OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: Oxygen61 on January 19, 2017, 01:46:53 pm

Title: [SOLVED] NRPE 2.15 - Socket Timeout After 10 Seconds
Post by: Oxygen61 on January 19, 2017, 01:46:53 pm
Hey guys,

I have been troubleshooting for 2 days now and I can't see the light at the end of the tunnel. :(

What I am trying to accomplish is to let my Nagios Server talk to my OPNsense over TCP 5666 and let the Firewall talk back and give some feedback about "average load", "root folder", tcp check and some other services like ntp, ssh and icmp.

What I did was the following:
- install nrpe out of the repository.
- cp /usr/local/etc/nrpe.cfg-sample /usr/local/etc/nrpe.cfg
- changed allowed hosts inside of nrpe.cfg and put in the ip of my Nagios Server + 127.0.0.1.
- created a firewall rule (floating Rule - first match) accepting incoming traffic on port 5666
(To make sure that rules are not the problem, I kinda changed the rule to "PERMIT ANY ANY port 5666" over time)
- enable NRPE by doing: ee /etc/rc.conf --> nrpe2_enable="YES"
(Btw... is it normal that the file was not there from the beginning?)
- chown -R nagios:nagios /usr/local/libexec/nagios/
- insert into /etc/services --> nrpe     5666/tcp  # NRPE
- inside /etc/hosts.allow I put in two rules (because I wasn't sure about the syntax)
nrpe : xxx.xxx.xxx.xxx/255.255.255.0 : allow
and
nrpe : xxx.xxx.xxx.xxx/24 : allow
- sudo /usr/local/etc/rc.d/nrpe2 start
- ps 40630
output:
  PID  TT  STAT     TIME COMMAND
40630  -   Is    0:00.00 /usr/local/sbin/nrpe2 -c /usr/local/etc/nrpe.cfg -d

Things I did to troubleshoot my problem:
- From Nagios: telnet <remote_ip> 5666 ---> worked
- From Nagios: nmap <remote_ip> ---> was able to see open Port 5666
- tried doing the "-t 20" trick which did not change anything.
- From OPNsense: /usr/local/libexec/nagios/check_nrpe2 -H localhost ---> "NRPE 2.15" as response
- ps -aef | grep nrpe --> gives me no response
- ps ax | grep nrpe --> gives me:
40630  -  Is     0:00.00 /usr/local/sbin/nrpe2 -c /usr/local/etc/nrpe.cfg -d
44893  0  S+     0:00.00 grep nrpe
- From Nagios: using a check command while watching the traffic with Tcpdump.
Nagios sends 4 packets but is not getting any answers back from OPNsense.
- I watched the Firewall Log while Nagios was sending the packets but there were no entries made in the meantime.

My Problem:
- Socket Timeout After 10 Seconds


Nagios is able to check_<anything> from other remote Hosts already. The other clients are all using 2.13 instead of 2.15, which OPNsense is using. The issue must be something regarding the OPNsense version 2.15 which I can't find...

Did anyone ever have any trouble installing NRPE into OPNsense and can tell me what I may have forgotten to configure?

Best regards and thank you very much in advance :)
Oxy
Title: Re: NRPE 2.15 - Socket Timeout After 10 Seconds
Post by: Oxygen61 on January 26, 2017, 11:48:59 pm
-Push-

No one uses Nagios to monitor their OPNsense Firewall?
Meh.. :(
Title: Re: NRPE 2.15 - Socket Timeout After 10 Seconds
Post by: franco on January 26, 2017, 11:49:59 pm
Not me, no. But is this on 16.7 or 17.1?
Title: Re: NRPE 2.15 - Socket Timeout After 10 Seconds
Post by: Oxygen61 on January 27, 2017, 12:45:36 am
Hey hey,

Last time I tried (1-20-17) OPNsense was on 16.7.
I had no chance to upgrade to the newest version in the last few days.
As soon as I upgrade to 17.1, which will be on Monday (1-30-17), I will come back with some more feedback :)
Still, thanks for the answer :)

Best regards,
Oxy
Title: Re: NRPE 2.15 - Socket Timeout After 10 Seconds
Post by: Oxygen61 on January 30, 2017, 01:20:11 pm
I got something to work. After talking to @DokuKäfer and losing my mind a few times (sorry for that :P)
I was able to successfully check from my Nagios Server by using the "-n" option.
(-n means not to use encryption for the communication)
For example:
./check_nrpe -H <OPNsense-IP> -c check_load -a 1 2 3 10 20 30 ---> didn't work
./check_nrpe -n -H <OPNsense-IP> -c check_load -a 1 2 3 10 20 30 ---> worked

How do I activate SSL in OPNsense in order to let my NRPE Daemon talk back to Nagios using SSL encryption? :-/
I googled and found a book which says I could use "make WITH_SSL=yes" in the port directory to activate it but "ports/net-mgmt/nrpe2" does not exist. :(

EDIT: Since I installed nrpe by using the OPNsense repository it is really hard to use common well documented troubleshooting ideas. :/
Title: Re: NRPE 2.15 - Socket Timeout After 10 Seconds
Post by: franco on January 30, 2017, 09:44:46 pm
It's net-mgmt/nrpe, but are you using LibreSSL by any chance?

Or is the problem that we don't support the SSL option? We can change that. :)


Cheers,
Franco
Title: Re: NRPE 2.15 - Socket Timeout After 10 Seconds
Post by: franco on January 30, 2017, 10:59:38 pm
So this is weird... FreeBSD has a "nrpe-ssl" package that switches on the SSL support. But since we only support non-conflicting packages and we can't have both nrpe and nrpe-ssl (they install the same files), we're adding SSL support to our nrpe package:

https://github.com/opnsense/tools/commit/74e8f8637f2

It will automatically install on the next firmware upgrade with 17.1.1.

If you need the package earlier let me know and I can build a snapshot (but need arch/flavour combination, e.g. amd64/LibreSSL).


Cheers,
Franco
Title: Re: NRPE 2.15 - Socket Timeout After 10 Seconds
Post by: Oxygen61 on January 30, 2017, 11:00:33 pm
Hey franco,

I am using OpenSSL by now.  :-[

Quote
Or is the problem that we don't support the SSL option?

As far as I know after troubleshooting for a few days this seems to be the problem.
I couldn't find any way to use the "--enable-ssl" option while installing nrpe using "pkg install nrpe".
Since my configuration seems to work as soon as Nagios uses the "-n" option to check via unencrypted communication I came to the conclusion that the SSL option is not part of the nrpe repository installation.  :-[

Quote
It will automatically install on the next firmware upgrade with 17.1.1.

If you need the package earlier let me know and I can build a snapshot (but need arch/flavour combination, e.g. amd64/LibreSSL).

Perfect! No need to stress yourself even more. It's all good... I will wait for the update. :)
Title: Re: NRPE 2.15 - Socket Timeout After 10 Seconds
Post by: franco on January 30, 2017, 11:05:27 pm
This is recreational ;)

Working package for 16.7+amd64+OpenSSL:

# pkg add -f https://pkg.opnsense.org/snapshots/nrpe-2.15_6.txz


Cheers,
Franco
Title: Re: NRPE 2.15 - Socket Timeout After 10 Seconds
Post by: Oxygen61 on January 30, 2017, 11:11:02 pm
Thank you so much! ;D I will try that one out tomorrow and tell you if it worked. :)
Title: Re: NRPE 2.15 - Socket Timeout After 10 Seconds
Post by: Oxygen61 on January 31, 2017, 08:16:00 am
Hey hey,

Good news! It runs like butter! :)
After installing the package I checked whether anything changed or not but then nearly forgot to restart the daemon.
After restarting: sudo /usr/sbin/service nrpe2 restart
I looked into the nrpe2 service (/usr/sbin/nrpe2) and it is now saying:
Quote
NRPE - Nagios Remote Plugin Executor
Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org)
Version: 2.15
Last Modified: 09-06-2013
License: GPL v2 with exemptions (-l for more info)
SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
TCP Wrappers Available

I checked if Nagios can now use "check_load" and "check_users" WITH encryption and i finally successfully got a response.

Awesome! Thank you very much @franco and @DokuKäfer for helping me out here. :)

Cheers,
Oxy
Title: Re: [SOLVED] NRPE 2.15 - Socket Timeout After 10 Seconds
Post by: franco on January 31, 2017, 08:36:29 am
Hi Oxy,

Props to you for figuring it out! Happy about it as it makes a nice addition to our packages. :)


Cheers,
Franco
Title: Re: [SOLVED] NRPE 2.15 - Socket Timeout After 10 Seconds
Post by: DokuKäfer on January 31, 2017, 08:44:36 am
Hi Oxy,

good to hear  ;D

Best regards
DokuKäfer
Title: Re: NRPE 2.15 - Socket Timeout After 10 Seconds
Post by: Oxygen61 on February 01, 2017, 12:33:44 pm
Hey franco,

After upgrading to 17.1 the encrypted version of nrpe is gone.
I used the command # /usr/local/sbin/nrpe2
but the line: SSL/TLS Available: Anonymous DH Mode, OpenSSL 0.9.6 or higher required
is not there any longer. :-/ Could you implement that again please? :)

Cheers,
Oxy
Title: Re: NRPE 2.15 - Socket Timeout After 10 Seconds
Post by: franco on February 01, 2017, 07:19:25 pm
That was expected. The old package posted should still work, even though the ABI is wrong. You have to install it again. The correct one will be installed with 17.1.1 when it's out.


Cheers,
Franco
Title: Re: NRPE 2.15 - Socket Timeout After 10 Seconds
Post by: Oxygen61 on February 01, 2017, 07:45:04 pm
Hey hey,

aaahhh that's why. Thanks for clarifying it :)

Cheers,
Oxy
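
Added example (not part of the original posts, and not OPNsense or NRPE project code): the thread tells an SSL-enabled NRPE build from a plain one by the "SSL/TLS Available" line in the daemon's banner, and that line disappeared again after the 17.1 upgrade. This sh script classifies a captured banner and reads allowed_hosts and dont_blame_nrpe from nrpe.cfg; the function names and the sample banner and config are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: audit an NRPE build and its nrpe.cfg.
# The sample banner and config at the bottom are constructed for illustration.

# Classify the banner the daemon prints (read on stdin):
#   ssl-adh  SSL/TLS compiled in, anonymous DH: encrypted, peer not authenticated
#   ssl      SSL/TLS compiled in, some other mode
#   plain    no SSL/TLS line: encrypted checks time out, only "check_nrpe -n" works
nrpe_transport() {
    case "$(cat)" in
        *"SSL/TLS Available"*"Anonymous DH"*) echo ssl-adh ;;
        *"SSL/TLS Available"*)                echo ssl ;;
        *)                                    echo plain ;;
    esac
}

# Print the last uncommented "KEY=value" setting for KEY ($1) in config file $2.
nrpe_cfg_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# nrpe_audit BANNER_FILE CFG_FILE: print findings; return 1 if any FAIL is raised.
nrpe_audit() {
    rc=0
    transport=$(nrpe_transport < "$1")
    hosts=$(nrpe_cfg_value allowed_hosts "$2")
    args=$(nrpe_cfg_value dont_blame_nrpe "$2")
    echo "transport=$transport allowed_hosts=${hosts:-unset} dont_blame_nrpe=${args:-0}"
    if [ "$transport" = plain ]; then
        echo "FAIL: no SSL/TLS in this build; checks and results cross the wire in clear"; rc=1
    fi
    if [ -z "$hosts" ]; then
        echo "FAIL: allowed_hosts is not set; set it to the Nagios server address"; rc=1
    fi
    if [ "${args:-0}" = 1 ]; then
        echo "WARN: dont_blame_nrpe=1 permits client-supplied command arguments (-a)"
    fi
    return $rc
}

# Constructed sample: a banner without the SSL/TLS line, as seen after the upgrade.
tmp=$(mktemp -d)
printf 'Version: 2.15\nTCP Wrappers Available\n' > "$tmp/banner"
printf '# sample\nallowed_hosts=127.0.0.1,192.0.2.10\ndont_blame_nrpe=1\n' > "$tmp/cfg"
nrpe_audit "$tmp/banner" "$tmp/cfg" || echo "audit failed as expected for a plain build"
rm -rf "$tmp"
```

On the firewall, capture the banner by running /usr/local/sbin/nrpe2 without arguments, as in the posts above, and pass that file together with /usr/local/etc/nrpe.cfg to nrpe_audit after each package or firmware change.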