NRPEServer

`NRPEServer` — NRPEServer¶

A server that listens for incoming NRPE connection and processes incoming requests.

Commands (Overview):

TODO: Add a list of all external commands (this is not check commands)

Configuration (Overview):

Common Keys:

Path / Section	Key	Description
`/settings/default`	`allowed hosts`	ALLOWED HOSTS
`/settings/default`	`bind to`	BIND TO ADDRESS
`/settings/default`	`cache allowed hosts`	CACHE ALLOWED HOSTS
`/settings/default`	`inbox`	INBOX
`/settings/default`	`password`	PASSWORD
`/settings/default`	`timeout`	TIMEOUT
`/settings/NRPE/server`	`allow arguments`	COMMAND ARGUMENT PROCESSING
`/settings/NRPE/server`	`allow nasty characters`	COMMAND ALLOW NASTY META CHARS
`/settings/NRPE/server`	`extended response`	EXTENDED RESPONSE
`/settings/NRPE/server`	`insecure`	ALLOW INSECURE CHIPHERS and ENCRYPTION
`/settings/NRPE/server`	`port`	PORT NUMBER
`/settings/NRPE/server`	`use ssl`	ENABLE SSL ENCRYPTION

Advanced keys:

Path / Section	Key	Default Value
`/settings/default`	`encoding`	NRPE PAYLOAD ENCODING
`/settings/default`	`socket queue size`	LISTEN QUEUE
`/settings/default`	`thread pool`	THREAD POOL
`/settings/NRPE/server`	`allowed ciphers`	ALLOWED CIPHERS
`/settings/NRPE/server`	`allowed hosts`	ALLOWED HOSTS
`/settings/NRPE/server`	`bind to`	BIND TO ADDRESS
`/settings/NRPE/server`	`ca`	CA
`/settings/NRPE/server`	`cache allowed hosts`	CACHE ALLOWED HOSTS
`/settings/NRPE/server`	`certificate`	SSL CERTIFICATE
`/settings/NRPE/server`	`certificate format`	CERTIFICATE FORMAT
`/settings/NRPE/server`	`certificate key`	SSL CERTIFICATE
`/settings/NRPE/server`	`dh`	DH KEY
`/settings/NRPE/server`	`encoding`	NRPE PAYLOAD ENCODING
`/settings/NRPE/server`	`payload length`	PAYLOAD LENGTH
`/settings/NRPE/server`	`performance data`	PERFORMANCE DATA
`/settings/NRPE/server`	`socket queue size`	LISTEN QUEUE
`/settings/NRPE/server`	`ssl options`	VERIFY MODE
`/settings/NRPE/server`	`thread pool`	THREAD POOL
`/settings/NRPE/server`	`timeout`	TIMEOUT
`/settings/NRPE/server`	`verify mode`	VERIFY MODE

… default¶

/settings/default (NRPEServer)¶

Key	Default Value	Description
`allowed hosts`	127.0.0.1	ALLOWED HOSTS
`bind to`		BIND TO ADDRESS
`cache allowed hosts`	1	CACHE ALLOWED HOSTS
`encoding`		NRPE PAYLOAD ENCODING
`inbox`	inbox	INBOX
`password`		PASSWORD
`socket queue size`	0	LISTEN QUEUE
`thread pool`	10	THREAD POOL
`timeout`	30	TIMEOUT

Sample:

#
#
[/settings/default]
allowed hosts=127.0.0.1
bind to=
cache allowed hosts=1
encoding=
inbox=inbox
password=
socket queue size=0
thread pool=10
timeout=30

allowed hosts (NRPEServer, /settings/default)¶

ALLOWED HOSTS

A comaseparated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.

Path: /settings/default

Key: allowed hosts

Default value: 127.0.0.1

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# ALLOWED HOSTS
allowed hosts=127.0.0.1

bind to (NRPEServer, /settings/default)¶

BIND TO ADDRESS

Allows you to bind server to a specific local address. This has to be a dotted ip address not a host name. Leaving this blank will bind to all available IP addresses.

Path: /settings/default

Key: bind to

Default value:

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# BIND TO ADDRESS
bind to=

cache allowed hosts (NRPEServer, /settings/default)¶

CACHE ALLOWED HOSTS

If host names (DNS entries) should be cached, improves speed and security somewhat but won’t allow you to have dynamic IPs for your Nagios server.

