<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Enhanced CGI Security and Authentication</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.75.1">
<meta name="keywords" content="Supervision, Icinga, Nagios, Linux">
<link rel="home" href="index.html" title="Icinga Version 1.0.2 Documentation">
<link rel="up" href="ch07.html" title="Chapter 7. Security and Performance Tuning">
<link rel="prev" href="security.html" title="Security Considerations">
<link rel="next" href="tuning.html" title="Tuning Icinga For Maximum Performance">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<CENTER><IMG src="../images/logofullsize.png" border="0" alt="Icinga" title="Icinga"></CENTER>
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Enhanced CGI Security and
  Authentication</th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="security.html">Prev</a> </td>
<th width="60%" align="center">Chapter 7. Security and Performance Tuning</th>
<td width="20%" align="right"> <a accesskey="n" href="tuning.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="section" title="Enhanced CGI Security and Authentication">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="cgisecurity"></a><a name="cgi_security"></a>Enhanced CGI Security and
  Authentication</h2></div></div></div>
  

  <p><a name="cgisecurity.xml-intro"></a> <span class="bold"><strong>Introduction</strong></span></p>

  <p><span class="inlinemediaobject"><img src="../images/security.png"></span></p>

  <p>This is intended to be an introduction for implementation of stronger
  authentication and server security focused around the CGI web
  interface.</p>

  <p>There are many ways to enhance the security of your monitoring server
  and Icinga environment. This should not be taken as the end all
  approach to security. Instead, think of it as an introduction to some of the
  techniques you can use to tighten the security of your system. As always,
  you should do your research and use the best techniques available. Treat
  your monitoring server as it were the most important server in your network
  and you shall be rewarded.</p>

  <p><a name="cgisecurity.xml-additionaltechniques"></a> <span class="bold"><strong>Additional Techniques</strong></span></p>

  <div class="itemizedlist"><ul class="itemizedlist" type="disc">
<li class="listitem">
      <p><span class="bold"><strong>Stronger Authentication using Digest
      Authentication</strong></span> . If you have followed the <a class="link" href="quickstart.html" title="Quickstart Installation Guides">quickstart guides</a>, chances are that you are
      using Apache's <a class="link" href="http://httpd.apache.org/docs/2.2/mod/mod_auth_basic" target="_top">Basic
      Authentication</a>. Basic Authentication will send your username and
      password in "clear text" with every http request. Consider using a more
      secure method of authentication such as <a class="link" href="http://httpd.apache.org/docs/2.2/mod/mod_auth_digest" target="_top">Digest
      Authentication</a> which creates a MD5 Hash of your username and
      password to send with each request.</p>
    </li>
<li class="listitem">
      <p><span class="bold"><strong>Forcing TLS/SSL for all Web
      Communication</strong></span> . Apache provides <a class="link" href="http://en.wikipedia.org/wiki/Transport_Layer_Security" target="_top">TLS/SSL</a>
      through the <a class="link" href="http://httpd.apache.org/docs/2.2/mod/mod_ssl" target="_top">mod_ssl</a>
      module. TLS/SSL provides a secure tunnel between the client and server
      that prevents eavesdropping and tampering using strong
      publickey/privatekey cryptography.</p>
    </li>
<li class="listitem">
      <p><span class="bold"><strong>Locking Down Apache Using Access
      Controls</strong></span> . Consider locking down access to the Icinga
      box to your IP address, IP address range, or IP subnet. If you require
      access outside your network you could use VPN or SSH Tunnels. This is a
      easy and strong to limit access to HTTP/HTTPS on your system.</p>
    </li>
</ul></div>

  <p><a name="cgisecurity.xml-implementation-digest"></a> <span class="bold"><strong>Implementing Digest Authentication</strong></span></p>

