Spenser Reinhardt's presentation on Securing Your Nagios Server. The presentation was given during the Nagios World Conference North America held Sept 20-Oct 2nd, 2013 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/nwcna

1. Securing Your Nagios Server
Spenser Reinhardt
SReinhardt@nagios.com
Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare.
Information poses more of a problem. It can exist in more than one place; be
transported halfway across the planet in seconds; and be stolen without your
knowledge. — Bruce Schneier

2. 2
Who am I?
Nagios employee (2012)
Active Def Con member and speaker
OWASP Member
CTF Creator
Better be despised for too anxious apprehensions, than ruined by too confident security. — Edmund
Burke

3. 3
Why Should You Care?
Yearly number of attacks are only increasing
Sophistication of attacks are ever increasing
Whether you like it or not, chances are you will be a
target
Nagios servers, hold many privileged keys.
Privacy is not for the passive. — Jeffrey Rosen

4. 4
Overview
Apache Modifications
Database Alterations
Iptables Rules
OS Lockdown
Better be despised for too anxious apprehensions, than ruined by too confident security. — Edmund
Burke

5. 5
Why you should consider this?
Vital network information
Notifies administrators and teams of issues
Relatively low difficulty
The Defenders Dilemma
“An attacker need only find one way onto the network, a defender must close all holes.”

6. 6
Apache Modifications Overview
Remove Apache and PHP version-ing
Virtual host restrictions
Forced SSL redirection
Stronger SSL certificates and algorithms
Mod_Security
“Security through obscurity, is only secure until it is discovered”

7. 7
Removing Version Information
Apache: /etc/httpd/conf/httpd.conf
ServerTokens ProductOnly
ServerSignature Off
PHP: /etc/php.ini
expose_php Off
HTTP/1.1 302 Found
Date: Sat, 21 Sep 2013 15:51:01 GMT
Server: Apache
Location: https:///
Connection: close
Content-Type: text/html; charset=iso-8859-1
Security breaches usually entail more recovery efforts than acts of God. Unlike proverbial
lightning, breaches of security can be counted on to strike twice unless the route of compromise
has been shut off. — FedCIRC

8. 8
Restricting Apache Virtual Hosts
/etc/http/conf.d/nagiosxi.conf (default)
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
/etc/http/conf.d/nagiosxi.conf (restricted)
# Order allow,deny
# Allow from all
Order deny,allow
Deny from all
Allow from 127.0.0.1 192.168.168.0/24 10.1.2.0/255.255.255.0 nagios.com
Order rules are opposite IP tables, last evaluated rule
that matches connections applies
Security is always excessive until it's not enough. — Robbie Sinclair, Head of Security, Country
Energy, NSW Australia

9. 9
Force SSL Redirection
/etc/httpd/conf.d/https.conf
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Forces all pages loaded with http, to redirect to
https.
Pages can be requested insecurely still, but will be
redirected immidiately
There are risks and costs to a program of action--but they are far less than the long range cost of
comfortable inaction. — John F. Kennedy

10. 10
Increasing SSL Security
As openssl requires a password for aes256, we will need to
generate a new key, give it a password, and then remove the
password before we generate anything else:
cd /etc/pki/tls/private
openssl genrsa -aes256 -out ca.key.pass 2048
OR
openssl genrsa -aes256 -out ca.key.pass 4096
Type in the password you used above when asked as the
following command will strip the password:
openssl rsa -in ca.key.pass -out ca.key
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
cp ca.crt ../certs/
One person's "paranoia" is another person's "engineering redundancy." — Marcus J. Ranum

11. 11
Increasing SSL Security (2)
Modify the files in /etc/httpd/conf.d to add the following
lines directly after the </directory> line.
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite DHE-RSA-AES256-SHA:ALL:!ADH:!EXPORT:!SSLv2:!RC2:!
CAMELLIA256:!3DES:!DES-CBC3-SHA:!RC4:+HIGH:!MEDIUM:!LOW
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
<Directory "/usr/local/nagiosxi/html">
AllowOverride All
</Directory>
</VirtualHost>
Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts
across the electrified borders. — Ronald Reagan

12. 12
Mod_Security
Install Mod_Security Packages
yum install mod_security_crs-extras mod_security mod_security_crs
Download and copy my exclusions rule list
cd /tmp
wget http://assets.nagios.com/downloads/nagiosxi/misc/mod_security_excluded_rules.conf
cp /tmp/mod_security_excluded_rules.conf /etc/httpd/conf.d/
Troubleshooting
tail -f /var/log/httpd/error_log | grep -o "/etc/httpd/modsecurity.d/activated_rules/.{0,75}”
/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id
"950901"]
SecRuleRemoveById [ID Number]
The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we
come in; we're computer professionals. We cause accidents. — Nathaniel Borenstein

13. 13
Database Alterations – Root User
Root MYSQL Password
mysqladmin -u root -pnagiosxi password NewPassword
/root/scripts/automysqlbackup
PASSWORD=NewPassword
/usr/local/nagiosxi/scripts/backup_xi.sh
mysqlpass="NewPassword"
/usr/local/nagiosxi/scripts/restore_xi.sh
mysqlpass="NewPassword"
/usr/local/nagiosxi/var/xi-sys.cfg
mysqlpass='NewPassword'
Phishing is a major problem because there really is no patch for human stupidity — Mike
Danseglio

