Stephen Strudwick, Pipex Communications
Addition of Blowfish encryption to nrpe, to provide an optional alternative layer of security: the SSL encryption does not provide any authentication, it only stops people snooping on the data.
Blowfish encryption has been added to the latest nrpe cvs tree as a compile time option.
Authentication will be provided via a shared key, unique to each host.
While the IP access control and SSL are good enough for most people, I felt I needed to add the blowfish code because we will be installing nrpe on many hundreds of servers, some of which will be important customer dedicated servers on public-facing LANs.
Adding an authentication/encryption scheme gives an attacker one more step to take before the server can be exploited.
We have to demonstrate to our customers that we have taken every reasonable step to protect their servers. IP access control on its own I believe is exploitable, especially if a server on the same LAN is exploited and the nrpe port is attacked from that server. We have seen similar attacks in the past.
While this is very unlikely, and even more unlikely that they could exploit the daemon with command line arguments disabled, it is still a potential risk.
To apply the patch to the cvs tree do:
cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/nagios co nrpe
patch -p0 < blowfish_patch
When doing configure do:
./configure --enable-blowfish
Add the following line to the nrpe.cfg:
blowfish_secret=<secret>
And when calling check_nrpe do it like this:
./check_nrpe -H <host> -c <command> -s <secret>
Added option --enable-blowfish; if selected it disables check_for_ssl. Also defines HAVE_BF.
Also added a check for floor in the math lib: AC_CHECK_LIB(m,floor,LDFLAGS="$LDFLAGS -lm")
Added #undef HAVE_BF
Added new files.
All changes are within #ifdef HAVE_BF and closely mirror the SSL additions. The exception is that the key is initialised within handle_connection, as memory is allocated there and it is therefore easier to clean up.
Original freeware blowfish code by Bruce Schneier.
A set of functions to make initialising and encrypting streams of data easier, as the blowfish code only encrypts 8 bytes at a time.
These functions, when encrypting data, pad it out to a multiple of 8 bytes.
Functions for socket use, blowfish equivalent of sendall, recvall etc.
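The stream helpers described above, as an added example that is not part of the patch: framing a byte stream into 8-byte blocks for a 64-bit block cipher. Blowfish itself is not included; xor_block is only a stand-in for the per-block encrypt/decrypt call, and PKCS#5-style padding is my choice, since the patch text only says the data is padded to a multiple of 8.

```c
/* Added example, not from the nrpe Blowfish patch: framing a byte stream
 * into 8-byte blocks.  Blowfish is NOT included; xor_block only stands in
 * for the real per-block BF_encrypt/BF_decrypt so the framing can be tested. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define BLOCK 8
typedef void (*block_fn)(uint8_t blk[BLOCK], const uint8_t *key, size_t keylen);

/* Stand-in block transform (NOT a cipher): XOR with the key, an involution. */
void xor_block(uint8_t blk[BLOCK], const uint8_t *key, size_t keylen)
{
    for (size_t i = 0; i < BLOCK; i++) blk[i] ^= key[i % keylen];
}

/* PKCS#5-style padding (my choice): appends 1..8 bytes each holding the pad
 * length, so a plaintext already a multiple of 8 gets a whole extra block and
 * unpadding is never ambiguous.  out must have room for len + BLOCK bytes. */
size_t pad8(const uint8_t *in, size_t len, uint8_t *out)
{
    size_t padlen = BLOCK - (len % BLOCK);
    memcpy(out, in, len);
    memset(out + len, (int)padlen, padlen);
    return len + padlen;
}

/* Validate and strip padding; returns payload length, or -1 if malformed. */
long unpad8(const uint8_t *buf, size_t len)
{
    if (len == 0 || len % BLOCK != 0) return -1;
    uint8_t p = buf[len - 1];
    if (p < 1 || p > BLOCK) return -1;
    for (size_t i = len - p; i < len; i++) if (buf[i] != p) return -1;
    return (long)(len - p);
}

/* Run fn over every 8-byte block in place; len must be a multiple of BLOCK. */
void apply_blocks(uint8_t *buf, size_t len, block_fn fn, const uint8_t *key, size_t keylen)
{
    for (size_t off = 0; off + BLOCK <= len; off += BLOCK) fn(buf + off, key, keylen);
}

/* Self-check: pad a constructed len-byte message, transform twice (xor is an
 * involution), unpad and compare.  Returns the padded length, or -1 on mismatch. */
long roundtrip(size_t len)
{
    static const uint8_t key[4] = {0x01, 0x23, 0x45, 0x67}; /* constructed key */
    uint8_t msg[64], buf[64 + BLOCK];
    if (len > sizeof msg) return -1;
    for (size_t i = 0; i < len; i++) msg[i] = (uint8_t)(i * 7 + 3);
    size_t n = pad8(msg, len, buf);
    apply_blocks(buf, n, xor_block, key, sizeof key);
    apply_blocks(buf, n, xor_block, key, sizeof key);
    long out = unpad8(buf, n);
    return (out == (long)len && memcmp(buf, msg, len) == 0) ? (long)n : -1;
}
```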
The patch has been tested with these systems running in the following configurations:
From inetd
As daemon
With Blowfish
With SSL
Without encryption
On:
Linux 2.4.18, I386
Solaris 2.7 sparc (with purify)
Purify Output (nrpe):
**** Purify instrumented ./nrpe (pid 17853, forked from pid 17850) ****
Purify: Searching for all memory leaks...
Memory leaked: 0 bytes (0%); potentially leaked: 0 bytes (0%)
Purify Heap Analysis (combining suppressed and unsuppressed blocks)
                     Blocks    Bytes
Leaked                    0        0
Potentially Leaked        0        0
In-Use                   97    19146
----------------------------------------
Total Allocated          97    19146
**** Purify instrumented ./nrpe (pid 17853, forked from pid 17850) ****
* Program exited with status code 0.
* 0 access errors, 0 total occurrences.
* 0 bytes leaked.
* 0 bytes potentially leaked.
Purify Output (check_nrpe):
**** Purify instrumented ./check_nrpe (pid 17694) ****
Purify: Searching for all memory leaks...
Memory leaked: 0 bytes (0%); potentially leaked: 0 bytes (0%)
Purify Heap Analysis (combining suppressed and unsuppressed blocks)
                     Blocks    Bytes
Leaked                    0        0
Potentially Leaked        0        0
In-Use                   84     2093
----------------------------------------
Total Allocated          84     2093
**** Purify instrumented ./check_nrpe (pid 17694) ****
* Program exited with status code 0.
* 0 access errors, 0 total occurrences.
* 0 bytes leaked.
* 0 bytes potentially leaked.