Path: /settings/default

Key: cache allowed hosts

Default value: 1

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# CACHE ALLOWED HOSTS
cache allowed hosts=1

encoding (NRPEServer, /settings/default)¶

NRPE PAYLOAD ENCODING

Advanced (means it is not commonly used)

Path: /settings/default

Key: encoding

Default value:

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# NRPE PAYLOAD ENCODING
encoding=

inbox (NRPEServer, /settings/default)¶

INBOX

The default channel to post incoming messages on

Path: /settings/default

Key: inbox

Default value: inbox

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# INBOX
inbox=inbox

password (NRPEServer, /settings/default)¶

PASSWORD

Password used to authenticate against server

Path: /settings/default

Key: password

Default value:

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# PASSWORD
password=

socket queue size (NRPEServer, /settings/default)¶

LISTEN QUEUE

Number of sockets to queue before starting to refuse new incoming connections. This can be used to tweak the amount of simultaneous sockets that the server accepts.

Advanced (means it is not commonly used)

Path: /settings/default

Key: socket queue size

Default value: 0

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# LISTEN QUEUE
socket queue size=0

thread pool (NRPEServer, /settings/default)¶

THREAD POOL

Advanced (means it is not commonly used)

Path: /settings/default

Key: thread pool

Default value: 10

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# THREAD POOL
thread pool=10

timeout (NRPEServer, /settings/default)¶

TIMEOUT

Timeout when reading packets on incoming sockets. If the data has not arrived within this time we will bail out.

Path: /settings/default

Key: timeout

Default value: 30

Used by: CheckMKServer, NRPEServer, NSCAServer, NSClientServer, WEBServer

Sample:

[/settings/default]
# TIMEOUT
timeout=30

… NRPE / server¶

/settings/NRPE/server (NRPEServer)¶

NRPE SERVER SECTION

Section for NRPE (NRPEServer.dll) (check_nrpe) protocol options.

Key Default Value Description

allow arguments 0 COMMAND ARGUMENT PROCESSING

allow nasty characters 0 COMMAND ALLOW NASTY META CHARS

allowed ciphers ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH ALLOWED CIPHERS

allowed hosts 127.0.0.1 ALLOWED HOSTS

bind to BIND TO ADDRESS

ca ${certificate-path}/ca.pem CA

cache allowed hosts 1 CACHE ALLOWED HOSTS

certificate ${certificate-path}/certificate.pem SSL CERTIFICATE

certificate format PEM CERTIFICATE FORMAT

certificate key SSL CERTIFICATE

dh ${certificate-path}/nrpe_dh_512.pem DH KEY

encoding NRPE PAYLOAD ENCODING

extended response 1 EXTENDED RESPONSE

insecure 0 ALLOW INSECURE CHIPHERS and ENCRYPTION

payload length 1024 PAYLOAD LENGTH

performance data 1 PERFORMANCE DATA

port 5666 PORT NUMBER

socket queue size 0 LISTEN QUEUE

ssl options VERIFY MODE

thread pool 10 THREAD POOL

timeout 30 TIMEOUT

use ssl 1 ENABLE SSL ENCRYPTION

verify mode none VERIFY MODE

Sample:
# NRPE SERVER SECTION
# Section for NRPE (NRPEServer.dll) (check_nrpe) protocol options.
[/settings/NRPE/server]
allow arguments=0
allow nasty characters=0
allowed ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
allowed hosts=127.0.0.1
bind to=
ca=${certificate-path}/ca.pem
cache allowed hosts=1
certificate=${certificate-path}/certificate.pem
certificate format=PEM
certificate key=
dh=${certificate-path}/nrpe_dh_512.pem
encoding=
extended response=1
insecure=0
payload length=1024
performance data=1
port=5666
socket queue size=0
ssl options=
thread pool=10
timeout=30
use ssl=1
verify mode=none
allow arguments (NRPEServer, /settings/NRPE/server)¶
COMMAND ARGUMENT PROCESSING

This option determines whether or not the we will allow clients to specify arguments to commands that are executed.

