1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
|
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>8.2. Enhanced Classic UI Security and Authentication</title>
<link rel="stylesheet" href="../stylesheets/icinga-docs.css" type="text/css">
<meta name="generator" content="DocBook XSL Stylesheets V1.75.1">
<meta name="keywords" content="Supervision, Icinga, Nagios, Linux">
<link rel="home" href="index.html" title="Icinga Version 1.14 Documentation">
<link rel="up" href="ch08.html" title="Chapter 8. Security and Performance Tuning">
<link rel="prev" href="security.html" title="8.1. Security Considerations">
<link rel="next" href="tuning.html" title="8.3. Tuning Icinga For Maximum Performance">
<script src="../js/jquery-min.js" type="text/javascript"></script><script src="../js/icinga-docs.js" type="text/javascript"></script>
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<CENTER><IMG src="../images/logofullsize.png" border="0" alt="Icinga" title="Icinga"></CENTER>
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">8.2. Enhanced Classic UI Security and Authentication</th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="security.html">Prev</a> </td>
<th width="60%" align="center">Chapter 8. Security and Performance Tuning</th>
<td width="20%" align="right"> <a accesskey="n" href="tuning.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="section" title="8.2. Enhanced Classic UI Security and Authentication">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="cgisecurity"></a>8.2. <a name="cgi_security"></a>Enhanced Classic UI Security and Authentication</h2></div></div></div>
<div class="toc"><dl>
<dt><span class="section">8.2.1. <a href="cgisecurity.html#introduction_cgisecurity">Introduction</a></span></dt>
<dt><span class="section">8.2.2. <a href="cgisecurity.html#additionaltechniques">Additional Techniques</a></span></dt>
<dt><span class="section">8.2.3. <a href="cgisecurity.html#implementationdigest">Implementing Digest Authentication</a></span></dt>
<dt><span class="section">8.2.4. <a href="cgisecurity.html#implementationssl">Implementing Forced TLS/SSL</a></span></dt>
<dt><span class="section">8.2.5. <a href="cgisecurity.html#implementationlockdown">Implementing IP subnet lockdown</a></span></dt>
<dt><span class="section">8.2.6. <a href="cgisecurity.html#importantnotes">Important Notes</a></span></dt>
</dl></div>
<div class="section" title="8.2.1. Introduction">
<div class="titlepage"><div><div><h3 class="title">
<a name="introduction_cgisecurity"></a>8.2.1. <a name="cgisecurity.xml-intro"></a>Introduction</h3></div></div></div>
<p><span class="inlinemediaobject"><img src="../images/security.png"></span></p>
<p>This is intended to be an introduction for implementation of stronger authentication and server security focused around the
Classic UI web interface.</p>
<p>There are many ways to enhance the security of your monitoring server and Icinga environment. This should not be taken as
the end all approach to security. Instead, think of it as an introduction to some of the techniques you can use to tighten the security
of your system. As always, you should do your own research and use the best techniques available. Treat your monitoring server as it
were the most important server in your network and you shall be rewarded.</p>
</div>
<div class="section" title="8.2.2. Additional Techniques">
<div class="titlepage"><div><div><h3 class="title">
<a name="additionaltechniques"></a>8.2.2. Additional Techniques</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc">
<li class="listitem">
<p><span class="bold"><strong>Stronger Authentication using Digest Authentication</strong></span> . If you have followed the <a class="link" href="quickstart.html" title="2.3. Quickstart Installation Guides">quickstart guides</a>, chances are that you are using Apache's <a class="link" href="http://httpd.apache.org/docs/2.2/mod/mod_auth_basic" target="_top">Basic Authentication</a>. Basic Authentication will send your
username and password in "clear text" with every http request. Consider using a more secure method of authentication such as <a class="link" href="http://httpd.apache.org/docs/2.2/mod/mod_auth_digest" target="_top">Digest Authentication</a> which creates a MD5 Hash of your
username and password to send with each request.</p>
</li>
<li class="listitem">
<p><span class="bold"><strong>Forcing TLS/SSL for all Web Communication</strong></span> . Apache provides <a class="link" href="http://en.wikipedia.org/wiki/Transport_Layer_Security" target="_top">TLS/SSL</a> through the <a class="link" href="http://httpd.apache.org/docs/2.2/mod/mod_ssl" target="_top">mod_ssl</a> module. TLS/SSL provides a secure tunnel between the client
and server that prevents eavesdropping and tampering using strong publickey/privatekey cryptography.</p>
</li>
<li class="listitem">
<p><span class="bold"><strong>Locking Down Apache Using Access Controls</strong></span> . Consider locking down access to the Icinga
box to your IP address, IP address range, or IP subnet. If you require access outside your network you could use VPN or SSH Tunnels.
