can build provably secure systems. In theory, theory can be applied to practice but in practice, it can't. M. Dacier, Eurecom Institute

GRSecurity\PaX

Kernel based security patches

True ASLR and Stack protections

Role-based Access Control (RBAC)

Chroot advantages

Breaks RHEL Warranty by kernel modification

You can't hold firewalls and intrusion detection systems accountable. You can only hold people accountable. Daryl White, DOI CIO

Questions? - Thank You!

History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did. Bruce Schneier

Click to edit the outline text format

Second Outline Level

Third Outline Level

Fourth Outline Level

Fifth Outline Level

Sixth Outline Level

Seventh Outline Level

Eighth Outline Level

Ninth Outline Level

Click to edit the title text format

Click to edit the title text format

Click to edit the outline text formatSecond Outline LevelThird Outline LevelFourth Outline LevelFifth Outline LevelSixth Outline LevelSeventh Outline LevelEighth Outline LevelNinth Outline Level