Path: /settings/NRPE/server

Key: allow arguments

Default value: 0

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# COMMAND ARGUMENT PROCESSING
allow arguments=0
allow nasty characters (NRPEServer, /settings/NRPE/server)¶
COMMAND ALLOW NASTY META CHARS

This option determines whether or not the we will allow clients to specify nasty (as in |`&><’”\[]{}) characters in arguments.

Path: /settings/NRPE/server

Key: allow nasty characters

Default value: 0

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# COMMAND ALLOW NASTY META CHARS
allow nasty characters=0
allowed ciphers (NRPEServer, /settings/NRPE/server)¶
ALLOWED CIPHERS

The chipers which are allowed to be used.

The default here will differ is used in “insecure” mode or not. check_nrpe uses a very old chipers and should preferably not be used. For details of chipers please see the OPEN ssl documentation: https://www.openssl.org/docs/apps/ciphers.html

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: allowed ciphers

Default value: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# ALLOWED CIPHERS
allowed ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
allowed hosts (NRPEServer, /settings/NRPE/server)¶
ALLOWED HOSTS

A comaseparated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: allowed hosts

Default value: 127.0.0.1

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# ALLOWED HOSTS
allowed hosts=127.0.0.1
bind to (NRPEServer, /settings/NRPE/server)¶
BIND TO ADDRESS

Allows you to bind server to a specific local address. This has to be a dotted ip address not a host name. Leaving this blank will bind to all available IP addresses. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: bind to

Default value:

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# BIND TO ADDRESS
bind to=
ca (NRPEServer, /settings/NRPE/server)¶
CA

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: ca

Default value: ${certificate-path}/ca.pem

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# CA
ca=${certificate-path}/ca.pem
cache allowed hosts (NRPEServer, /settings/NRPE/server)¶
CACHE ALLOWED HOSTS

If host names (DNS entries) should be cached, improves speed and security somewhat but won’t allow you to have dynamic IPs for your Nagios server. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: cache allowed hosts

Default value: 1

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# CACHE ALLOWED HOSTS
cache allowed hosts=1
certificate (NRPEServer, /settings/NRPE/server)¶
SSL CERTIFICATE

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: certificate

Default value: ${certificate-path}/certificate.pem

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# SSL CERTIFICATE
certificate=${certificate-path}/certificate.pem
certificate format (NRPEServer, /settings/NRPE/server)¶
CERTIFICATE FORMAT

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: certificate format

Default value: PEM

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# CERTIFICATE FORMAT
certificate format=PEM
certificate key (NRPEServer, /settings/NRPE/server)¶
SSL CERTIFICATE

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: certificate key

Default value:

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# SSL CERTIFICATE
certificate key=
dh (NRPEServer, /settings/NRPE/server)¶
DH KEY

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: dh

Default value: ${certificate-path}/nrpe_dh_512.pem

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# DH KEY
dh=${certificate-path}/nrpe_dh_512.pem
encoding (NRPEServer, /settings/NRPE/server)¶
NRPE PAYLOAD ENCODING

parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: encoding

Default value:

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# NRPE PAYLOAD ENCODING
encoding=
extended response (NRPEServer, /settings/NRPE/server)¶
EXTENDED RESPONSE

Send more then 1 return packet to allow response to go beyond payload size (requires modified client if legacy is true this defaults to false).

Path: /settings/NRPE/server

Key: extended response

Default value: 1

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# EXTENDED RESPONSE
extended response=1
insecure (NRPEServer, /settings/NRPE/server)¶
ALLOW INSECURE CHIPHERS and ENCRYPTION

Only enable this if you are using legacy check_nrpe client.

Path: /settings/NRPE/server

Key: insecure

Default value: 0

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# ALLOW INSECURE CHIPHERS and ENCRYPTION
insecure=0
payload length (NRPEServer, /settings/NRPE/server)¶
PAYLOAD LENGTH

Length of payload to/from the NRPE agent. This is a hard specific value so you have to “configure” (read recompile) your NRPE agent to use the same value for it to work.

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: payload length

Default value: 1024

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# PAYLOAD LENGTH
payload length=1024
performance data (NRPEServer, /settings/NRPE/server)¶
PERFORMANCE DATA

Send performance data back to nagios (set this to 0 to remove all performance data).

