check_heartbleed
Version - 0.6 : Added TLSv1.0 and SSLv3.0 support
    If no version is specified, checks all versions.
    Altered output somewhat.
    Added optional verbose output
Version - 0.5 : Added socket timeout option with default to 10 seconds
    Changed no data received to unknown, was returning OK.
Version - 0.4 : Try: Except: on all socket interactions.
    Spelling mistake.
Version - 0.3 : Properly catches socket connection error.
    Reworking of internal logic
    Alterations of some unknown messages
Version - 0.2 : Now works with Python 2.4+
# /usr/local/nagios/libexec/check_heartbleed.py -h
usage: check_heartbleed.py server [options]

Test for SSL heartbeat vulnerability (CVE-2014-0160)

options:
  -h, --help            show this help message and exit
  -H HOST, --host=HOST  Host to connect to (default: 127.0.0.1)
  -p PORT, --port=PORT  TCP port to test (default: 443)
  -v VERSION, --version=VERSION
                        TLS or SSL version to test [TLSv1.0(0), TLSv1.1(1),
                        TLSv1.2(2), or SSLv3.0(3)] (default: all)
  -u, --udp             Use TCP or UDP protocols, no arguments needed. This
                        does not work presently, keep to TCP. (default: TCP)
  -t TIMEOUT, --timeout=TIMEOUT
                        Plugin timeout length (default: 10)
  -V, --verbose         Print verbose output, including hexdumps of packets.
Example Usage:
# ./check_heartbleed.py -H yahoo.com -p 443 -v 1
OK: yahoo.com TLSv1.0 is not vulnerable
# echo $?
0
# ./check_heartbleed.py -H vulnerable.site.com -p 443 -v 1
CRITICAL: vulnerable.site.com TLSv1.0 is vulnerable
# echo $?
2
# ./check_heartbleed.py -H vulnerable.site.com
CRITICAL: Server vulnerable.site.com TLSv1.0 is vulnerable. TLSv1.1 is vulnerable. TLSv1.2 is vulnerable. SSLv3.0 is vulnerable.
Example Command:
define command {
    command_name    check_heartbleed
    command_line    $USER1$/check_heartbleed.py -H $HOSTADDRESS$ -p 443 -v 1
}
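Added example (not part of the plugin or of the original page): when no -v is given, a single status line carries the verdict for every protocol version, and an UNKNOWN result means no verdict was reached at all. The Python 3 sketch below splits such lines into per-protocol results and groups hosts for follow-up. The function names are hypothetical, and the line format is assumed from the sample output shown on this page.

```python
import re

# Nagios plugin exit codes; the page's examples show 0 (OK) and 2 (CRITICAL).
EXIT_CODES = {"OK": 0, "WARNING": 1, "CRITICAL": 2, "UNKNOWN": 3}
STATUS_RE = re.compile(r"^(OK|WARNING|CRITICAL|UNKNOWN):\s*(.*)$")
# Per-protocol verdicts in the wording of the page's sample output.
VERDICT_RE = re.compile(r"(TLSv1\.[0-2]|SSLv3\.0) is (not vulnerable|vulnerable)")

# Status lines copied from the usage examples and the first review on this page.
SAMPLE_LINES = [
    "OK: yahoo.com TLSv1.0 is not vulnerable",
    "CRITICAL: Server vulnerable.site.com TLSv1.0 is vulnerable. "
    "TLSv1.1 is vulnerable. TLSv1.2 is vulnerable. SSLv3.0 is vulnerable.",
    "UNKNOWN: Server www.test.com closed connection without sending Server Hello.",
]


def parse_status_line(line):
    """Split one status line into state, exit code, host and per-protocol verdicts."""
    m = STATUS_RE.match(line.strip())
    if not m:
        return {"state": "UNKNOWN", "exit_code": 3, "host": None,
                "verdicts": {}, "detail": line.strip()}
    state, rest = m.groups()
    # All-version runs prefix the host with "Server"; single-version runs do not.
    if rest.startswith("Server "):
        rest = rest[len("Server "):]
    host, _, detail = rest.partition(" ")
    verdicts = {p: v == "vulnerable" for p, v in VERDICT_RE.findall(detail)}
    return {"state": state, "exit_code": EXIT_CODES[state], "host": host,
            "verdicts": verdicts, "detail": detail}


def triage(lines):
    """Group hosts into vulnerable, clean and untested (no verdict reached)."""
    report = {"vulnerable": {}, "clean": [], "untested": {}}
    for r in map(parse_status_line, lines):
        bad = sorted(p for p, v in r["verdicts"].items() if v)
        if bad:
            report["vulnerable"][r["host"]] = bad
        elif r["state"] == "OK" and r["verdicts"]:
            report["clean"].append(r["host"])
        else:
            # UNKNOWN or unparsable: the host has not been shown to be safe.
            report["untested"][r["host"]] = r["detail"]
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LINES))
```

Hosts that land in "untested" need another check rather than being counted as passing.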
Reviews (8)
by CWSI, January 7, 2016
Hey,
The plugin works great for some hosts, but is failing for a fairly large number, not sure if this is an issue at my side but I don't think so -
[root@host scripts]# ./check_heartbleed.py -H www.google.com -p 443
OK: Server www.google.com TLSv1.0 is not vulnerable. TLSv1.1 is not vulnerable. TLSv1.2 is not vulnerable. SSLv3.0 is not vulnerable.
[root@host scripts]# ./check_heartbleed.py -H www.test.com -p 443
UNKNOWN: Server www.test.com closed connection without sending Server Hello.
Any thoughts?
by fundacionrts, April 15, 2014
In Fortigate devices with FortiOS affected by Heartbleed (FGxxx-5.00-FW-build208-130603), plugin returns OK instead of CRITICAL.
When we check these devices with NMAP and ssl-heartbleed.nse script, the result is VULNERABLE.
As of 14/4/14 (v0.3), all known issues with Python 2.4+ should be resolved. There has been a -H flag per standard Nagios plugins, and additional error handling. Please try it again and let us know if issues persist.
by emusic, April 13, 2014
Hi,
I've tried to use it on: RHEL 5.x (
Package python-2.4.3-56.el5.x86_64 already installed)
but I get the following error msg:
---------------------------------------
:~>./check_hearbleed.py
---------------------------------------
File "./check_hearbleed.py", line 62
pdat = ' '.join((c if 32
by knatesan1, April 11, 2014
Below are the steps I followed:
1. downloaded “Check_heartbleed.txt” to “check_heartbleed.py”
2. moved to “/usr/local/nagios/libexec/”
3. chmod -R 777 check_heartbleed.py
I am getting the below error if I execute the script. Any clue on this?
[root@localhost libexec]# ./check_heartbleed.py 10.1.71.49 -p 443
Traceback (most recent call last):
  File "./check_heartbleed.py", line 151, in <module>
    main()
  File "./check_heartbleed.py", line 132, in main
    s.connect((args[0], opts.port))
  File "<string>", line 1, in connect
socket.error: [Errno 111] Connection refused
by edgood1, April 11, 2014
I'm getting a syntax error:
File "./check_heartbleed.py", line 62
pdat = '.join((c if 32
python version:
Python 2.4.3 (#1, Oct 23 2012, 22:02:41)
[GCC 4.1.2 20080704 (Red Hat 4.1.2-54)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
by MarkJenks, April 11, 2014
File "./check_heartbleed.py", line 62
pdat = '.join((c if 32
Hi,
I'm getting the following syntax error while executing the plugin.
/usr/local/nagios/libexec/check_heartbleed.py localhost -p 443 -v 1
File "/usr/local/nagios/libexec/check_heartbleed.py", line 62
pdat = ''.join((c if 32