Securing Your Nagios Server
Spenser Reinhardt
SReinhardt@nagios.com
Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare.
Information poses more of a problem. It can exist in more than one place; be
transported halfway across the planet in seconds; and be stolen without your
knowledge. — Bruce Schneier
Who am I?
Nagios employee (2012)
Active Def Con member and speaker
OWASP Member
CTF Creator
Better be despised for too anxious apprehensions, than ruined by too confident security. — Edmund Burke
Why Should You Care?
The yearly number of attacks is only increasing
The sophistication of attacks is ever increasing
Whether you like it or not, chances are you will be a target
Nagios servers hold many privileged keys
Privacy is not for the passive. — Jeffrey Rosen
Overview
Apache Modifications
Database Alterations
Iptables Rules
OS Lockdown
Better be despised for too anxious apprehensions, than ruined by too confident security. — Edmund Burke
Why should you consider this?
Vital network information
Notifies administrators and teams of issues
Relatively low difficulty
The Defender's Dilemma
“An attacker need only find one way onto the network, a defender must close all holes.”
Apache Modifications Overview
Remove Apache and PHP versioning
Virtual host restrictions
Forced SSL redirection
Stronger SSL certificates and algorithms
Mod_Security
“Security through obscurity is only secure until it is discovered”
Removing Version Information
Apache: /etc/httpd/conf/httpd.conf
ServerTokens ProductOnly
ServerSignature Off
PHP: /etc/php.ini
expose_php Off
HTTP/1.1 302 Found
Date: Sat, 21 Sep 2013 15:51:01 GMT
Server: Apache
Location: https:///
Connection: close
Content-Type: text/html; charset=iso-8859-1
Security breaches usually entail more recovery efforts than acts of God. Unlike proverbial
lightning, breaches of security can be counted on to strike twice unless the route of compromise
has been shut off. — FedCIRC
Restricting Apache Virtual Hosts
/etc/httpd/conf.d/nagiosxi.conf (default)
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
/etc/httpd/conf.d/nagiosxi.conf (restricted)
# Order allow,deny
# Allow from all
Order deny,allow
Deny from all
Allow from 127.0.0.1 192.168.168.0/24 10.1.2.0/255.255.255.0 nagios.com
The Order directive works the opposite way from iptables: the directive group named last in Order is evaluated last, and the last evaluated rule that matches the connection applies (here the Allow list overrides Deny from all).
Security is always excessive until it's not enough. — Robbie Sinclair, Head of Security, Country
Energy, NSW Australia
Force SSL Redirection
/etc/httpd/conf.d/https.conf
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Forces every page requested over http to redirect to https.
Pages can still be requested insecurely, but are redirected immediately.
There are risks and costs to a program of action--but they are far less than the long range cost of
comfortable inaction. — John F. Kennedy
Increasing SSL Security
As openssl requires a password for aes256, we will need to
generate a new key, give it a password, and then remove the
password before we generate anything else:
cd /etc/pki/tls/private
openssl genrsa -aes256 -out ca.key.pass 2048
OR
openssl genrsa -aes256 -out ca.key.pass 4096
Type in the password you used above when asked as the
following command will strip the password:
openssl rsa -in ca.key.pass -out ca.key
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
cp ca.crt ../certs/
One person's "paranoia" is another person's "engineering redundancy." — Marcus J. Ranum
Increasing SSL Security (2)
Modify the files in /etc/httpd/conf.d to add the following lines directly after the </Directory> line.
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite DHE-RSA-AES256-SHA:ALL:!ADH:!EXPORT:!SSLv2:!RC2:!CAMELLIA256:!3DES:!DES-CBC3-SHA:!RC4:+HIGH:!MEDIUM:!LOW
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
<Directory "/usr/local/nagiosxi/html">
AllowOverride All
</Directory>
</VirtualHost>
Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts
across the electrified borders. — Ronald Reagan
Mod_Security
Install Mod_Security Packages
yum install mod_security_crs-extras mod_security mod_security_crs
Download and copy my exclusions rule list
cd /tmp
wget http://assets.nagios.com/downloads/nagiosxi/misc/mod_security_excluded_rules.conf
cp /tmp/mod_security_excluded_rules.conf /etc/httpd/conf.d/
Troubleshooting
tail -f /var/log/httpd/error_log | grep -oE "/etc/httpd/modsecurity.d/activated_rules/.{0,75}"
/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"]
SecRuleRemoveById [ID Number]
The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we
come in; we're computer professionals. We cause accidents. — Nathaniel Borenstein
Database Alterations – Root User
Root MYSQL Password
mysqladmin -u root -pnagiosxi password NewPassword
/root/scripts/automysqlbackup
PASSWORD=NewPassword
/usr/local/nagiosxi/scripts/backup_xi.sh
mysqlpass="NewPassword"
/usr/local/nagiosxi/scripts/restore_xi.sh
mysqlpass="NewPassword"
/usr/local/nagiosxi/var/xi-sys.cfg
mysqlpass='NewPassword'
Phishing is a major problem because there really is no patch for human stupidity. — Mike Danseglio
Database Alteration – Changing Passwords
Changing a MySQL password, non-root users
mysql -u root -p
use mysql;
set password for 'ndoutils'@'localhost' = password('NewPassword');
flush privileges;
quit;
When it comes to privacy and accountability, people always demand the former for themselves and
the latter for everyone else. — David Brin
Database Alterations – NagiosQL User
/usr/local/nagiosxi/html/config.inc.php:
"pwd" => 'n@gweb',
"password" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.dist:
"pwd" => 'n@gweb',
"password" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.saved:
"pwd" => 'n@gweb',
"password" => 'n@gweb',
/usr/local/nagiosxi/etc/components/ccm_config.inc.php:
"password" => "n@gweb",
/usr/local/nagiosxi/html/includes/components/ccm/config.inc.php:
'password' => 'n@gweb',
/usr/local/nagiosxi/html/includes/components/ccm/ccm.inc.php:
$password = grab_array_var($cfg['db_info']['nagiosql'],'pwd','n@gweb');
Men are only as good as their technical development allows them to be. — George Orwell
Database Alterations – Ndoutils User
/usr/local/nagios/etc/ndo2db.cfg
db_pass=n@gweb
/usr/local/nagiosxi/html/config.inc.php:
"pwd" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.dist:
"pwd" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.saved:
"pwd" => 'n@gweb',
/usr/local/nagvis/etc/nagvis.ini.php
dbpass="n@gweb"
Be careful and you will save many men from the sin of robbing you. — Ed Howe
Database Alterations - Postgres
psql -U nagiosxi
ALTER USER nagiosxi WITH PASSWORD 'NewPassword';
/usr/local/nagiosxi/var/xi-sys.cfg
pgsqlpass='nagiosxi'
/usr/local/nagiosxi/scripts/backup_xi.sh
pg_dump -c -U nagiosxi nagiosxi > $mydir/pgsql/nagiosxi.sql
/usr/local/nagiosxi/scripts/restore_xi.sh
psql -U nagiosxi nagiosxi < pgsql/nagiosxi.sql
/usr/local/nagiosxi/html/config.inc.php:
"pwd" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.dist:
"pwd" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.saved:
"pwd" => 'n@gweb',
One of the tests of leadership is the ability to recognize a problem
before it becomes an emergency. — Arnold Glascow
Locking Down IPtables
# flush all rules, delete user chains, then default-deny every chain
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# SSH and HTTP only from the admin workstation, HTTPS only from one host
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 22 -s 192.168.1.25 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 80 -s 192.168.1.25 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 443 -s 192.168.1.45 -j ACCEPT
# NSCA passive checks (5667) from one sender, SNMP trap port (162) from the LAN
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 5667 -s 192.168.1.200 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 162 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -m state --state NEW -p udp --dport 53 -s 192.168.1.200 -j ACCEPT
# return traffic for TCP connections the server opened to the LAN
iptables -A INPUT -m state --state ESTABLISHED -p tcp -s 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -j ACCEPT
# note: nothing above admits loopback (lo) traffic; add an -i lo ACCEPT rule if local services talk over 127.0.0.1
# persist the ruleset across reboots (RHEL/CentOS init script)
service iptables save
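Because iptables is first-match (the opposite of the Apache Order rule earlier), it is worth checking what the chain above actually admits before saving it. This added example (not code from the slides or from Nagios) parses the INPUT rules into a model and evaluates sample packets top to bottom; it understands only the options the slide uses, the rule text is reproduced with the source corrected to 192.168.1.0/24, and all function names are my own.

```python
"""First-match simulation of the slide's iptables INPUT chain.

Added example, not from the slides: parses 'iptables -P/-A INPUT ...'
commands into rules and evaluates sample packets in order, as netfilter
does, so the effect of the ruleset can be checked offline. Only the
options used on the slide (-p, --dport, -s, -m state --state, -j) are
understood; every option is assumed to take exactly one value.
"""
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    target: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    src: Optional[ipaddress.IPv4Network] = None
    states: set = field(default_factory=set)

    def matches(self, proto: str, dport: int, src: str, state: str) -> bool:
        """A rule matches only if every criterion it specifies holds."""
        return ((self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport)
                and (self.src is None or ipaddress.IPv4Address(src) in self.src)
                and (not self.states or state in self.states))


def parse_rules(script: str, chain: str = "INPUT"):
    """Return (policy, [Rule]) for one chain from a list of iptables commands."""
    policy, rules = "ACCEPT", []      # ACCEPT is the kernel's built-in default
    for line in script.splitlines():
        argv = shlex.split(line)
        if len(argv) < 3 or argv[0] != "iptables" or argv[2] != chain:
            continue                  # flushes, other chains, 'service' lines
        if argv[1] == "-P":
            policy = argv[3]
        elif argv[1] == "-A":
            opts = dict(zip(argv[3::2], argv[4::2]))   # option -> value pairs
            rules.append(Rule(
                target=opts.get("-j", "DROP"),
                proto=opts.get("-p"),
                dport=int(opts["--dport"]) if "--dport" in opts else None,
                src=(ipaddress.ip_network(opts["-s"], strict=False)
                     if "-s" in opts else None),
                states=set(opts["--state"].split(",")) if "--state" in opts else set(),
            ))
    return policy, rules


def verdict(policy, rules, proto, dport, src, state="NEW"):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(proto, dport, src, state):
            return rule.target
    return policy


# The INPUT chain from the slide (source of the port-162 rule corrected).
INPUT_CHAIN = """
iptables -P INPUT DROP
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 22 -s 192.168.1.25 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 80 -s 192.168.1.25 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 443 -s 192.168.1.45 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 5667 -s 192.168.1.200 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 162 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -m state --state NEW -p udp --dport 53 -s 192.168.1.200 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -p tcp -s 192.168.1.0/24 -j ACCEPT
"""

if __name__ == "__main__":
    policy, rules = parse_rules(INPUT_CHAIN)
    # constructed sample packets: (proto, dport, source, conntrack state)
    samples = [("tcp", 22, "192.168.1.25", "NEW"), ("tcp", 22, "192.168.1.30", "NEW"),
               ("tcp", 443, "192.168.1.25", "NEW"), ("tcp", 5667, "192.168.1.200", "NEW"),
               ("tcp", 8080, "192.168.1.30", "ESTABLISHED"), ("tcp", 3306, "127.0.0.1", "NEW")]
    for proto, dport, src, state in samples:
        print(f"{proto}/{dport:<5} from {src:<14} {state:<11} -> "
              f"{verdict(policy, rules, proto, dport, src, state)}")
```

No rule admits loopback traffic, so with the INPUT policy at DROP any local component that connects to 127.0.0.1 over TCP is cut off until an `iptables -A INPUT -i lo -j ACCEPT` rule is added ahead of these.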
It's not good enough to have a system where everyone (using the system) must be trusted, it must also
be made robust against insiders! — Robert Morris
OS Hardening
ASLR and Exec Shield
sshd configuration
aide
SeLinux
GRSecurity Kernel Patches
Like the death of a celebrity from a drug overdose, publicized data loss incidents remind us that we
should probably do something about taking better care of our data. But we usually don't, because we
quickly remind ourselves that backups are boring as h***, and that it's shark week on Discovery.
— Nik Cubrilovic
ASLR and Exec Shield
Address Space Layout Randomization
kernel.randomize_va_space = 1
Exec Shield
kernel.exec-shield = 1
Both can be enabled by adding these lines to /etc/sysctl.conf and running sysctl -p, or by rebooting the system.
A good programmer is someone who always looks both ways before crossing a one-way street. — Doug Linder
SSHD Config
/etc/ssh/sshd_config
Protocol 2
SyslogFacility AUTH
LoginGraceTime 1m
PermitRootLogin no
MaxAuthTries 3
MaxSessions 5
MaxStartups 3
IgnoreRhosts yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding no
The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we
come in; we're computer professionals. We cause accidents. — Nathaniel Borenstein
Aide installation and configuration
yum install aide
Download the config that matches your system (aide.conf.selinux with SELinux enabled, aide.conf.non-se otherwise):
curl http://assets.nagios.com/downloads/nagiosxi/xi_security/aide.conf.non-se -o /etc/aide.conf
aide --init
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
aide --check
System updates, Nagios updates, config changes, etc. will cause AIDE warnings.
AIDE, version 0.14
### All files match AIDE database. Looks okay!
The best way to get management excited about a disaster plan is to burn down the building across the
street. — Dan Erwin, Security Officer, Dow Chemical Co
SELinux
Initially created and still greatly maintained by NSA
Enforces Mandatory Access Control (MAC)
Application and User Domain Restrictions
Execution restrictions
Port use restrictions
Additional file permissions
But not quite ready for Nagios XI
In theory, one can build provably secure systems. In theory, theory can be applied to practice but in
practice, it can't. — M. Dacier, Eurecom Institute
GRSecurity / PaX
Kernel based security patches
True ASLR and Stack protections
Role-based Access Control (RBAC)
Chroot advantages
Breaks the RHEL warranty by modifying the kernel
You can't hold firewalls and intrusion detection systems accountable. You can only hold people
accountable. — Daryl White, DOI CIO
Questions? - Thank You!
History has taught us: never underestimate the amount of money,
time, and effort someone will expend to thwart a security system. It's
always better to assume the worst. Assume your adversaries are better
than they are. Assume science and technology will soon be able to do
things they cannot yet. Give yourself a margin for error. Give
yourself more security than you need today. When the unexpected
happens, you'll be glad you did. — Bruce Schneier

More Related Content

What's hot

Open network architecture e book
Open network architecture e bookOpen network architecture e book
Open network architecture e book
COMSATS
 
232 md5-considered-harmful-slides
232 md5-considered-harmful-slides232 md5-considered-harmful-slides
232 md5-considered-harmful-slides
Dan Kaminsky
 

What's hot (19)

CHECK POINT 5900 NEXT GENERATION SECURITY GATEWAY FOR THE MID-SIZE ENTERPRISE
CHECK POINT 5900 NEXT GENERATION SECURITY GATEWAY FOR THE MID-SIZE ENTERPRISECHECK POINT 5900 NEXT GENERATION SECURITY GATEWAY FOR THE MID-SIZE ENTERPRISE
CHECK POINT 5900 NEXT GENERATION SECURITY GATEWAY FOR THE MID-SIZE ENTERPRISE
 
Pxosys Webinar Amplify your Security
Pxosys Webinar Amplify your SecurityPxosys Webinar Amplify your Security
Pxosys Webinar Amplify your Security
 
CHECK POINT 3100 NEXT GENERATION SECURITY GATEWAY FOR THE BRANCH AND SMALL OF...
CHECK POINT 3100 NEXT GENERATION SECURITY GATEWAY FOR THE BRANCH AND SMALL OF...CHECK POINT 3100 NEXT GENERATION SECURITY GATEWAY FOR THE BRANCH AND SMALL OF...
CHECK POINT 3100 NEXT GENERATION SECURITY GATEWAY FOR THE BRANCH AND SMALL OF...
 
The &lt;$100 Cyber Sensor, You Can Build It!
The  &lt;$100 Cyber Sensor, You Can Build It!The  &lt;$100 Cyber Sensor, You Can Build It!
The &lt;$100 Cyber Sensor, You Can Build It!
 
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
 
RIPE 70 Report Webinar
RIPE 70 Report WebinarRIPE 70 Report Webinar
RIPE 70 Report Webinar
 
Особенности фоновой работы iOS-приложения на примере синхронизации Яндекс.Ди...
 Особенности фоновой работы iOS-приложения на примере синхронизации Яндекс.Ди... Особенности фоновой работы iOS-приложения на примере синхронизации Яндекс.Ди...
Особенности фоновой работы iOS-приложения на примере синхронизации Яндекс.Ди...
 
Monitoramento de Vulnerabilidades com Zabbix, RHEL e Yum Security Plugin
Monitoramento de Vulnerabilidades com Zabbix, RHEL e Yum Security PluginMonitoramento de Vulnerabilidades com Zabbix, RHEL e Yum Security Plugin
Monitoramento de Vulnerabilidades com Zabbix, RHEL e Yum Security Plugin
 
NexusでAnsibleやってみた
NexusでAnsibleやってみたNexusでAnsibleやってみた
NexusでAnsibleやってみた
 
Cisco umbrella youtube
Cisco umbrella youtubeCisco umbrella youtube
Cisco umbrella youtube
 
Vmug 2017 Guido Frabotti
Vmug 2017 Guido FrabottiVmug 2017 Guido Frabotti
Vmug 2017 Guido Frabotti
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for Pentesters
 
Open network architecture e book
Open network architecture e bookOpen network architecture e book
Open network architecture e book
 
232 md5-considered-harmful-slides
232 md5-considered-harmful-slides232 md5-considered-harmful-slides
232 md5-considered-harmful-slides
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1   t. yunusov k. nesterov - bootkit via smsD1 t1   t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 
Dns security threats and solutions
Dns security   threats and solutionsDns security   threats and solutions
Dns security threats and solutions
 
Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)
 
thwackCamp 2013: Building a Large-Scale SolarWinds Installation
thwackCamp 2013: Building a Large-Scale SolarWinds InstallationthwackCamp 2013: Building a Large-Scale SolarWinds Installation
thwackCamp 2013: Building a Large-Scale SolarWinds Installation
 
OpenStack Day 2 Operations
OpenStack Day 2 OperationsOpenStack Day 2 Operations
OpenStack Day 2 Operations
 

Similar to Nagios Conference 2013 - Spenser Reinhardt - Securing Your Nagios Server

Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
webhostingguy
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
webhostingguy
 
Firewall arch by Tareq Hanaysha
Firewall arch by Tareq HanayshaFirewall arch by Tareq Hanaysha
Firewall arch by Tareq Hanaysha
Hanaysha
 
8 steps to protect your cisco router
8 steps to protect your cisco router8 steps to protect your cisco router
8 steps to protect your cisco router
IT Tech
 
Squid proxy server
Squid proxy serverSquid proxy server
Squid proxy server
Green Jb
 
How Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us VulnerableHow Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us Vulnerable
Ray Potter
 

Similar to Nagios Conference 2013 - Spenser Reinhardt - Securing Your Nagios Server (20)

Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
 
Firewall arch by Tareq Hanaysha
Firewall arch by Tareq HanayshaFirewall arch by Tareq Hanaysha
Firewall arch by Tareq Hanaysha
 
It's a Dangerous World
It's a Dangerous World It's a Dangerous World
It's a Dangerous World
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modem
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalability
 
PLMCE - Security and why you need to review yours
PLMCE - Security and why you need to review yoursPLMCE - Security and why you need to review yours
PLMCE - Security and why you need to review yours
 
Webinar: Automate IBM Connections Installations and more
Webinar: Automate IBM Connections Installations and moreWebinar: Automate IBM Connections Installations and more
Webinar: Automate IBM Connections Installations and more
 
8 steps to protect your cisco router
8 steps to protect your cisco router8 steps to protect your cisco router
8 steps to protect your cisco router
 
Server hardening
Server hardeningServer hardening
Server hardening
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawn
 
Squid proxy server
Squid proxy serverSquid proxy server
Squid proxy server
 
How Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us VulnerableHow Smart Thermostats Have Made Us Vulnerable
How Smart Thermostats Have Made Us Vulnerable
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
 
Asterisksecuritykingasterisk 130723131448-phpapp01
Asterisksecuritykingasterisk 130723131448-phpapp01Asterisksecuritykingasterisk 130723131448-phpapp01
Asterisksecuritykingasterisk 130723131448-phpapp01
 
What Is IVR ?
What Is IVR ?What Is IVR ?
What Is IVR ?
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense Vector
 

More from Nagios

More from Nagios (20)

Nagios XI Best Practices
Nagios XI Best PracticesNagios XI Best Practices
Nagios XI Best Practices
 
Jesse Olson - Nagios Log Server Architecture Overview
Jesse Olson - Nagios Log Server Architecture OverviewJesse Olson - Nagios Log Server Architecture Overview
Jesse Olson - Nagios Log Server Architecture Overview
 
Trevor McDonald - Nagios XI Under The Hood
Trevor McDonald  - Nagios XI Under The HoodTrevor McDonald  - Nagios XI Under The Hood
Trevor McDonald - Nagios XI Under The Hood
 
Sean Falzon - Nagios - Resilient Notifications
Sean Falzon - Nagios - Resilient NotificationsSean Falzon - Nagios - Resilient Notifications
Sean Falzon - Nagios - Resilient Notifications
 
Marcus Rochelle - Landis+Gyr - Monitoring with Nagios Enterprise Edition
Marcus Rochelle - Landis+Gyr - Monitoring with Nagios Enterprise EditionMarcus Rochelle - Landis+Gyr - Monitoring with Nagios Enterprise Edition
Marcus Rochelle - Landis+Gyr - Monitoring with Nagios Enterprise Edition
 
Janice Singh - Writing Custom Nagios Plugins
Janice Singh - Writing Custom Nagios PluginsJanice Singh - Writing Custom Nagios Plugins
Janice Singh - Writing Custom Nagios Plugins
 
Dave Williams - Nagios Log Server - Practical Experience
Dave Williams - Nagios Log Server - Practical ExperienceDave Williams - Nagios Log Server - Practical Experience
Dave Williams - Nagios Log Server - Practical Experience
 
Mike Weber - Nagios and Group Deployment of Service Checks
Mike Weber - Nagios and Group Deployment of Service ChecksMike Weber - Nagios and Group Deployment of Service Checks
Mike Weber - Nagios and Group Deployment of Service Checks
 
Mike Guthrie - Revamping Your 10 Year Old Nagios Installation
Mike Guthrie - Revamping Your 10 Year Old Nagios InstallationMike Guthrie - Revamping Your 10 Year Old Nagios Installation
Mike Guthrie - Revamping Your 10 Year Old Nagios Installation
 
Bryan Heden - Agile Networks - Using Nagios XI as the platform for Monitoring...
Bryan Heden - Agile Networks - Using Nagios XI as the platform for Monitoring...Bryan Heden - Agile Networks - Using Nagios XI as the platform for Monitoring...
Bryan Heden - Agile Networks - Using Nagios XI as the platform for Monitoring...
 
Matt Bruzek - Monitoring Your Public Cloud With Nagios
Matt Bruzek - Monitoring Your Public Cloud With NagiosMatt Bruzek - Monitoring Your Public Cloud With Nagios
Matt Bruzek - Monitoring Your Public Cloud With Nagios
 
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.
Lee Myers - What To Do When Nagios Notification Don't Meet Your Needs.
 
Eric Loyd - Fractal Nagios
Eric Loyd - Fractal NagiosEric Loyd - Fractal Nagios
Eric Loyd - Fractal Nagios
 
Marcelo Perazolo, Lead Software Architect, IBM Corporation - Monitoring a Pow...
Marcelo Perazolo, Lead Software Architect, IBM Corporation - Monitoring a Pow...Marcelo Perazolo, Lead Software Architect, IBM Corporation - Monitoring a Pow...
Marcelo Perazolo, Lead Software Architect, IBM Corporation - Monitoring a Pow...
 
Thomas Schmainda - Tracking Boeing Satellites With Nagios - Nagios World Conf...
Thomas Schmainda - Tracking Boeing Satellites With Nagios - Nagios World Conf...Thomas Schmainda - Tracking Boeing Satellites With Nagios - Nagios World Conf...
Thomas Schmainda - Tracking Boeing Satellites With Nagios - Nagios World Conf...
 
Nagios World Conference 2015 - Scott Wilkerson Opening
Nagios World Conference 2015 - Scott Wilkerson OpeningNagios World Conference 2015 - Scott Wilkerson Opening
Nagios World Conference 2015 - Scott Wilkerson Opening
 
Nrpe - Nagios Remote Plugin Executor. NRPE plugin for Nagios Core
Nrpe - Nagios Remote Plugin Executor. NRPE plugin for Nagios CoreNrpe - Nagios Remote Plugin Executor. NRPE plugin for Nagios Core
Nrpe - Nagios Remote Plugin Executor. NRPE plugin for Nagios Core
 
Nagios Log Server - Features
Nagios Log Server - FeaturesNagios Log Server - Features
Nagios Log Server - Features
 
Nagios Network Analyzer - Features
Nagios Network Analyzer - FeaturesNagios Network Analyzer - Features
Nagios Network Analyzer - Features
 
Nagios Conference 2014 - Dorance Martinez Cortes - Customizing Nagios
Nagios Conference 2014 - Dorance Martinez Cortes - Customizing NagiosNagios Conference 2014 - Dorance Martinez Cortes - Customizing Nagios
Nagios Conference 2014 - Dorance Martinez Cortes - Customizing Nagios
 

Recently uploaded

£ HAMIL 5 BULAN £ CARA MENGGUGURKAN KANDUNGAN USIA 5 BULAN ((087776558899))
£ HAMIL 5 BULAN £ CARA MENGGUGURKAN KANDUNGAN USIA 5 BULAN ((087776558899))£ HAMIL 5 BULAN £ CARA MENGGUGURKAN KANDUNGAN USIA 5 BULAN ((087776558899))
£ HAMIL 5 BULAN £ CARA MENGGUGURKAN KANDUNGAN USIA 5 BULAN ((087776558899))
Obat Cytotec
 
In Riyadh Saudi Arabia |+966572737505 | Buy Cytotec| Get Abortion pills
In Riyadh Saudi Arabia |+966572737505 | Buy Cytotec| Get Abortion pillsIn Riyadh Saudi Arabia |+966572737505 | Buy Cytotec| Get Abortion pills
In Riyadh Saudi Arabia |+966572737505 | Buy Cytotec| Get Abortion pills
Abortion pills in Riyadh +966572737505 get cytotec
 
Abortion pills in Jeddah Saudi Arabia! +966572737505 Where to buy cytotec
Abortion pills in Jeddah Saudi Arabia! +966572737505 Where to buy cytotecAbortion pills in Jeddah Saudi Arabia! +966572737505 Where to buy cytotec
Abortion pills in Jeddah Saudi Arabia! +966572737505 Where to buy cytotec
Abortion pills in Riyadh +966572737505 get cytotec
 
如何办理(SUT毕业证书)斯威本科技大学毕业证成绩单本科硕士学位证留信学历认证
如何办理(SUT毕业证书)斯威本科技大学毕业证成绩单本科硕士学位证留信学历认证如何办理(SUT毕业证书)斯威本科技大学毕业证成绩单本科硕士学位证留信学历认证
如何办理(SUT毕业证书)斯威本科技大学毕业证成绩单本科硕士学位证留信学历认证
mestb
 
Abortion pills in Riyadh Saudi Arabia!+966572737505 ) Where to get cytotec
Abortion pills in Riyadh Saudi Arabia!+966572737505 ) Where to get cytotecAbortion pills in Riyadh Saudi Arabia!+966572737505 ) Where to get cytotec
Abortion pills in Riyadh Saudi Arabia!+966572737505 ) Where to get cytotec
Abortion pills in Riyadh +966572737505 get cytotec
 
办理(uw学位证书)美国华盛顿大学毕业证续费收据一模一样
办理(uw学位证书)美国华盛顿大学毕业证续费收据一模一样办理(uw学位证书)美国华盛顿大学毕业证续费收据一模一样
办理(uw学位证书)美国华盛顿大学毕业证续费收据一模一样
vwymvu
 
如何办理(USYD毕业证书)悉尼大学毕业证成绩单原件一模一样
如何办理(USYD毕业证书)悉尼大学毕业证成绩单原件一模一样如何办理(USYD毕业证书)悉尼大学毕业证成绩单原件一模一样
如何办理(USYD毕业证书)悉尼大学毕业证成绩单原件一模一样
wsppdmt
 
一比一原版(CSUEB毕业证书)东湾分校毕业证原件一模一样
一比一原版(CSUEB毕业证书)东湾分校毕业证原件一模一样一比一原版(CSUEB毕业证书)东湾分校毕业证原件一模一样
一比一原版(CSUEB毕业证书)东湾分校毕业证原件一模一样
ayoqf
 
Contact +971581248768 to buy 100% original and safe abortion pills in Dubai a...
Contact +971581248768 to buy 100% original and safe abortion pills in Dubai a...Contact +971581248768 to buy 100% original and safe abortion pills in Dubai a...
Contact +971581248768 to buy 100% original and safe abortion pills in Dubai a...
DUBAI (+971)581248768 BUY ABORTION PILLS IN ABU dhabi...Qatar
 
如何办理(AUT毕业证书)奥克兰理工大学毕业证成绩单本科硕士学位证留信学历认证
如何办理(AUT毕业证书)奥克兰理工大学毕业证成绩单本科硕士学位证留信学历认证如何办理(AUT毕业证书)奥克兰理工大学毕业证成绩单本科硕士学位证留信学历认证
如何办理(AUT毕业证书)奥克兰理工大学毕业证成绩单本科硕士学位证留信学历认证
mestb
 
在线办理(scu毕业证)南十字星大学毕业证电子版学位证书注册证明信
在线办理(scu毕业证)南十字星大学毕业证电子版学位证书注册证明信在线办理(scu毕业证)南十字星大学毕业证电子版学位证书注册证明信
在线办理(scu毕业证)南十字星大学毕业证电子版学位证书注册证明信
oopacde
 
Buy Abortion pills in Riyadh |+966572737505 | Get Cytotec
Buy Abortion pills in Riyadh |+966572737505 | Get CytotecBuy Abortion pills in Riyadh |+966572737505 | Get Cytotec
Buy Abortion pills in Riyadh |+966572737505 | Get Cytotec
Abortion pills in Riyadh +966572737505 get cytotec
 
Vibration of Continuous Systems.pjjjjjjjjptx
Vibration of Continuous Systems.pjjjjjjjjptxVibration of Continuous Systems.pjjjjjjjjptx
Vibration of Continuous Systems.pjjjjjjjjptx
joshuaclack73
 
Abortion Pills in Jeddah |+966572737505 | Get Cytotec
Abortion Pills in Jeddah |+966572737505 | Get CytotecAbortion Pills in Jeddah |+966572737505 | Get Cytotec
Abortion Pills in Jeddah |+966572737505 | Get Cytotec
Abortion pills in Riyadh +966572737505 get cytotec
 

Recently uploaded (20)

Premium ℂall Girls Navi Mumbai Hire Me Neha 9910780858 Top Class ℂall Girl Se...
Premium ℂall Girls Navi Mumbai Hire Me Neha 9910780858 Top Class ℂall Girl Se...Premium ℂall Girls Navi Mumbai Hire Me Neha 9910780858 Top Class ℂall Girl Se...
Premium ℂall Girls Navi Mumbai Hire Me Neha 9910780858 Top Class ℂall Girl Se...
 
£ HAMIL 5 BULAN £ CARA MENGGUGURKAN KANDUNGAN USIA 5 BULAN ((087776558899))
£ HAMIL 5 BULAN £ CARA MENGGUGURKAN KANDUNGAN USIA 5 BULAN ((087776558899))£ HAMIL 5 BULAN £ CARA MENGGUGURKAN KANDUNGAN USIA 5 BULAN ((087776558899))
£ HAMIL 5 BULAN £ CARA MENGGUGURKAN KANDUNGAN USIA 5 BULAN ((087776558899))
 
NO1 Best Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addre...
NO1 Best Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addre...NO1 Best Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addre...
NO1 Best Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi Addre...
 
In Riyadh Saudi Arabia |+966572737505 | Buy Cytotec| Get Abortion pills
In Riyadh Saudi Arabia |+966572737505 | Buy Cytotec| Get Abortion pillsIn Riyadh Saudi Arabia |+966572737505 | Buy Cytotec| Get Abortion pills
In Riyadh Saudi Arabia |+966572737505 | Buy Cytotec| Get Abortion pills
 
Abortion pills in Jeddah Saudi Arabia! +966572737505 Where to buy cytotec
Abortion pills in Jeddah Saudi Arabia! +966572737505 Where to buy cytotecAbortion pills in Jeddah Saudi Arabia! +966572737505 Where to buy cytotec
Abortion pills in Jeddah Saudi Arabia! +966572737505 Where to buy cytotec
 
Best CPU for gaming Intel Core i9-14900K 14th Gen Desktop CPU
Best CPU for gaming  Intel Core i9-14900K 14th Gen Desktop CPUBest CPU for gaming  Intel Core i9-14900K 14th Gen Desktop CPU
Best CPU for gaming Intel Core i9-14900K 14th Gen Desktop CPU
 
如何办理(SUT毕业证书)斯威本科技大学毕业证成绩单本科硕士学位证留信学历认证
如何办理(SUT毕业证书)斯威本科技大学毕业证成绩单本科硕士学位证留信学历认证如何办理(SUT毕业证书)斯威本科技大学毕业证成绩单本科硕士学位证留信学历认证
如何办理(SUT毕业证书)斯威本科技大学毕业证成绩单本科硕士学位证留信学历认证
 
NON INVASIVE GLUCOSE BLODD MONITORING SYSTEM (1) (2) (1).pptx
NON INVASIVE GLUCOSE BLODD MONITORING SYSTEM (1) (2) (1).pptxNON INVASIVE GLUCOSE BLODD MONITORING SYSTEM (1) (2) (1).pptx
NON INVASIVE GLUCOSE BLODD MONITORING SYSTEM (1) (2) (1).pptx
 
Abortion pills in Riyadh Saudi Arabia!+966572737505 ) Where to get cytotec
Abortion pills in Riyadh Saudi Arabia!+966572737505 ) Where to get cytotecAbortion pills in Riyadh Saudi Arabia!+966572737505 ) Where to get cytotec
Abortion pills in Riyadh Saudi Arabia!+966572737505 ) Where to get cytotec
 
办理(uw学位证书)美国华盛顿大学毕业证续费收据一模一样
办理(uw学位证书)美国华盛顿大学毕业证续费收据一模一样办理(uw学位证书)美国华盛顿大学毕业证续费收据一模一样

Nagios Conference 2013 - Spenser Reinhardt - Securing Your Nagios Server

8
Restricting Apache Virtual Hosts
/etc/httpd/conf.d/nagiosxi.conf (default)
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
/etc/httpd/conf.d/nagiosxi.conf (restricted)
# Order allow,deny
# Allow from all
Order deny,allow
Deny from all
Allow from 127.0.0.1 192.168.168.0/24 10.1.2.0/255.255.255.0 nagios.com
Order rules work the opposite way from iptables: the last evaluated rule that matches the connection applies.
Security is always excessive until it's not enough. — Robbie Sinclair, Head of Security, Country Energy, NSW Australia
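To see how Apache's Order/Allow/Deny evaluation actually treats a client under the two stanzas above, here is an added Python model (example code, not from the slides or from Nagios XI). It implements the Apache 2.2 evaluation rules for the from-list forms used on the slide; the hostname case assumes the client's reverse-DNS name has already been resolved.

```python
import ipaddress

# Added example, not from the slides: models how Apache 2.2 evaluates the
# Order / Allow / Deny directives above, so the effect of "Order deny,allow"
# versus "Order allow,deny" can be checked before editing the live vhost.
# Hostname tokens assume the client's reverse-DNS name is already known.

def matches(pattern, ip, hostname=None):
    """True if one 'from' token (all, IP, CIDR, IP/netmask, domain) matches."""
    if pattern == "all":
        return True
    try:  # 127.0.0.1, 192.168.168.0/24, 10.1.2.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        pass  # not an address: treat as a domain name
    # "nagios.com" matches the host nagios.com and any host under it
    return hostname is not None and (hostname == pattern or hostname.endswith("." + pattern))

def evaluate(order, allow, deny, ip, hostname=None):
    """True if the client is admitted under the given Order and from-lists.

    Apache evaluates the first-named directive, then the second; on a
    double match the second wins, and a client matching neither gets the
    second directive's default (deny,allow -> admitted, allow,deny -> refused).
    """
    allowed = any(matches(p, ip, hostname) for p in allow)
    denied = any(matches(p, ip, hostname) for p in deny)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError("unknown Order: " + order)

# The "restricted" stanza from the slide.
RESTRICTED = dict(order="deny,allow", deny=["all"],
                  allow=["127.0.0.1", "192.168.168.0/24", "10.1.2.0/255.255.255.0", "nagios.com"])

if __name__ == "__main__":
    for ip, host in [("127.0.0.1", None), ("10.1.2.7", None),
                     ("203.0.113.9", None), ("203.0.113.9", "build.nagios.com")]:
        verdict = evaluate(ip=ip, hostname=host, **RESTRICTED)
        print(ip, host or "-", "->", "allowed" if verdict else "denied")
    # The same from-lists under the wrong Order lock out even localhost:
    print("allow,deny + Deny from all:", evaluate("allow,deny", ["127.0.0.1"], ["all"], "127.0.0.1"))
```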
9
Force SSL Redirection
/etc/httpd/conf.d/https.conf
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Forces all pages loaded over http to redirect to https. Pages can still be requested insecurely, but will be redirected immediately.
There are risks and costs to a program of action--but they are far less than the long range cost of comfortable inaction. — John F. Kennedy
10
Increasing SSL Security
As openssl requires a password for aes256, we will need to generate a new key, give it a password, and then remove the password before we generate anything else:
cd /etc/pki/tls/private
openssl genrsa -aes256 -out ca.key.pass 2048
OR
openssl genrsa -aes256 -out ca.key.pass 4096
Type in the password you used above when asked, as the following command will strip the password:
openssl rsa -in ca.key.pass -out ca.key
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
cp ca.crt ../certs/
One person's "paranoia" is another person's "engineering redundancy." — Marcus J. Ranum
11
Increasing SSL Security (2)
Modify the files in /etc/httpd/conf.d to add the following lines directly after the </Directory> line.
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite DHE-RSA-AES256-SHA:ALL:!ADH:!EXPORT:!SSLv2:!RC2:!CAMELLIA256:!3DES:!DES-CBC3-SHA:!RC4:+HIGH:!MEDIUM:!LOW
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
<Directory "/usr/local/nagiosxi/html">
AllowOverride All
</Directory>
</VirtualHost>
Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts across the electrified borders. — Ronald Reagan
12
Mod_Security
Install Mod_Security packages
yum install mod_security_crs-extras mod_security mod_security_crs
Download and copy my exclusions rule list
cd /tmp
wget http://assets.nagios.com/downloads/nagiosxi/misc/mod_security_excluded_rules.conf
cp /tmp/mod_security_excluded_rules.conf /etc/httpd/conf.d/
Troubleshooting
tail -f /var/log/httpd/error_log | grep -oE "/etc/httpd/modsecurity.d/activated_rules/.{0,75}"
/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"]
SecRuleRemoveById [ID Number]
The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We cause accidents. — Nathaniel Borenstein
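An added example (not from the slides or from Nagios) for the troubleshooting step: parse ModSecurity entries out of error_log, summarise hits per rule id, and emit SecRuleRemoveById only for ids that were actually reviewed. The log lines are constructed samples in the format quoted on the slide; the second rule id and file name are illustrative.

```python
import re

# Added example, not from the slides: turns the scrolling "tail -f" on the
# slide into a per-rule summary, so an exclusion is written for a reviewed
# false positive rather than for whatever id last scrolled past.
# SAMPLE_LOG is constructed; the second rule/file are illustrative.

SAMPLE_LOG = """\
[Sat Sep 21 15:51:01 2013] [error] [client 192.168.1.25] ModSecurity: Warning. Pattern match "(?i:...)" at ARGS:host [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack"] [uri "/nagiosxi/includes/components/ccm/index.php"]
[Sat Sep 21 15:51:03 2013] [error] [client 192.168.1.25] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack"] [uri "/nagiosxi/includes/components/ccm/index.php"]
[Sat Sep 21 15:52:10 2013] [error] [client 203.0.113.9] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "12"] [id "950000"] [msg "Example rule"] [uri "/login.php"]
"""

FIELD = re.compile(r'\[(file|line|id|msg|uri) "([^"]*)"\]')
CLIENT = re.compile(r'\[client ([^\]]+)\]')

def parse_modsec(log_text):
    """Yield one dict per ModSecurity event: file/line/id/msg/uri plus client."""
    for raw in log_text.splitlines():
        if "ModSecurity:" not in raw:
            continue  # unrelated Apache error line
        event = dict(FIELD.findall(raw))
        m = CLIENT.search(raw)
        event["client"] = m.group(1) if m else "?"
        yield event

def summarise(log_text):
    """Return {rule_id: {"hits", "file", "clients", "uris"}} over the log."""
    out = {}
    for ev in parse_modsec(log_text):
        rid = ev.get("id")
        if not rid:
            continue
        entry = out.setdefault(rid, {"hits": 0, "file": ev.get("file"), "clients": set(), "uris": set()})
        entry["hits"] += 1
        entry["clients"].add(ev["client"])
        entry["uris"].add(ev.get("uri", "?"))
    return out

def exclusion_lines(summary, reviewed_ids):
    """SecRuleRemoveById lines, only for ids an admin has reviewed as false positives."""
    lines = []
    for rid in sorted(reviewed_ids):
        if rid in summary:  # never exclude a rule that has not even fired
            lines.append("# id %s: %d hit(s) in %s" % (rid, summary[rid]["hits"], summary[rid]["file"]))
            lines.append("SecRuleRemoveById %s" % rid)
    return lines

if __name__ == "__main__":
    for rid, info in sorted(summarise(SAMPLE_LOG).items()):
        print(rid, info["hits"], "hit(s) from", sorted(info["clients"]), "on", sorted(info["uris"]))
```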
13
Database Alterations – Root User
Root MySQL password
mysqladmin -u root -pnagiosxi password NewPassword
/root/scripts/automysqlbackup
PASSWORD=NewPassword
/usr/local/nagiosxi/scripts/backup_xi.sh
mysqlpass="NewPassword"
/usr/local/nagiosxi/scripts/restore_xi.sh
mysqlpass="NewPassword"
/usr/local/nagiosxi/var/xi-sys.cfg
mysqlpass='NewPassword'
Phishing is a major problem because there really is no patch for human stupidity — Mike Danseglio
14
Database Alterations – Changing Passwords
Changing a MySQL password for non-root users
mysql -u root -p
use mysql;
set password for 'ndoutils'@localhost = password('NewPassword');
flush privileges;
quit;
When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else. — David Brin
15
Database Alterations – NagiosQL User
/usr/local/nagiosxi/html/config.inc.php:
"pwd" => 'n@gweb',
"password" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.dist:
"pwd" => 'n@gweb',
"password" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.saved:
"pwd" => 'n@gweb',
"password" => 'n@gweb',
/usr/local/nagiosxi/etc/components/ccm_config.inc.php:
"password" => "n@gweb",
/usr/local/nagiosxi/html/includes/components/ccm/config.inc.php:
'password' => 'n@gweb',
/usr/local/nagiosxi/html/includes/components/ccm/ccm.inc.php:
$password = grab_array_var($cfg['db_info']['nagiosql'],'pwd','n@gweb');
Men are only as good as their technical development allows them to be. — George Orwell
16
Database Alterations – Ndoutils User
/usr/local/nagios/etc/ndo2db.cfg
db_pass=n@gweb
/usr/local/nagiosxi/html/config.inc.php:
"pwd" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.dist:
"pwd" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.saved:
"pwd" => 'n@gweb',
/usr/local/nagvis/etc/nagvis.ini.php
dbpass="n@gweb"
Be careful and you will save many men from the sin of robbing you. — Ed Howe
17
Database Alterations – Postgres
psql -U nagiosxi
ALTER USER nagiosxi WITH PASSWORD 'NewPassword';
/usr/local/nagiosxi/var/xi-sys.cfg
pgsqlpass='nagiosxi'
/usr/local/nagiosxi/scripts/backup_xi.sh
pg_dump -c -U nagiosxi nagiosxi > $mydir/pgsql/nagiosxi.sql
/usr/local/nagiosxi/scripts/restore_xi.sh
psql -U nagiosxi nagiosxi < pgsql/nagiosxi.sql
/usr/local/nagiosxi/html/config.inc.php:
"pwd" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.dist:
"pwd" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.saved:
"pwd" => 'n@gweb',
One of the tests of leadership is the ability to recognize a problem before it becomes an emergency. — Arnold Glascow
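The three slides above list the files that embed each database password. As an added example (not Nagios code and not from the slides), this Python scan re-reads those paths after a rotation and reports any that still hold the shipped default n@gweb, so a file missed during the change is caught. The file list and assignment forms are taken from the slides; the sample tree it builds is constructed for demonstration.

```python
import os, re, tempfile

# Added example, not from the slides: after rotating the database passwords,
# re-scan the files the slides list and report any still carrying the shipped
# default 'n@gweb'. build_demo_tree() creates a constructed stand-in tree.

CREDENTIAL_FILES = [
    "/usr/local/nagios/etc/ndo2db.cfg",
    "/usr/local/nagiosxi/html/config.inc.php",
    "/usr/local/nagiosxi/html/config.inc.dist",
    "/usr/local/nagiosxi/html/config.inc.saved",
    "/usr/local/nagiosxi/etc/components/ccm_config.inc.php",
    "/usr/local/nagiosxi/html/includes/components/ccm/config.inc.php",
    "/usr/local/nagiosxi/html/includes/components/ccm/ccm.inc.php",
    "/usr/local/nagvis/etc/nagvis.ini.php",
    "/usr/local/nagiosxi/var/xi-sys.cfg",
]

# Assignment forms seen in those files: "pwd" => 'x', 'password' => "x",
# db_pass=x, dbpass="x", mysqlpass='x', and the 'pwd','x' default argument.
CRED_RE = re.compile(r"""(?:["']?(?:pwd|password)["']?\s*=>\s*"""
                     r"""|(?:db_pass|dbpass|mysqlpass|pgsqlpass)\s*=\s*"""
                     r"""|["']pwd["']\s*,\s*)["']?([^"',\s)]+)""")

def find_default_credentials(paths, default="n@gweb", root="/"):
    """Return {path: [line numbers]} for files still holding the default."""
    hits = {}
    for rel in paths:
        full = os.path.join(root, rel.lstrip("/"))
        if not os.path.isfile(full):
            continue  # component not installed here
        with open(full, errors="replace") as fh:
            lines = [n for n, line in enumerate(fh, 1)
                     if default in CRED_RE.findall(line)]
        if lines:
            hits[rel] = lines
    return hits

def build_demo_tree():
    """Constructed sample: two files still default, one already rotated."""
    root = tempfile.mkdtemp()
    samples = {
        "/usr/local/nagios/etc/ndo2db.cfg": "db_user=ndoutils\ndb_pass=n@gweb\n",
        "/usr/local/nagiosxi/html/config.inc.php": "\"pwd\" => 'R0tated!',\n",
        "/usr/local/nagvis/etc/nagvis.ini.php": "[backend_demo]\ndbpass=\"n@gweb\"\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root
```

Run it against the real tree with root="/" once the passwords have been changed; an empty result means every listed file was updated.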
18
Locking Down iptables
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 22 -s 192.168.1.25 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 80 -s 192.168.1.25 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 443 -s 192.168.1.45 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 5667 -s 192.168.1.200 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 162 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -m state --state NEW -p udp --dport 53 -s 192.168.1.200 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -p tcp -s 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -j ACCEPT
service iptables save
Note that nothing here accepts traffic on the loopback interface; with both INPUT and OUTPUT defaulting to DROP, local services that talk to each other over 127.0.0.1 are blocked until a rule for lo is added.
It's not good enough to have a system where everyone (using the system) must be trusted, it must also be made robust against insiders! — Robert Morris
19
OS Hardening
ASLR
Exec Shield
sshd configuration
aide
SELinux
GRSecurity Kernel Patches
Like the death of a celebrity from a drug overdose, publicized data loss incidents remind us that we should probably do something about taking better care of our data. But we usually don't, because we quickly remind ourselves that backups are boring as h***, and that it's shark week on Discovery. — Nik Cubrilovic
20
ASLR Exec Shield
Address Space Layout Randomization
kernel.randomize_va_space = 1
Exec Shield
kernel.exec-shield = 1
Both can be enabled by modifying /etc/sysctl.conf and running sysctl -p or rebooting the system.
A good programmer is someone who always looks both ways before crossing a one-way street. — Doug Linder
21
SSHD Config
/etc/ssh/sshd_config
Protocol 2
SyslogFacility AUTH
LoginGraceTime 1m
PermitRootLogin no
MaxAuthTries 3
MaxSessions 5
MaxStartups 3
IgnoreRhosts yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding no
The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We cause accidents. — Nathaniel Borenstein
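An added Python check (example code, not from the slides) that audits an sshd_config against the values above, honouring sshd's rule that the first occurrence of a keyword wins and leaving Match blocks out of the global check; the baseline dictionary mirrors the slide and the sample config is constructed.

```python
# Added example, not from the slides: checks an sshd_config against the
# values on the slide and reports deviations, handling what a plain grep
# misses: commented lines, case-insensitive keywords, repeated keywords
# (sshd keeps the first occurrence) and Match blocks (conditional, so
# excluded from the global check). SAMPLE_CONFIG is constructed.

BASELINE = {  # keyword (lower-case) -> value from the slide
    "protocol": "2", "syslogfacility": "AUTH", "logingracetime": "1m",
    "permitrootlogin": "no", "maxauthtries": "3", "maxsessions": "5",
    "maxstartups": "3", "ignorerhosts": "yes", "passwordauthentication": "yes",
    "challengeresponseauthentication": "no", "gssapiauthentication": "yes",
    "gssapicleanupcredentials": "yes", "usepam": "yes", "x11forwarding": "no",
}

def parse_sshd_config(text):
    """Return {keyword: first value} for the global (pre-Match) section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key Val' or 'Key=Val'
        key = parts[0].lower()
        if key == "match":  # everything after the first Match is conditional
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(text, baseline=BASELINE):
    """Return {keyword: (expected, actual_or_None)} for every deviation."""
    actual = parse_sshd_config(text)
    return {k: (v, actual.get(k)) for k, v in baseline.items()
            if actual.get(k, "").lower() != v.lower()}

SAMPLE_CONFIG = """\
# constructed sample, not a real server's file
Protocol 2
PermitRootLogin yes
# the next line is ignored by sshd: the first PermitRootLogin wins
PermitRootLogin no
MaxAuthTries 3
X11Forwarding no
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for key, (want, got) in sorted(audit(SAMPLE_CONFIG).items()):
        print("%-32s expected %-5s got %s" % (key, want, got if got is not None else "(unset)"))
```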
22
Aide installation and configuration
yum install aide
curl http://assets.nagios.com/downloads/nagiosxi/xi_security/aide.conf.{selinux,non-se} -o /etc/aide.conf
aide --init
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
aide --check
System updates, Nagios updates, config changes, etc. will cause aide warnings.
AIDE, version 0.14
### All files match AIDE database. Looks okay!
The best way to get management excited about a disaster plan is to burn down the building across the street. — Dan Erwin, Security Officer, Dow Chemical Co
23
SELinux
Initially created and still greatly maintained by NSA
Enforces Mandatory Access Control (MAC)
Application and User Domain Restrictions
Execution restrictions
Port use restrictions
Additional file permissions
But not quite ready for Nagios XI
In theory, one can build provably secure systems. In theory, theory can be applied to practice but in practice, it can't. — M. Dacier, Eurecom Institute
24
GRSecurity/PaX
Kernel based security patches
True ASLR and Stack protections
Role-based Access Control (RBAC)
Chroot advantages
Breaks RHEL Warranty by kernel modification
You can't hold firewalls and intrusion detection systems accountable. You can only hold people accountable. — Daryl White, DOI CIO
25
Questions? - Thank You!
History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did. — Bruce Schneier