  <p>The implementation of Digest Authentication is simple. You will have
  to create the new type of password file using the <a class="link" href="http://httpd.apache.org/docs/2.2/programs/htdigest" target="_top">'htdigest'</a>
  tool, then modify the Apache configuration for Icinga (typically
  /etc/httpd/conf.d/icinga.conf).</p>

  <p>Create a new passwords file using the <a class="link" href="http://httpd.apache.org/docs/2.2/programs/htdigest" target="_top">'htdigest'</a>
  tool. The difference that you will notice if you are familiar with <a class="link" href="http://httpd.apache.org/docs/2.2/programs/htpasswd" target="_top">'htpasswd'</a>
  tools is the requirement to supply a 'realm' argument. Where 'realm' in this
  case refers to the value of the 'AuthName' directive in the Apache
  configuration.</p>

  <pre class="screen"> htdigest -c /usr/local/icinga/etc/.digest_pw "Icinga Access" icingaadmin</pre>

  <p>Next, edit the Apache configuration file for Icinga (typically
  /etc/httpd/conf.d/icinga.conf) using the following example.</p>

  <pre class="screen">## BEGIN APACHE CONFIG SNIPPET - ICINGA.CONF
ScriptAlias /icinga/cgi-bin "/usr/local/icinga/sbin"
&lt;Directory "/usr/local/icinga/sbin"&gt;
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
   AuthType Digest
   AuthName "Icinga Access"
   AuthUserFile /usr/local/icinga/etc/.digest_pw
   Require valid-user
&lt;/Directory&gt;

Alias /icinga "/usr/local/icinga/share"
&lt;Directory "/usr/local/icinga/share"&gt;
   Options None
   AllowOverride None
   Order allow,deny
   Allow from all
   AuthType Digest
   AuthName "Icinga Access"
   AuthUserFile /usr/local/icinga/etc/.digest_pw
   Require valid-user
&lt;/Directory&gt;
## END APACHE CONFIG SNIPPETS</pre>

  <p>Then, restart the Apache service so the new settings can take
  effect.</p>

  <pre class="screen"> /etc/init.d/httpd restart</pre>

  <p><a name="cgisecurity.xml-implementation-ssl"></a> <span class="bold"><strong>Implementing Forced TLS/SSL</strong></span></p>

  <p>Make sure you've installed Apache and OpenSSL. By default you should
  have <a class="link" href="http://httpd.apache.org/docs/2.2/mod/mod_ssl" target="_top">mod_ssl</a>
  support if you are still having trouble you may find help reading Apache's
  <a class="link" href="http://httpd.apache.org/docs/2.0/ssl" target="_top">TLS/SSL Encryption
  Documentation</a>.</p>

  <p>Next, verify that TLS/SSL support is working by visiting your
  Icinga Web Interface using HTTPS (https://your.domain/Icinga). If it
  is working you can continue on to the next steps that will force using HTTPS
  and block all HTTP requests for the Icinga Web Interface. If you are
  having trouble visit Apache's <a class="link" href="http://httpd.apache.org/docs/2.0/ssl" target="_top">TLS/SSL Encryption
  Documentation</a> and <a class="link" href="http://www.google.com" target="_top">Google</a> for troubleshooting your
  specific Apache installation.</p>

  <p>Next, edit the Apache configuration file for Icinga (typically
  /etc/httpd/conf.d/icinga.conf) by adding the 'SSLRequireSSL' directive to
  both the 'sbin' and 'share' directories.</p>

  <pre class="screen">## BEGIN APACHE CONFIG SNIPPET - ICINGA.CONF
ScriptAlias /icinga/cgi-bin "/usr/local/icinga/sbin"
&lt;Directory "/usr/local/icinga/sbin"&gt;
   ...
   SSLRequireSSL
   ...
&lt;/Directory&gt;

Alias /icinga "/usr/local/icinga/share"
&lt;Directory "/usr/local/icinga/share"&gt;
   ...
   SSLRequireSSL
   ...
&lt;/Directory&gt;
## END APACHE CONFIG SNIPPETS</pre>