This is a easy and strong to limit access to HTTP/HTTPS on your system.</p>
</li>
</ul></div>
</div>
<div class="section" title="8.2.3. Implementing Digest Authentication">
<div class="titlepage"><div><div><h3 class="title">
<a name="implementationdigest"></a>8.2.3. Implementing Digest Authentication</h3></div></div></div>
<p>The implementation of Digest Authentication is simple. You will have to create the new type of password file using the <a class="link" href="http://httpd.apache.org/docs/2.2/programs/htdigest" target="_top">'htdigest'</a> tool, then modify the Apache configuration for Icinga
(typically /etc/httpd/conf.d/icinga.conf).</p>
<p>Create a new passwords file using the <a class="link" href="http://httpd.apache.org/docs/2.2/programs/htdigest" target="_top">'htdigest'</a>
tool. The difference that you will notice if you are familiar with <a class="link" href="http://httpd.apache.org/docs/2.2/programs/htpasswd" target="_top">'htpasswd'</a> tools is the requirement to supply a 'realm' argument.
Where 'realm' in this case refers to the value of the 'AuthName' directive in the Apache configuration.</p>
<pre class="screen"> htdigest -c /usr/local/icinga/etc/.digest_pw "Icinga Access" icingaadmin</pre>
<p>Next, edit the Apache configuration file for Icinga (typically /etc/httpd/conf.d/icinga.conf) using the following
example.</p>
<pre class="programlisting">## BEGIN APACHE CONFIG SNIPPET - ICINGA.CONF
ScriptAlias /icinga/cgi-bin "/usr/local/icinga/sbin"
<Directory "/usr/local/icinga/sbin">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthType Digest
AuthName "Icinga Access"
AuthDigestFile /usr/local/icinga/etc/.digest_pw
Require valid-user
</Directory>
Alias /icinga "/usr/local/icinga/share"
<Directory "/usr/local/icinga/share">
Options None
AllowOverride None
Order allow,deny
Allow from all
AuthType Digest
AuthName "Icinga Access"
AuthDigestFile /usr/local/icinga/etc/.digest_pw
Require valid-user
</Directory>
## END APACHE CONFIG SNIPPETS</pre>
<p>Then, restart the Apache service so the new settings can take effect.</p>
<pre class="screen"> /etc/init.d/httpd restart</pre>
</div>
<div class="section" title="8.2.4. Implementing Forced TLS/SSL">
<div class="titlepage"><div><div><h3 class="title">
<a name="implementationssl"></a>8.2.4. Implementing Forced TLS/SSL</h3></div></div></div>
<p>Make sure you've installed Apache and OpenSSL. By default you should have <a class="link" href="http://httpd.apache.org/docs/2.2/mod/mod_ssl" target="_top">mod_ssl</a> support if you are still having trouble you may find help
reading Apache's <a class="link" href="http://httpd.apache.org/docs/2.0/ssl" target="_top">TLS/SSL Encryption Documentation</a>.</p>
<p>Next, verify that TLS/SSL support is working by visiting your Icinga Web Interface using HTTPS
(https://your.domain/Icinga). If it is working you can continue on to the next steps that will force using HTTPS and block all HTTP
requests for the Icinga Web Interface. If you are having trouble visit Apache's <a class="link" href="http://httpd.apache.org/docs/2.0/ssl" target="_top">TLS/SSL Encryption Documentation</a> and <a class="link" href="http://www.google.com" target="_top">Google</a> for troubleshooting your specific Apache installation.</p>
<p>Next, edit the Apache configuration file for Icinga (typically /etc/httpd/conf.d/icinga.conf) by adding the 'SSLRequireSSL'
directive to both the 'sbin' and 'share' directories.</p>
<pre class="programlisting">## BEGIN APACHE CONFIG SNIPPET - ICINGA.CONF
ScriptAlias /icinga/cgi-bin "/usr/local/icinga/sbin"
<Directory "/usr/local/icinga/sbin">
...
