TCP Wrapper Integration


Introduction

This example explains how to easily generate alerts in Nagios for connection attempts that are rejected by TCP wrappers. These directions assume that the host which you are generating alerts for (i.e. the host you are using TCP wrappers on) is not the same host on which Nagios is running. If you want to generate alerts on the same host that Nagios is running on, you will need to make a few modifications to the examples I provide. Also, I am assuming that you have installed the nsca daemon on your monitoring server and the nsca client (send_nsca) on the machine that you are generating TCP wrapper alerts from.

Defining The Service

First off you're going to have to define a service in your object configuration file for the TCP wrapper alerts. Assuming that the host that the alerts are originating from is called firestorm, a sample service definition might look something like this:

define service{
	host_name                       firestorm
	service_description             TCP Wrappers
	is_volatile                     1
	active_checks_enabled		0
	passive_checks_enabled		1
	max_check_attempts              1
	contact_groups                  security-admins
	notification_interval           120
	notification_period             24x7
	notification_options            w,u,c,r
	check_command                   check_none
	}

The important things to note are that this service has the volatile option enabled. We want this option enabled because we want a notification to be generated for every alert that comes in. Also of note is the fact that active checks of the service are disabled, while passive checks are enabled. This means that the service will never be actively checked - all alert information will have to be sent in passively by the nsca client on the firestorm host.

Configuring TCP Wrappers

Now you're going to have to modify the /etc/hosts.deny file on the host called firestorm. In order to have the TCP wrappers send an alert to the monitoring host whenever a connection attempt is denied, you'll have to add a line similar to the following:

ALL: ALL: RFC931: twist (/usr/local/nagios/libexec/eventhandlers/handle_tcp_wrapper %h %d) &

This line assumes that there is a script called handle_tcp_wrapper in the /usr/local/nagios/libexec/eventhandlers/ directory on firestorm. The directory and script name can be changed to whatever you want.

Writing The Script

The last thing you need to do is write the handle_tcp_wrapper script on firestorm that will send the alert back to the monitoring host. It might look something like this:

#!/bin/sh
# $1 = client host (%h), $2 = daemon (%d), both passed by the twist line in hosts.deny.
# Output goes to /dev/null because twist attaches this script's stdio to the rejected client.
/usr/local/nagios/libexec/eventhandlers/submit_check_result firestorm "TCP Wrappers" 2 "Denied $2-$1" > /dev/null 2> /dev/null

Notice that the handle_tcp_wrapper script calls the submit_check_result script to actually send the alert back to the monitoring host. Assuming your monitoring host is called monitor, the submit_check_result script might look like this (you'll have to modify this to specify the proper location of the send_nsca program on firestorm):

#!/bin/sh

# Arguments
#	$1 = name of host in service definition
#	$2 = name/description of service in service definition
#	$3 = return code
#	$4 = output

# Write the tab-separated passive check record to send_nsca. printf is used
# instead of "echo -e" because not every /bin/sh accepts the -e option.
printf '%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "$4" | /usr/local/nagios/bin/send_nsca monitor -c /usr/local/nagios/etc/send_nsca.cfg
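The two scripts above can also be folded into one handler. The following is an added example, not the script from the Nagios documentation: it builds the NSCA passive check record in a function so the result can be inspected, and it guards the fields against embedded tabs or newlines, which would otherwise split the record. The host name firestorm, the service "TCP Wrappers", the monitoring host monitor, return code 2 and the "Denied <daemon>-<client>" output come from the page; the SEND_NSCA and SEND_NSCA_CFG overrides and the return-code check are assumptions made here.

```shell
#!/bin/sh
# Added example (not the Nagios project's own script): one handle_tcp_wrapper
# that builds and submits the NSCA passive check record itself.
# Assumed here: the SEND_NSCA / SEND_NSCA_CFG overrides and the argument check.

SEND_NSCA=${SEND_NSCA:-/usr/local/nagios/bin/send_nsca}
SEND_NSCA_CFG=${SEND_NSCA_CFG:-/usr/local/nagios/etc/send_nsca.cfg}
MONITOR_HOST=monitor

# NSCA separates fields with tabs and records with newlines, so a field that
# carried either would corrupt the record; replace them with spaces.
nsca_field() {
    printf '%s' "$1" | tr '\t\n' '  '
}

# Build one passive service check record:
#   host<TAB>service<TAB>return_code<TAB>plugin_output<NL>
# printf is used rather than "echo -e", which not every /bin/sh understands.
build_nsca_line() {
    case $3 in
        0|1|2|3) ;;
        *) printf 'invalid return code: %s\n' "$3" >&2; return 1 ;;
    esac
    printf '%s\t%s\t%s\t%s\n' \
        "$(nsca_field "$1")" "$(nsca_field "$2")" "$3" "$(nsca_field "$4")"
}

# Map the twist arguments from hosts.deny (%h = client host, %d = daemon)
# to the CRITICAL result the page sends for a denied connection.
tcp_wrapper_result() {
    client=$1
    daemon=$2
    build_nsca_line firestorm "TCP Wrappers" 2 "Denied ${daemon}-${client}"
}

# When invoked by tcpd with two arguments, submit the record. twist hands the
# command the client's connection as stdin/stdout, so everything is redirected
# to /dev/null to keep send_nsca's output from reaching the rejected client.
if [ $# -eq 2 ]; then
    tcp_wrapper_result "$1" "$2" \
        | "$SEND_NSCA" "$MONITOR_HOST" -c "$SEND_NSCA_CFG" >/dev/null 2>&1
fi
```

Installed at /usr/local/nagios/libexec/eventhandlers/handle_tcp_wrapper, it is called by the hosts.deny twist line exactly as in the original setup; with no arguments it only defines the functions, which is convenient for testing the record format from an interactive shell.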

Finishing Up

You've now configured everything you need to, so all you have to do is restart the inetd process on firestorm and restart Nagios on your monitoring server. That's it! When the TCP wrappers on firestorm deny a connection attempt, you should be getting alerts in Nagios. The plugin output for the alert will look something like the following:

Denied sshd2-sdn-ar-002mnminnP321.dialsprint.net