Question: When I execute check_nrpe command with some arguments, I get the message “CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.”. How do I fix this issue?
Answer: The issue is very straight forward. check_nrpe doesn’t take any arguments by default. You should enable the command line arguments for check_nrpe as shown below.
Verify the check_nrpe error message
Just for testing purpose, let us assume that you are execuing the following check_nrpe command that displays the “CHECK_NRPE: Received 0 bytes from daemon.” error message.
$ /usr/local/nagios/libexec/check_nrpe -H 192.168.1.20 -c check_disk -a 60 80 /dev/sdb1 CHECK_NRPE: Received 0 bytes from daemon. Check the remote server logs for error messages.
If you view the /var/log/messages on the remote host, (in the above example, that is 192.168.1.20), you’ll see the nrpe error “Error: Request contained command arguments!” as shown below, indicating that check_nrpe is not enabled to take the command arguments.
$ tail -f /var/log/messages Dec 5 11:11:52 dev-db xinetd: START: nrpe pid=24187 from=192.168.101.108 Dec 5 11:11:52 dev-db nrpe: Error: Request contained command arguments! Dec 5 11:11:52 dev-db nrpe: Client request was invalid, bailing out... Dec 5 11:11:52 dev-db xinetd: EXIT: nrpe status=0 pid=24187 duration=0(sec)
Enable check_nrpe command arguments
To enable command arguments in NRPE, you should do the following two things.
1. Configure NRPE with –enable-command-args
Typically when you install NRPE on the remote host, you’ll do ./configure without any arguments. To enable support for command arguments in the NRPE daemon, you should install it with –enable-command-args as shown below.
[remotehost]# tar xvfz nrpe-2.12.tar.gz [remotehost]# cd nrpe-2.12 [remotehost]# ./configure --enable-command-args [remotehost]# make all [remotehost]# make install-plugin [remotehost]# make install-daemon [remotehost]# make install-daemon-config [remotehost]# make install-xinetd
2. Modify nrpe.cfg and set dont_blame_nrpe
Modify the /usr/local/nagios/etc/nrpe.cfg on the remote server and set the dont_blame_nrpe directive to 1 as shown below.
$ /usr/local/nagios/etc/nrpe.cfg dont_blame_nrpe=1
Execute check_nrpe with command arguments
After the above two changes, if you execute the check_nrpe for this particular remote host, you’ll not see the error message anymore as shown below.
$ /usr/local/nagios/libexec/check_nrpe -H 192.168.1.20 -c check_disk -a 60 80 /dev/sdb1 DISK OK - free space: / 111199 MB (92% inode=99%);| /=9319MB;101662;114370;0;127078
Enabling NRPE command line arguments is a security risk. If you don’t know what you are doing, don’t enable this.
Probably by now you’ve already figured out that you can’t blame NRPE if something goes wrong. After all you did set dont_blame_nrpe to 1.
Imagine you have this command in your nrpe.cfg file:
command[check_disk]=/usr/local/nagios/libexec/chec_disk -p $ARG1$
and you want to pass "/usr" as the parameter to check the disk space available to the /usr directory.
Now, imagine some rogue has discovered you're running NRPE on your server, connects to it, and sends the command check_disk with "/usr && rm -rf /" as the argument.
NRPE will pass out to the shell the command "/usr/local/nagios/libexec/chec_disk -p /usr && rm -rf /" which will cause it to run the plugin, then erase the entire contents of your server's file system.
To be fair, I think it's only a risk if your server is wide open in other ways, such as:
- NRPE allowing any host to connect to it
- No firewall restrictions
- sudo security really permissive
etc. So if you know that only your Nagios server can connect to Nagios (restricted by firewalls and allowed_hosts in nrpe.cfg) I think, with a bit of extra attention paid to command definitions, you'll be OK. But that's just my opinion.