See Also: Security Considerations, Configuration Overview
This is intended to be an introduction for implementation of stronger authentication and server security focused around the CGI web interface.
There are many ways to enhance the security of your monitoring server and Naemon environment. This should not be taken as the end all approach to security. Instead, think of it as an introduction to some of the techniques you can use to tighten the security of your system. As always, you should do your research and use the best techniques available. Treat your monitoring server as it were the most important server in your network and you shall be rewarded.
Stronger Authentication using Digest Authentication. If you have followed the
quickstart guides, chances are that you are using Apache’s
Basic Authentication.
Basic Authentication will send your username and password in “clear text” with every
http request. Consider using a more secure method of authentication such as
Digest Authentication
which creates a MD5 Hash of your username and password to send with each request.
Forcing TLS/SSL for all Web Communication. Apache provides
TLS/SSL through
the mod_ssl module.
TLS/SSL provides a secure tunnel between the client and server that prevents eavesdropping
and tampering using strong publickey/privatekey cryptography.
Locking Down Apache Using Access Controls. Consider locking down access to the Naemon box to your IP address, IP address range, or IP subnet. If you require access outside your network you could use VPN or SSH Tunnels. This is a easy and strong to limit access to HTTP/HTTPS on your system.
The implementation of Digest Authentication is simple. You will have to create the new type of password file using the ‘htdigest’ tool, then modify the Apache configuration for naemon (typically /etc/httpd/conf.d/thruk.conf).
Create a new passwords file using the ‘htdigest’ tool. The difference that you will notice if you are familiar with ‘htpasswd’ tools is the requirement to supply a ‘realm’ argument. Where ‘realm’ in this case refers to the value of the ‘AuthName’ directive in the Apache configuration.
htdigest -c /etc/naemon/.digest_pw "Naemon Access" naemonadmin
Next, edit the Apache configuration file for Naemon (typically /etc/httpd/conf.d/thruk.conf) using the following example.
## BEGIN APACHE CONFIG SNIPPET - NAEMON.CONF
<Location /naemon/>
Options ExecCGI FollowSymLinks
AuthName "Naemon Monitoring"
AuthType Digest
AuthDigestFile /etc/naemon/.digest_pw
Require valid-user
</Location>
## END APACHE CONFIG SNIPPETS
Then, restart the Apache service so the new settings can take effect.
/etc/init.d/httpd restart
Make sure you’ve installed Apache and OpenSSL. By default you should have mod_ssl support if you are still having trouble you may find help reading Apache’s TLS/SSL Encryption Documentation.
Next, verify that TLS/SSL support is working by visiting your Naemon Web Interface using HTTPS (https://your.domain/naemon). If it is working you can continue on to the next steps that will force using HTTPS and block all HTTP requests for the Naemon Web Interface. If you are having trouble visit Apache’s TLS/SSL Encryption Documentation and Google for troubleshooting your specific Apache installation.
Next, edit the Apache configuration file for Naemon (typically /etc/httpd/conf.d/thruk.conf) by adding the ‘SSLRequireSSL’ directive to both the ‘sbin’ and ‘share’ directories.
## BEGIN APACHE CONFIG SNIPPET - NAEMON.CONF
<Location /naemon/>
...
SSLRequireSSL
...
</Location>
## END APACHE CONFIG SNIPPETS
Restart the Apache service so the new settings can take effect.
/etc/init.d/httpd restart
The following example will show how to lock down Naemon CGIs to a specific IP address, IP address range, or IP subnet using Apache’s access controls.
Edit the Apache configuration file for Naemon (typically /etc/httpd/conf.d/thruk.conf) by using the ‘Allow’, ‘Deny’, and ‘Order’ directives using the following as an example.
## BEGIN APACHE CONFIG SNIPPET - NAEMON.CONF
<Location /naemon/>
...
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.1 10.0.0.25 # Allow single IP addresses
Allow from 10.0.0.0/255.255.255.0 # Allow network/netmask pair
Allow from 10.0.0.0/24 # Allow network/nnn CIDR spec
...
</Location>
## END APACHE CONFIG SNIPPET