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: performance data

Default value: 1

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# PERFORMANCE DATA
performance data=1
port (NRPEServer, /settings/NRPE/server)¶
PORT NUMBER

Port to use for NRPE.

Path: /settings/NRPE/server

Key: port

Default value: 5666

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# PORT NUMBER
port=5666
socket queue size (NRPEServer, /settings/NRPE/server)¶
LISTEN QUEUE

Number of sockets to queue before starting to refuse new incoming connections. This can be used to tweak the amount of simultaneous sockets that the server accepts. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: socket queue size

Default value: 0

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# LISTEN QUEUE
socket queue size=0
ssl options (NRPEServer, /settings/NRPE/server)¶
VERIFY MODE

Comma separated list of verification flags to set on the SSL socket.

default-workarounds Various workarounds for what I understand to be broken ssl implementations

no-sslv2 Do not use the SSLv2 protocol.

no-sslv3 Do not use the SSLv3 protocol.

no-tlsv1 Do not use the TLSv1 protocol.

single-dh-use Always create a new key when using temporary/ephemeral DH parameters. This option must be used to prevent small subgroup attacks, when the DH parameters were not generated using “strong” primes (e.g. when using DSA-parameters).

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: ssl options

Default value:

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# VERIFY MODE
ssl options=
thread pool (NRPEServer, /settings/NRPE/server)¶
THREAD POOL

parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: thread pool

Default value: 10

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# THREAD POOL
thread pool=10
timeout (NRPEServer, /settings/NRPE/server)¶
TIMEOUT

Timeout when reading packets on incoming sockets. If the data has not arrived within this time we will bail out. parent for this key is found under: /settings/default this is marked as advanced in favor of the parent.

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: timeout

Default value: 30

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# TIMEOUT
timeout=30
use ssl (NRPEServer, /settings/NRPE/server)¶
ENABLE SSL ENCRYPTION

This option controls if SSL should be enabled.

Path: /settings/NRPE/server

Key: use ssl

Default value: 1

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# ENABLE SSL ENCRYPTION
use ssl=1
verify mode (NRPEServer, /settings/NRPE/server)¶
VERIFY MODE

Comma separated list of verification flags to set on the SSL socket.

none The server will not send a client certificate request to the client, so the client will not send a certificate.

peer The server sends a client certificate request to the client and the certificate returned (if any) is checked.

fail-if-no-cert if the client did not return a certificate, the TLS/SSL handshake is immediately terminated. This flag must be used together with peer.

peer-cert Alias for peer and fail-if-no-cert.

workarounds Various bug workarounds.

single Always create a new key when using tmp_dh parameters.

client-once Only request a client certificate on the initial TLS/SSL handshake. This flag must be used together with verify-peer

Advanced (means it is not commonly used)

Path: /settings/NRPE/server

Key: verify mode

Default value: none

Used by: NRPEServer

Sample:
[/settings/NRPE/server]
# VERIFY MODE
verify mode=none

comments powered by Disqus

`NRPEServer` — NRPEServer¶

… default¶

… NRPE / server¶

Table Of Contents

Previous topic

Next topic

This Page

default-workarounds	Various workarounds for what I understand to be broken ssl implementations
no-sslv2	Do not use the SSLv2 protocol.
no-sslv3	Do not use the SSLv3 protocol.
no-tlsv1	Do not use the TLSv1 protocol.
single-dh-use	Always create a new key when using temporary/ephemeral DH parameters. This option must be used to prevent small subgroup attacks, when the DH parameters were not generated using “strong” primes (e.g. when using DSA-parameters).

none	The server will not send a client certificate request to the client, so the client will not send a certificate.
peer	The server sends a client certificate request to the client and the certificate returned (if any) is checked.
fail-if-no-cert	if the client did not return a certificate, the TLS/SSL handshake is immediately terminated. This flag must be used together with peer.
peer-cert	Alias for peer and fail-if-no-cert.
workarounds	Various bug workarounds.
single	Always create a new key when using tmp_dh parameters.
client-once	Only request a client certificate on the initial TLS/SSL handshake. This flag must be used together with verify-peer

NRPEServer — NRPEServer¶

… default¶

… NRPE / server¶

`NRPEServer` — NRPEServer¶