Nagios: How to check a host, that for security reasons has ping disabled

A good organization will not allow its security servers to respond to a ping. This is to prevent someone from sniffing them out on your network, since they generally sit outside your firewall. Nagios can be configured to take this into account with a bit of ingenuity and thought.

First you will need to create a separate host configuration file for all these servers. Within the attributes section of the new configuration file, you want to change the check_command to check_nrpe!check_ping_locally.

Next you will need to add a new contact, contact group, host group and service. The easiest way to create a new service is by copying the default check-host service and changing the command_name to check_nrpe!!. Reload Nagios to ensure you have all the configurations correct.

Now, place the command within the nrpe.cfg file on the client. The exception is that for the “-H” attribute you want to use a ping-back address. You want to run the command locally so you can verify the output.

Now you have the ability to check a host that has PING response disabled. Hope that helps.

Mike Kniaziewicz, MIS
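
The server-side host file and the client-side NRPE entry that the steps above describe, written out as an added example (not the author's own files). The file name, host name, addresses, the generic-host template and the nagiosadmin contact are assumptions; the security-team group name and the plugin path are taken from the comments below, and the allowed_hosts and dont_blame_nrpe lines are added because the host check now depends on NRPE being reachable from the Nagios server.

```cfg
# --- Nagios server: hosts_noping.cfg (file name is an assumption) ---
# Usual check_nrpe wrapper; skip it if your install already defines one.
define command{
        command_name            check_nrpe
        command_line            $USER1$/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
        }

define host{
        use                     generic-host      ; assumed template name
        host_name               sec-gw01          ; constructed sample host
        alias                   Security gateway (ICMP blocked)
        address                 192.0.2.10        ; documentation-range placeholder
        hostgroups              security-team
        check_command           check_nrpe!check_ping_locally
        check_period            24x7
        max_check_attempts      3
        contact_groups          security-team
        notification_interval   15
        notification_period     24x7
        }

define hostgroup{
        hostgroup_name          security-team
        alias                   Hosts that do not answer external ping
        }

define contactgroup{
        contactgroup_name       security-team
        alias                   Security team
        members                 nagiosadmin       ; assumed existing contact
        }

# --- Monitored client: nrpe.cfg ---
# Accept NRPE connections only from the Nagios server (placeholder address).
allowed_hosts=127.0.0.1,198.51.100.5
# Do not accept command arguments supplied by the caller.
dont_blame_nrpe=0
# The name in brackets must match the text after "check_nrpe!" in the host definition.
command[check_ping_locally]=/opt/nagios/libexec/check_ping -H 127.0.0.1 -w 100.0,20% -c 540.0,60%
```

With this layout the host shows DOWN whenever the NRPE daemon cannot be reached from the Nagios server, so the NRPE port has to be allowed through the firewall for that one source address. Running `nagios -v` against your main configuration file before the reload catches mismatched group or command names.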

2 Responses to “Nagios: How to check a host, that for security reasons has ping disabled”

  1. Winsolin says:

    Hi,
    Which file we have to create and do the configuration, file name pls? (create a separate host configuration file). could u pls explain in detail.
    winsolin.

  2. Mike Kniaziewicz says:

    No problem. Here are more details on how to set up a ping command for hosts that, for security reasons, do not allow an external ping.

    On your Nagios host set up the following files:
    cmd_ping.cfg

    define command{
        command_name    check-host-alive-locally
        command_line    $USER1$/check_ping -H $HOSTADDRESS$ -w 99,99% -c 100,100% -p 1
        }

    srv_check_ping.cfg (this is the service definition)

    define service{
        use                     generic-service ; Name of service template to use
        hostgroups              security-team
        service_description     Check Host Alive Locally
        is_volatile             0
        check_period            24x7
        max_check_attempts      3
        normal_check_interval   15
        retry_check_interval    1
        contact_groups          security-team
        notification_interval   15
        notification_period     24x7
        check_command           check_nrpe!check_host_alive_locally
        }

    You will need to ensure the contact group security-team is set up appropriately.

    On the client using NRPE you want to set up the following in the nrpe.cfg file:

    command[check_host_alive_locally]=/opt/nagios/libexec/check_ping -H 127.0.0.1 -w 100.0,20% -c 540.0,60%

    That should do it. If you have any other questions please feel free to ask.