  <p>Restart the Apache service so the new settings can take effect.</p>

  <pre class="screen"> /etc/init.d/httpd restart</pre>

  <p><a name="cgisecurity.xml-implementation-lockdown"></a> <span class="bold"><strong>Implementing IP subnet lockdown</strong></span></p>

  <p>The following example will show how to lock down Icinga CGIs to
  a specific IP address, IP address range, or IP subnet using Apache's <a class="link" href="http://httpd.apache.org/docs/2.2/howto/access" target="_top">access
  controls</a>.</p>

  <p>Edit the Apache configuration file for Icinga (typically
  /etc/httpd/conf.d/icinga.conf) by using the 'Allow', 'Deny', and 'Order'
  directives using the following as an example.</p>

  <pre class="screen">## BEGIN APACHE CONFIG SNIPPET - ICINGA.CONF
ScriptAlias /icinga/cgi-bin "/usr/local/icinga/sbin"
&lt;Directory "/usr/local/icinga/sbin"&gt;
   ...
   AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 127.0.0.1 10.0.0.25               # Allow single IP addresses
   Allow from 10.0.0.0/255.255.255.0            # Allow network/netmask pair
   Allow from 10.0.0.0/24                       # Allow network/nnn CIDR spec
   ...
&lt;/Directory&gt;

Alias /icinga "/usr/local/icinga/share"
&lt;Directory "/usr/local/icinga/share"&gt;
   ...
   AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 127.0.0.1 10.0.0.25               # Allow single IP addresses
   Allow from 10.0.0.0/255.255.255.0            # Allow network/netmask pair
   Allow from 10.0.0.0/24                       # Allow network/nnn CIDR spec
   ...
&lt;/Directory&gt;
## END APACHE CONFIG SNIPPET</pre>

  <p><a name="cgisecurity.xml-importantnotes"></a> <span class="bold"><strong>Important Notes</strong></span></p>

  <div class="itemizedlist"><ul class="itemizedlist" type="disc">
<li class="listitem">
      <p><span class="bold"><strong>Digest Authentication sends data in the
      clear but not your username and password</strong></span> .</p>
    </li>
<li class="listitem">
      <p><span class="bold"><strong>Digest Authentication is not as universally
      supported as Basic Authentication</strong></span> .</p>
    </li>
<li class="listitem">
      <p><span class="bold"><strong>TLS/SSL has potential for "man-in-the-middle
      attacks"</strong></span> . MITM attacks are vulnerable if an attacker is able
      to insert itself between the server and client such as in a Phishing
      attack, ISP monitoring, or corporate LAN firewall certificate resigning.
      So read up on certificate verification!</p>
    </li>
<li class="listitem">
      <p><span class="bold"><strong>Apache access controls only protect the
      HTTP/HTTPS protocols</strong></span> . Look into <a class="link" href="http://www.netfilter.org/projects/iptables/index" target="_top">IPtables</a>
      for strong system wide firewall control.</p>
    </li>
<li class="listitem">
      <p><span class="bold"><strong>Most importantly, Security is a moving
      target so stay informed and do research</strong></span> ! Perhaps by
      listening to a Podcast such as "<a class="link" href="http://www.grc.com/securitynow.htm" target="_top">Security
      Now!</a>".</p>
    </li>
</ul></div>

  <a class="indexterm" name="id2004775"></a>

  <a class="indexterm" name="id2004837"></a>

  <a class="indexterm" name="id2004851"></a>

  <a class="indexterm" name="id2004864"></a>

  <a class="indexterm" name="id2004878"></a>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="security.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="ch07.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="tuning.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">Security Considerations </td>
<td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td>
<td width="40%" align="right" valign="top"> Tuning Icinga For Maximum Performance</td>
</tr>
</table>
</div>
<P class="copyright">© 2009-2010 Icinga Development Team, http://www.icinga.org</P>
</body>
</html>