SSLRequireSSL
...
</Directory>
Alias /icinga "/usr/local/icinga/share"
<Directory "/usr/local/icinga/share">
...
SSLRequireSSL
...
</Directory>
## END APACHE CONFIG SNIPPETS</pre>
<p>Restart the Apache service so the new settings can take effect.</p>
<pre class="screen"> /etc/init.d/httpd restart</pre>
</div>
<div class="section" title="8.2.5. Implementing IP subnet lockdown">
<div class="titlepage"><div><div><h3 class="title">
<a name="implementationlockdown"></a>8.2.5. Implementing IP subnet lockdown</h3></div></div></div>
<p>The following example will show how to lock down Icinga CGIs to a specific IP address, IP address range, or IP subnet using
Apache's <a class="link" href="http://httpd.apache.org/docs/2.2/howto/access" target="_top">access controls</a>.</p>
<p>Edit the Apache configuration file for Icinga (typically /etc/httpd/conf.d/icinga.conf) by using the 'Allow', 'Deny', and
'Order' directives using the following as an example.</p>
<pre class="programlisting">## BEGIN APACHE CONFIG SNIPPET - ICINGA.CONF
ScriptAlias /icinga/cgi-bin "/usr/local/icinga/sbin"
<Directory "/usr/local/icinga/sbin">
...
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.1 10.0.0.25 # Allow single IP addresses
Allow from 10.0.0.0/255.255.255.0 # Allow network/netmask pair
Allow from 10.0.0.0/24 # Allow network/nnn CIDR spec
...
</Directory>
Alias /icinga "/usr/local/icinga/share"
<Directory "/usr/local/icinga/share">
...
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.1 10.0.0.25 # Allow single IP addresses
Allow from 10.0.0.0/255.255.255.0 # Allow network/netmask pair
Allow from 10.0.0.0/24 # Allow network/nnn CIDR spec
...
</Directory>
## END APACHE CONFIG SNIPPET</pre>
</div>
<div class="section" title="8.2.6. Important Notes">
<div class="titlepage"><div><div><h3 class="title">
<a name="importantnotes"></a>8.2.6. Important Notes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" type="disc">
<li class="listitem">
<p><span class="bold"><strong>Digest Authentication sends data in the clear but not your username and password</strong></span> .</p>
</li>
<li class="listitem">
<p><span class="bold"><strong>Digest Authentication is not as universally supported as Basic Authentication</strong></span> .</p>
</li>
<li class="listitem">
<p><span class="bold"><strong>TLS/SSL has potential for "man-in-the-middle attacks"</strong></span> . MITM attacks are vulnerable if an
attacker is able to insert itself between the server and client such as in a Phishing attack, ISP monitoring, or corporate LAN
firewall certificate resigning. So read up on certificate verification!</p>
</li>
<li class="listitem">
<p><span class="bold"><strong>Apache access controls only protect the HTTP/HTTPS protocols</strong></span> . Look into <a class="link" href="http://www.netfilter.org/projects/iptables/index" target="_top">IPtables</a> for strong system wide firewall control.</p>
</li>
<li class="listitem">
<p><span class="bold"><strong>Most importantly, Security is a moving target so stay informed and do research</strong></span> ! Perhaps by
listening to a Podcast such as "<a class="link" href="http://www.grc.com/securitynow.htm" target="_top">Security Now!</a>".</p>
</li>
</ul></div>
<a class="indexterm" name="idm140381623198944"></a>
<a class="indexterm" name="idm140381623197152"></a>
<a class="indexterm" name="idm140381623195600"></a>
<a class="indexterm" name="idm140381623193840"></a>
<a class="indexterm" name="idm140381623192352"></a>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="security.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="ch08.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="tuning.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">8.1. Security Considerations </td>
<td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td>
<td width="40%" align="right" valign="top"> 8.3. Tuning Icinga For Maximum Performance</td>
</tr>
</table>
</div>
<P class="copyright">© 1999-2009 Ethan Galstad, 2009-2017 Icinga Development Team, https://www.icinga.com</P>
</body>
</html>
|
