Stephen Strudwick, Pipex
Communications,
Addition of Blowfish encryption to nrpe to provide an optional alternative layer of security because the SSL encryption does not have any authentication; it only stops people snooping on the data.
Blowfish encryption has been added to the latest source release(0.7c) as a compile time option.
Authentication will be provided via a shared key, unique to each host.
While the IP access control and SSL is good enough for most people, I felt I needed to add the blowfish code because we will be installing nrpe on many hundreds of servers, some of which will be important customer dedicated servers, on public facing lans.
By adding an authentication/encryption scheme to the security it is one more step an attacker has to take to exploit the server.
We have to demonstrate to our customers we have taken every reasonable step to protect their servers. IP access control on its own I believe is exploitable, especially if a server on the same lan is exploited and the nrpe port is attacked from that server. We have seen similar such attacks in the past.
While this is very unlikely, and even more unlikely they could exploit the daemon with command line arguments disabled it is still a potential risk.
To apply the patch to the source tree do:
patch -p0 < blowfish_patch
Add the following line to the nrpe.cfg:
blowfish_secret=<secret>
And when calling check_nrpe do it like this:
./check_nrpe -H <host>-c <command> -s <secret>