Welcome to part 3 of Nagios & Ubuntu 9.04! Today I will demonstrate, step by step, how to secure your Nagios web interface with SSL.
In part 2, I demonstrated the first step to securing Nagios and Apache: Digest Authentication. Out of the box, Nagios and Apache are not secure enough to put into production, because they transmit everything in clear text across the network. Part 2 showed the bare minimum: keeping the password itself off the wire, since with Digest Authentication the browser sends a hash of the credentials rather than the password each time you load a page in Nagios. The content of the pages, however, is still sent in clear text; only the credentials are protected.
That is where this guide comes in, for those of us who want all of the traffic encrypted, not just the login. This is achieved by crafting our own SSL certificate and requiring Nagios to use SSL at every turn.
Once again, I would like to reiterate that this makes Nagios and Apache much more secure, but I always recommend keeping up with the latest security news: SSL is not 100% secure, it just makes an attacker's job much harder. There is also a lot to consider when adding an SSL certificate. The scope of this guide is simply to show you how to generate your own self-signed certificate. That certificate is not intended for live production use, but it is fine for internal test servers.
If you do wish to obtain a CA-signed SSL certificate, there are many places to buy one. A quick search on Google shows Register.com, Thawte.com, Geotrust.com, Trustico.com, ssl247.com, clickssl.com and many more. I have never purchased one, so I cannot tell you which is better than another; you will have to do your own research if you go that route.
Luckily, SSL is quite easy to set up on Apache; it just takes a bit of know-how. This guide assumes you have gone through Part 1 and already have Nagios installed and running correctly. It does not require Digest Authentication to be configured. So let's begin!
- Check whether the SSL module is enabled for Apache.
- By default it usually is not, so enable it now. (mod_ssl ships with Ubuntu's apache2 package; a2enmod only activates it.)
- As the output says, restart Apache to load the new, as yet unconfigured, ssl module.
- Navigate to the Apache configuration directory.
- Create the server.key file.
- Enter any pass phrase you like, and be sure not to forget it: Apache will ask for it at every restart. (A key created without -des3 has no pass phrase, and then file permissions are the only thing protecting it.) Note that a 1024-bit RSA key was the norm when this was written but is no longer considered adequate; use 2048 bits today. Next we create the certificate request. Fill out the prompts to the best of your knowledge; they are straightforward. (The Common Name should be your fully qualified domain name if you have one: if the site to be secured is https://www.domain.com, enter www.domain.com. Without one, the browser will later complain that the name does not match, which is acceptable for a test server; you just add an exception in the browser.)
- After everything has been answered, create the self-signed certificate. When prompted, enter the pass phrase you used earlier.
- Install the certificate.
- Install the key. (/etc/ssl/private is not world-accessible on Ubuntu, but keep the copied server.key itself readable by root only as well.)
- Navigate to the sites-available folder.
- Open the default-ssl file so we can add the new key and certificate information.
- As you can see, this file is nearly complete; it just is not pointed at our files yet. SSLEngine should already be set to on. The SSLOptions line is already there and only needs to be uncommented. Of its three flags, +StrictRequire is the one that matters here: it makes SSLRequireSSL deny access unconditionally, even where a Satisfy directive would otherwise let a request through. +FakeBasicAuth and +ExportCertData only have an effect when client certificates are verified, which this setup does not do. The last two directives just need their paths changed to where we copied the files. Below is an example.
- The easiest way to find them is to search (Nano search is Ctrl+W). I could give you line numbers, but they change over time and are definitely not static. After making your changes, save and exit (Ctrl+O to save, Ctrl+X to exit). Now, with our changes made, we must enable the default-ssl site.
- Reload Apache to enable our changes.
- That completes the SSL configuration for Apache; now we need to tell the Nagios Apache configuration to require SSL. Navigate to the Apache conf.d directory.
- Open nagios3.conf.
- Add 'SSLRequireSSL' between <DirectoryMatch> and </DirectoryMatch>. Below is an example.
- Save and exit out of nano, then restart Apache.
- This time, as Apache restarts, it will ask you for the pass phrase of your SSL key. Enter it when prompted to finish the restart.
$ ls -lah /etc/apache2/mods-enabled/
Expected Output
drwxr-xr-x 2 root root 4.0K 2009-08-08 22:12 .
drwxr-xr-x 7 root root 4.0K 2009-08-08 22:12 ..
lrwxrwxrwx 1 root root 28 2009-08-08 22:12 alias.conf -> ../mods-available/alias.conf
lrwxrwxrwx 1 root root 28 2009-08-08 22:12 alias.load -> ../mods-available/alias.load
lrwxrwxrwx 1 root root 33 2009-08-08 22:12 auth_basic.load -> ../mods-available/auth_basic.load
lrwxrwxrwx 1 root root 33 2009-08-08 22:12 authn_file.load -> ../mods-available/authn_file.load
lrwxrwxrwx 1 root root 36 2009-08-08 22:12 authz_default.load -> ../mods-available/authz_default.load
lrwxrwxrwx 1 root root 38 2009-08-08 22:12 authz_groupfile.load -> ../mods-available/authz_groupfile.load
lrwxrwxrwx 1 root root 33 2009-08-08 22:12 authz_host.load -> ../mods-available/authz_host.load
lrwxrwxrwx 1 root root 33 2009-08-08 22:12 authz_user.load -> ../mods-available/authz_user.load
lrwxrwxrwx 1 root root 32 2009-08-08 22:12 autoindex.conf -> ../mods-available/autoindex.conf
lrwxrwxrwx 1 root root 32 2009-08-08 22:12 autoindex.load -> ../mods-available/autoindex.load
lrwxrwxrwx 1 root root 27 2009-08-08 22:12 cgid.conf -> ../mods-available/cgid.conf
lrwxrwxrwx 1 root root 27 2009-08-08 22:12 cgid.load -> ../mods-available/cgid.load
lrwxrwxrwx 1 root root 30 2009-08-08 22:12 deflate.conf -> ../mods-available/deflate.conf
lrwxrwxrwx 1 root root 30 2009-08-08 22:12 deflate.load -> ../mods-available/deflate.load
lrwxrwxrwx 1 root root 26 2009-08-08 22:12 dir.conf -> ../mods-available/dir.conf
lrwxrwxrwx 1 root root 26 2009-08-08 22:12 dir.load -> ../mods-available/dir.load
lrwxrwxrwx 1 root root 26 2009-08-08 22:12 env.load -> ../mods-available/env.load
lrwxrwxrwx 1 root root 27 2009-08-08 22:12 mime.conf -> ../mods-available/mime.conf
lrwxrwxrwx 1 root root 27 2009-08-08 22:12 mime.load -> ../mods-available/mime.load
lrwxrwxrwx 1 root root 34 2009-08-08 22:12 negotiation.conf -> ../mods-available/negotiation.conf
lrwxrwxrwx 1 root root 34 2009-08-08 22:12 negotiation.load -> ../mods-available/negotiation.load
lrwxrwxrwx 1 root root 31 2009-08-08 22:12 setenvif.conf -> ../mods-available/setenvif.conf
lrwxrwxrwx 1 root root 31 2009-08-08 22:12 setenvif.load -> ../mods-available/setenvif.load
lrwxrwxrwx 1 root root 29 2009-08-08 22:12 status.conf -> ../mods-available/status.conf
lrwxrwxrwx 1 root root 29 2009-08-08 22:12 status.load -> ../mods-available/status.load
(Note that there is no ssl.load or ssl.conf in the listing: the module is not enabled.)
$ sudo a2enmod ssl
Expected Output
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
$ sudo /etc/init.d/apache2 restart
 * Restarting web server apache2                                    [ OK ]
$ cd /etc/apache2/
$ sudo openssl genrsa -des3 -out server.key 1024
Expected Output
Generating RSA private key, 1024 bit long modulus
..........++++++
.............++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
$ sudo openssl req -new -key server.key -out server.csr
Expected Output
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
$ sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Expected Output
Signature ok
subject=/C=/ST=/L=LA/O=/emailAddress=
Getting Private key
Enter pass phrase for server.key:
$ sudo cp server.crt /etc/ssl/certs/
$ sudo cp server.key /etc/ssl/private/
$ cd /etc/apache2/sites-available
$ sudo nano default-ssl
SSLEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
$ sudo a2ensite default-ssl
Expected Output
Enabling site default-ssl.
Run '/etc/init.d/apache2 reload' to activate new configuration!
$ sudo /etc/init.d/apache2 reload
$ cd /etc/apache2/conf.d/
$ sudo nano nagios3.conf
<DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3)>
	Options FollowSymLinks
	DirectoryIndex index.html
	AllowOverride AuthConfig
	Order Allow,Deny
	Allow From All
	SSLRequireSSL
	AuthName "Nagios Access"
	AuthType Basic
	AuthUserFile /etc/nagios3/htpasswd.users
	# nagios 1.x:
	#AuthUserFile /etc/nagios/htpasswd.users
	require valid-user
</DirectoryMatch>
$ sudo /etc/init.d/apache2 restart
 * Restarting web server apache2
Apache/2.2.11 mod_ssl/2.2.11 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server 127.0.1.1:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
                                                                    [ OK ]
That does it! Let's test it. Point your browser to "http://YOURSERVERIP/nagios3/". You should receive a Forbidden message from Apache, because we did not use https in the address; that is SSLRequireSSL doing its job. Now point your browser to "https://YOURSERVERIP/nagios3/". The browser will warn that the certificate is not trusted (it is self-signed) and, because we used the IP address rather than the Common Name, that the server's name does not match. That is expected for a home-made certificate on a private server; add an exception in the browser.
After adding the exception, it should prompt you for your login and password. Enter your credentials and you're in!
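As an added example (not code from the original post, nor from the Nagios or Ubuntu packages), here is a scripted version of the key and certificate steps above that also performs the checks I would want before copying the files into /etc/ssl: that the key actually belongs to the certificate, that the certificate names the host in a subjectAltName (current browsers ignore the Common Name on its own), that it is not expired, and that the key file is not world-readable. The host name nagios.example.internal, the scratch directory, and the 2048-bit key without a pass phrase are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: host name
# nagios.example.internal, a scratch directory instead of /etc/ssl, and an
# unencrypted key so Apache can restart unattended (file permissions must
# then protect the key instead of a pass phrase).

# Generate a 2048-bit RSA key and a self-signed certificate whose
# subjectAltName carries the host name.  Args: out_dir common_name days
make_selfsigned_cert() {
    dir=$1; cn=$2; days=$3
    cfg="$dir/openssl.cnf"
    # Minimal OpenSSL config: non-interactive DN plus server-cert extensions.
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $cn
[ v3 ]
subjectAltName = DNS:$cn
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # -nodes: no pass phrase on the key; -x509: self-sign instead of a CSR.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -config "$cfg" -extensions v3 \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    chmod 640 "$dir/server.key"   # owner rw, group r, nothing for others
    chmod 644 "$dir/server.crt"   # the certificate is public
}

# The key and certificate must share the same RSA modulus; a mismatch is the
# classic "SSLCertificateKeyFile does not match" start-up failure.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True if the certificate lists DNS:<name> in its subjectAltName.
cert_has_san() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE "DNS:$2(,|[[:space:]]|$)"
}

# True if the certificate is valid right now (not yet expired).
cert_not_expired() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# True if the key file is readable only by its owner (and optionally group).
key_is_private() {
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-rw-r-----" ] || [ "$mode" = "-rw-------" ]
}

# Stand-alone demo: sh this-script.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_selfsigned_cert "$d" nagios.example.internal 365
    key_matches_cert "$d/server.key" "$d/server.crt" && echo "key matches certificate"
    cert_has_san "$d/server.crt" nagios.example.internal && echo "subjectAltName present"
    cert_not_expired "$d/server.crt" && echo "certificate currently valid"
    key_is_private "$d/server.key" && echo "key permissions ok"
    openssl x509 -noout -subject -dates -in "$d/server.crt"
    echo "now: sudo cp $d/server.crt /etc/ssl/certs/ && sudo cp $d/server.key /etc/ssl/private/"
fi
```

Save it and run it with the argument demo. Leaving out the pass phrase is the same trade-off a commenter below recommends: Apache restarts unattended, so the copied key must be owned by root and not world-readable, which the final check verifies. The modulus comparison is worth keeping even when you generate the files by hand, because a stale server.csr or a re-generated key silently breaks the pairing and Apache only tells you at start-up.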
8 Comments
Perfect, thanks !
Brilliant! Thanks for that nice HowTo
Best thing to do is to build the openssl key without passphrase if you want it to last a restart.
Andy