14. 14
Database Alteration – Changing Passwords
Changing a MySQL password, non-root users
mysqladmin -u root -p
use mysql;
set password for 'ndoutils'@localhost =
password('NewPassword');
flush privileges;
quit;
When it comes to privacy and accountability, people always demand the former for themselves and
the latter for everyone else. — David Brin

15. 15
Database Alterations – NagiosQL User
/usr/local/nagiosxi/html/config.inc.php:
"pwd" => 'n@gweb',
"password" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.dist:
"pwd" => 'n@gweb',
"password" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.saved:
"pwd" => 'n@gweb',
"password" => 'n@gweb',
/usr/local/nagiosxi/etc/components/ccm_config.inc.php:
"password" => "n@gweb",
/usr/local/nagiosxi/html/includes/components/ccm/config.inc.php:
'password' => 'n@gweb',
/usr/local/nagiosxi/html/includes/components/ccm/ccm.inc.php:
$password = grab_array_var($cfg['db_info'
['nagiosql'],'pwd','n@gweb');
Men are only as good as their technical development allows them to be. — George Orwell

16. 16
Database Alterations – Ndoutils User
/usr/local/nagios/etc/ndo2db.cfg
db_pass=n@gweb
/usr/local/nagiosxi/html/config.inc.php:
"pwd" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.dist:
"pwd" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.saved:
"pwd" => 'n@gweb',
/usr/local/nagvis/etc/nagvis.ini.php
dbpass="n@gweb"
Be careful and you will save many men from the sin of robbing you. — Ed Howe

17. 17
Database Alterations - Postgres
psql -U nagiosxi
ALTER USER nagiosxi WITH PASSWORD
'NewPassword';
/usr/local/nagiosxi/var/xi-sys.cfg
pgsqlpass='nagiosxi'
/usr/local/nagiosxi/scripts/backup_xi.sh
pg_dump -c -U nagiosxi nagiosxi >
$mydir/pgsql/nagiosxi.sql
/usr/local/nagiosxi/scripts/restore_xi.sh
psql -U nagiosxi nagiosxi < pgsql/nagiosxi.sql
/usr/local/nagiosxi/html/config.inc.php:
"pwd" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.dist:
"pwd" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.saved:
"pwd" => 'n@gweb',
One of the tests of leadership is the ability to recognize a problem
before it becomes an emergency. — Arnold Glascow

18. 18
Locking Down IPtables
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 22 -s 192.168.1.25 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 80 -s 192.168.1.25 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 443 -s 192.168.1.45 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 5667 -s 192.168.1.200 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 162 -s 192.168.1.0/24. -j ACCEPT
Iptables -A INPUT -m state --state NEW -p udp --dport 53 -s 192.168.1.200 -j ACCEPT
Iptables -A INPUT -m state --state ESTABLISHED -p tcp -s 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -j ACCEPT
Service iptables save
It's not good enough to have a system where everyone (using the system) must be trusted, it must also
be made robust against insiders! — Robert Morris

19. 19
OS Hardening
ASLR Exec Shield
sshd configuration
aide
SeLinux
GRSecurity Kernel Patches
Like the death of a celebrity from a drug overdose, publicized data loss incidents remind us that we
should probably do something about taking better care of our data. But we usually don't, because we
quickly remind ourselves that backups are boring as h***, and that it's shark week on Discovery.
— Nik Cubrilovic

20. 20
ASLR Exec Shield
Address Space Layout Randomization
kernel.randomize_va_space = 1
Exec Shield
kernel.exec-shield = 1
Both can be enabled by modifying
/ect/sysctl.conf and running sysctl -p or
rebooting the system.
A good programmer is someone who always looks both ways before crossing a one-way street. —
Doug Linder

21. 21
SSHD Config
/etc/ssh/sshd_conf
Protocol 2
SyslogFacility AUTH
LoginGraceTime 1m
PermitRootLogin no
MaxAuthTries 3
MaxSessions 5
MaxStartups 3
IgnoreRhosts yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding no
The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we
come in; we're computer professionals. We cause accidents. — Nathaniel Borenstein

22. 22
Aide installation and configuration
yum install aide
curl
http:assets.nagios.com/downloads/nagiosxi/xi_security/aid
e.conf.{selinux,non-se} -o /etc/aide.conf
aide --init
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
aide –check
System updates, nagios updates, config changes, etc will
cause aide warnings.
AIDE, version 0.14
### All files match AIDE database. Looks okay!
The best way to get management excited about a disaster plan is to burn down the building across the
street. — Dan Erwin, Security Officer, Dow Chemical Co

23. 23
SELinux
Initially created and still greatly maintained by NSA
Enforces Mandatory Access Control (MAC)
Application and User Domain Restrictions
Execution restrictions
Port use restrictions
Additional file permissions
But not quite ready for Nagios XI
In theory, one can build provably secure systems. In theory, theory can be applied to practice but in
practice, it can't. — M. Dacier, Eurecom Institute

24. 24
GRSecurityPaX
Kernel based security patches
True ASLR and Stack protections
Role-based Access Control (RBAC)
Chroot advantages
Breaks RHEL Warranty by kernel modification
You can't hold firewalls and intrusion detection systems accountable. You can only hold people
accountable. — Daryl White, DOI CIO

25. 25
Questions? - Thank You!
History has taught us: never underestimate the amount of money,
time, and effort someone will expend to thwart a security system. It's
always better to assume the worst. Assume your adversaries are better
than they are. Assume science and technology will soon be able to do
things they cannot yet. Give yourself a margin for error. Give
yourself more security than you need today. When the unexpected
happens, you'll be glad you did. — Bruce Schneier