Home Directory Plugins Security check_heartbleed

Search Exchange

Search All Sites

Nagios Live Webinars

Let our experts show you how Nagios can help your organization.

Contact Us

Phone: 1-888-NAGIOS-1
Email: sales@nagios.com

Login

Remember Me

Directory Tree

check_heartbleed

Rating
10 votes
Favoured:
0
Current Version
0.6
Last Release Date
2014-04-18
Compatible With
  • Nagios 2.x
  • Nagios 3.x
  • Nagios 4.x
  • Nagios XI
Hits
36337
Nagios CSP

Meet The New Nagios Core Services Platform

Built on over 25 years of monitoring experience, the Nagios Core Services Platform provides insightful monitoring dashboards, time-saving monitoring wizards, and unmatched ease of use. Use it for free indefinitely.

Monitoring Made Magically Better

  • Nagios Core on Overdrive
  • Powerful Monitoring Dashboards
  • Time-Saving Configuration Wizards
  • Open Source Powered Monitoring On Steroids
  • And So Much More!
check_heartbleed allows you to check for the Heartbleed Vulnerability (CVE-2014-0160) of openssl on various systems.
Version - 0.6 : Added TLSv1.0 and SSLv3.0 support
If no version is specified, checks all versions.
Altered output somewhat.
Added optional verbose output

Version - 0.5 : Added socket timeout option with default to 10 seconds
Changed no data received to unknown, was returning OK.

Version - 0.4 : Try: Except: on all socket interactions.
Spelling mistake.

Version - 0.3 : Properly catches socket connection error.
Reworking of internal logic
Alterations of some unknown messages

Version - 0.2 : Now works with Python 2.4+
# /usr/local/nagios/libexec/check_heartbleed.py -h
usage: check_heartbleed.py server [options]

Test for SSL heartbeat vulnerability (CVE-2014-0160)

options:
-h, --help show this help message and exit
-H HOST, --host=HOST Host to connect to (default: 127.0.0.1)
-p PORT, --port=PORT TCP port to test (default: 443)
-v VERSION, --version=VERSION
TLS or SSL version to test [TLSv1.0(0), TLSv1.1(1),
TLSv1.2(2), or SSLv3.0(3)] (default: all)
-u, --udp Use TCP or UDP protocols, no arguments needed. This
does not work presently, keep to TCP. (default: TCP)
-t TIMEOUT, --timeout=TIMEOUT
Plugin timeout length (default: 10)
-V, --verbose Print verbose output, including hexdumps of packets.


Example Usage:

# ./check_heartbleed.py -H yahoo.com -p 443 -v 1
OK: yahoo.com TLSv1.0 is not vulnerable
# echo $?
0
# ./check_heartbleed.py -H vulnerable.site.com -p 443 -v 1
CRITICAL: vulnerable.site.com TLSv1.0 is vulnerable
# echo $?
2
# ./check_heartbleed.py -H vulnerable.site.com
CRITICAL: Server vulnerable.site.com TLSv1.0 is vulnerable. TLSv1.1 is vulnerable. TLSv1.2 is vulnerable. SSLv3.0 is vulnerable.

Example Command:

define command {
command_name check_heartbleed
command_line $USER1$/check_heartbleed.py -H $HOSTADDRESS$ -p 443 -v 1
}
Reviews (8)
Hey,

The plugin works great for some hosts, but is failing for a fairly large number, not sure if this is an issue at my side but I don't think so -

[root@host scripts]# ./check_heartbleed.py -H www.google.com -p 443
OK: Server www.google.com TLSv1.0 is not vulnerable. TLSv1.1 is not vulnerable. TLSv1.2 is not vulnerable. SSLv3.0 is not vulnerable.

[root@host scripts]# ./check_heartbleed.py -H www.test.com -p 443
UNKNOWN: Server www.test.com closed connection without sending Server Hello.



Any thoughts?
In Fortigate devices with FortiOS affected by Heartbleed (FGxxx-5.00-FW-build208-130603), plugin returns OK instead CRITICAL.

When we check this devices with NMAP and ssl-heartbleed.nse script, the result is VULNERABLE.
by, April 14, 2014
0 of 1 people found this review helpful
As of 14/4/14 (v0.3), All known issues with python 2.4+ should be resolved. There has been a -H flag per standard nagios plugins, and additional error handling. Please try it again and let us know if issues persist.
hi,

i've tried to use it on: rhel 5.x (
Package python-2.4.3-56.el5.x86_64 already installed)
but i get the following error msg:

---------------------------------------
:~>./check_hearbleed.py
---------------------------------------
File "./check_hearbleed.py", line 62
pdat = ' '.join((c if 32
Below is the steps I followed:
1. downloaded “Check_heartbleed.txt” to “check_heartbleed.py”
2. moved to “/usr/local/nagios/libexec/”
3. chmod –R 777 check_heartbleed.py

I am getting below error if I execute the script.. any clue on this?

[root@localhost libexec]# ./check_heartbleed.py 10.1.71.49 -p 443
Traceback (most recent call last):
File "./check_heartbleed.py", line 151, in
main()
File "./check_heartbleed.py", line 132, in main
s.connect((args[0], opts.port))
File "", line 1, in connect
socket.error: [Errno 111] Connection refused
byedgood1, April 11, 2014
Im getting a syntax error:

File "./check_heartbleed.py", line 62
pdat = '.join((c if 32

python version:
Python 2.4.3 (#1, Oct 23 2012, 22:02:41)
[GCC 4.1.2 20080704 (Red Hat 4.1.2-54)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
File "./check_heartbleed.py", line 62
pdat = '.join((c if 32
bynkrishna, April 10, 2014
0 of 1 people found this review helpful
Hi,

I'm getting the following syntax error while executing the plugin.
/usr/local/nagios/libexec/check_heartbleed.py localhost -p 443 -v 1
File "/usr/local/nagios/libexec/check_heartbleed.py", line 62
pdat = ''.join((c if 32