OpenITCOCKPIT is a monitoring solution based on Nagios and Icinga, providing a modern web interface and advanced features. As a system with privileged access to infrastructure monitoring and configuration, proper security hardening is essential. This guide covers security measures for production OpenITCOCKPIT deployments.
OpenITCOCKPIT architecture includes these security-sensitive components:
Key security concerns include web interface protection, API access control, agent security, database protection, and preventing unauthorized monitoring changes.
Configure firewall rules for OpenITCOCKPIT:
```bash
# OpenITCOCKPIT Web Interface (Nginx/Apache)
ufw allow from 10.0.0.0/8 to any port 80 proto tcp
ufw allow from 10.0.0.0/8 to any port 443 proto tcp
# Monitoring agents
ufw allow from 10.0.1.0/24 to any port 5666 proto tcp   # NRPE
ufw allow from 10.0.1.0/24 to any port 5667 proto tcp   # NSCA
# MySQL (restrict to localhost)
ufw allow from 127.0.0.1 to any port 3306 proto tcp
# Block external access (ufw evaluates rules in order, so the allows above take precedence)
ufw deny from any to any port 5666 proto tcp
ufw deny from any to any port 5667 proto tcp
ufw deny from any to any port 3306 proto tcp
```
For Kubernetes deployments, the equivalent restriction as a NetworkPolicy that only admits web traffic from the monitoring namespace:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: openitcockpit-network-policy
spec:
  podSelector:
    matchLabels:
      app: openitcockpit
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: monitoring
    ports:
    - protocol: TCP
      port: 80
    - protocol: TCP
      port: 443
```
Configure web server binding:
```nginx
# /etc/nginx/sites-available/openitcockpit
server {
    # Bind only to the management interface address, not 0.0.0.0
    listen 10.0.1.100:443 ssl http2;
    server_name openitcockpit.company.com;
    root /var/www/html/openitcockpit;

    ssl_certificate /etc/nginx/certs/openitcockpit.crt;
    ssl_certificate_key /etc/nginx/certs/openitcockpit.key;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```
Configure OpenITCOCKPIT authentication:
```php
// /var/www/html/openitcockpit/app/Config/config.php
// Authentication settings
$config['Auth'] = [
    'sessionTimeout'  => 3600,
    'sessionSecure'   => true,
    'sessionHttpOnly' => true,
];

// Password policy
$config['Password'] = [
    'minLength'           => 12,
    'requireUppercase'    => true,
    'requireLowercase'    => true,
    'requireNumbers'      => true,
    'requireSpecialChars' => true,
];
```
Configure user roles:
User roles:

- Administrator: Full system access
- Operator: Monitoring and alert management
- Viewer: Read-only access
- API User: API access only

Roles are configured in the OpenITCOCKPIT UI under Administration → Users → Roles.
Configure LDAP authentication:
```php
// /var/www/html/openitcockpit/app/Config/config.php
$config['Ldap'] = [
    'enabled'        => true,
    'server'         => 'ldap.company.com',
    'port'           => 636,
    'useSsl'         => true,
    'bindDn'         => 'cn=openitcockpit,ou=services,dc=company,dc=com',
    'bindPassword'   => '${LDAP_PASSWORD}',
    'baseDn'         => 'dc=company,dc=com',
    'filter'         => '(objectClass=inetOrgPerson)',
    'uidAttribute'   => 'uid',
    'groupAttribute' => 'memberOf',
];
```
Configure AD authentication:
```php
// /var/www/html/openitcockpit/app/Config/config.php
$config['ActiveDirectory'] = [
    'enabled'      => true,
    'domain'       => 'company.com',
    'server'       => 'dc.company.com',
    'port'         => 636,
    'useSsl'       => true,
    'bindDn'       => 'cn=openitcockpit,ou=services,dc=company,dc=com',
    'bindPassword' => '${AD_PASSWORD}',
    'baseDn'       => 'dc=company,dc=com',
    'filter'       => '(&(objectClass=user)(objectCategory=person))',
    'uidAttribute' => 'sAMAccountName',
];
```
Enable two-factor authentication:
```php
// /var/www/html/openitcockpit/app/Config/config.php
$config['TwoFactorAuth'] = [
    'enabled'        => true,
    'mandatory'      => true,   // For admin users
    'mandatoryRoles' => ['Administrator'],
    'totpIssuer'     => 'OpenITCOCKPIT',
];
```
Configure HTTPS:
```nginx
# /etc/nginx/sites-available/openitcockpit
server {
    listen 443 ssl http2;
    server_name openitcockpit.company.com;
    root /var/www/html/openitcockpit;

    ssl_certificate /etc/nginx/certs/openitcockpit.crt;
    ssl_certificate_key /etc/nginx/certs/openitcockpit.key;
    ssl_trusted_certificate /etc/nginx/certs/ca-bundle.crt;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy header; modern browsers ignore it and rely on the CSP below
    add_header X-XSS-Protection "1; mode=block" always;
    # 'unsafe-inline' / 'unsafe-eval' weaken the policy; tighten them once the UI is verified to work without them
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src * data:; font-src 'self' data:; connect-src 'self'" always;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```
Configure TLS for agent communication:
```ini
# /etc/nagios/nrpe.cfg (NRPE 3.x/4.x directive names)
# Require TLS 1.2 or newer and disable anonymous Diffie-Hellman
ssl_version=TLSv1.2+
ssl_use_adh=0
ssl_cipher_list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
# Agent certificate and key, plus the CA that signs client (check_nrpe) certificates
ssl_cacert_file=/etc/nagios/ssl/ca.crt
ssl_cert_file=/etc/nagios/ssl/nrpe.crt
ssl_privatekey_file=/etc/nagios/ssl/nrpe.key
# 2 = require a client certificate (0 = don't ask, 1 = ask but don't require);
# the monitoring server's check_nrpe must then be invoked with its client cert and key
ssl_client_certs=2
```
Configure TLS for MySQL:
```php
// /var/www/html/openitcockpit/app/Config/database.php
class DATABASE_CONFIG {
    public $default = [
        'datasource' => 'Database/Mysql',
        'host'       => 'localhost',
        'port'       => 3306,
        'login'      => 'openitcockpit',
        'password'   => '${DB_PASSWORD}',
        'database'   => 'openitcockpit',
        'encoding'   => 'utf8',
        'ssl_key'    => '/etc/mysql/client.key',
        'ssl_cert'   => '/etc/mysql/client.crt',
        'ssl_ca'     => '/etc/mysql/ca.crt',
        'ssl_verify' => true,
    ];
}
```
Secure OpenITCOCKPIT API:
| Endpoint | Risk Level | Access Control |
|---|---|---|
| GET /api/status | Low | Authenticated users |
| GET /api/hosts | Low | Authenticated users |
| POST /api/hosts | High | Admin only |
| PUT /api/hosts/{id} | High | Admin only |
| DELETE /api/hosts/{id} | Critical | Admin only |
| POST /api/commands | Critical | Admin only |
Implement API authentication:
```bash
# Generate API token
# In OpenITCOCKPIT UI: Administration → Users → API Keys
# Use token
curl -H "X-Auth-Token: ${API_TOKEN}" \
  https://openitcockpit.company.com/api/status
```
Secure PHP application:
```ini
; /etc/php/8.1/fpm/php.ini
expose_php = Off
display_errors = Off
log_errors = On
error_log = /var/log/php/error.log
session.cookie_secure = 1
session.cookie_httponly = 1
session.cookie_samesite = Strict
session.use_strict_mode = 1
; Disable dangerous functions (re-test the application afterwards: any feature
; that shells out from PHP will stop working with these disabled)
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
```
Restrict command execution:
```ini
# /etc/nagios/nagios.cfg
# Enable external commands
check_external_commands=1
command_check_interval=15s
command_file=/var/cache/nagios/rw/nagios.cmd
```

Secure the command file so only the nagios user and the web server group can write to it:

```bash
chown nagios:www-data /var/cache/nagios/rw/nagios.cmd
chmod 660 /var/cache/nagios/rw/nagios.cmd
```
Secure event handlers:
```ini
# /etc/nagios/objects/commands.cfg
# Recipient comes from the Nagios macro $CONTACTEMAIL$, not from a shell variable
define command {
    command_name    notify-service-by-email
    command_line    /usr/bin/printf "%b" "Service Alert" | /usr/bin/mail -s "Alert" $CONTACTEMAIL$
}

# Use wrapper scripts for complex handlers so that only a fixed, reviewed
# action runs and the argument is validated inside the script
define command {
    command_name    secure-restart-service
    command_line    /usr/local/bin/safe-restart.sh $ARG1$
}
```
Secure OpenITCOCKPIT database:
```sql
-- Create dedicated database user
CREATE USER 'openitcockpit'@'localhost' IDENTIFIED BY 'strong_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON openitcockpit.* TO 'openitcockpit'@'localhost';
GRANT CREATE TEMPORARY TABLES ON openitcockpit.* TO 'openitcockpit'@'localhost';
FLUSH PRIVILEGES;

-- Enable SSL requirement
ALTER USER 'openitcockpit'@'localhost' REQUIRE SSL;
```
Implement database encryption:
```sql
-- Enable TDE (MySQL Enterprise); InnoDB tablespace encryption requires a keyring plugin to be loaded first
ALTER TABLE hosts ENCRYPTION='Y';
ALTER TABLE services ENCRYPTION='Y';
ALTER TABLE users ENCRYPTION='Y';
```
Secure data directory:
```bash
# Set restrictive permissions
chown -R www-data:www-data /var/www/html/openitcockpit/app/tmp
chmod -R 750 /var/www/html/openitcockpit/app/tmp
```
Secure sensitive configuration:
```php
// /var/www/html/openitcockpit/app/Config/config.php
// Use environment variables
$config['Database']['password'] = getenv('OIC_DB_PASSWORD');
$config['Ldap']['bindPassword'] = getenv('OIC_LDAP_PASSWORD');

// Or use external secrets file
if (file_exists('/etc/openitcockpit/secrets.php')) {
    include '/etc/openitcockpit/secrets.php';
}
```
Protect secrets file:
```bash
# Set restrictive permissions
chown root:www-data /etc/openitcockpit/secrets.php
chmod 640 /etc/openitcockpit/secrets.php
```
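The php.ini settings and the secrets-file permissions above are easy to drift on a long-lived host. The following added example (not part of OpenITCOCKPIT or this guide's own tooling) audits both offline: it parses a php.ini text against the hardened values listed earlier and reports any file whose mode grants more than a given maximum. The sample php.ini fragment is constructed for the example and deliberately contains one weak setting and one missing disabled function.

```python
"""Audit php.ini hardening values and secrets-file permissions.
Added example; expected values are the ones listed in this guide."""
import os
import stat

# Expected php.ini directives from the hardening section (key -> value).
EXPECTED_PHP_INI = {
    "expose_php": "Off",
    "display_errors": "Off",
    "log_errors": "On",
    "session.cookie_secure": "1",
    "session.cookie_httponly": "1",
    "session.cookie_samesite": "Strict",
    "session.use_strict_mode": "1",
}
# Functions that must be listed in disable_functions.
EXPECTED_DISABLED = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}


def parse_php_ini(text):
    """Parse php.ini text into {directive: value}.
    Strips ';' comments, skips blank lines and [section] headers;
    the last assignment of a directive wins, as in PHP itself."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_php_ini(text):
    """Return a list of findings (strings); an empty list means compliant."""
    settings = parse_php_ini(text)
    findings = []
    for key, want in EXPECTED_PHP_INI.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key} not set (expected {want})")
        elif got.lower() != want.lower():
            findings.append(f"{key} = {got} (expected {want})")
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(EXPECTED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions missing: " + ", ".join(missing))
    return findings


def audit_file_mode(path, max_mode=0o640):
    """Report permission bits on `path` that exceed `max_mode` (default 0640,
    the mode this guide sets on secrets.php). Returns a list of findings."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    extra = mode & ~max_mode
    if extra:
        return [f"{path}: mode {mode:04o} grants extra bits {extra:04o} (max {max_mode:04o})"]
    return []


# Constructed sample: one weak setting (expose_php) and popen not disabled.
SAMPLE_PHP_INI = """
[PHP]
expose_php = On          ; leaks the PHP version in response headers
display_errors = Off
log_errors = On
session.cookie_secure = 1
session.cookie_httponly = 1
session.cookie_samesite = Strict
session.use_strict_mode = 1
disable_functions = exec,passthru,shell_exec,system,proc_open
"""

if __name__ == "__main__":
    for finding in audit_php_ini(SAMPLE_PHP_INI):
        print("php.ini:", finding)
    secrets = "/etc/openitcockpit/secrets.php"   # path from this guide
    if os.path.exists(secrets):
        for finding in audit_file_mode(secrets):
            print(finding)
```

Run it against the live files by reading `/etc/php/8.1/fpm/php.ini` into `audit_php_ini` and pointing `audit_file_mode` at the secrets file; a non-empty result is the drift to fix. Ownership (root:www-data) is not checked here because it is host-specific.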
Secure OpenITCOCKPIT backups:
```bash
#!/bin/bash
# Secure backup script
set -euo pipefail
umask 077                      # any file this script creates is owner-only (0600)

BACKUP_DIR="/secure/backups/openitcockpit"
DATE=$(date +%Y%m%d)
RECIPIENT="security@company.com"

# Database backup: credentials come from a protected option file (e.g. ~/.my.cnf),
# and the dump is piped straight into gpg so no plaintext copy touches disk
mysqldump openitcockpit | gpg -e --recipient "$RECIPIENT" -o "${BACKUP_DIR}/oic-db-${DATE}.sql.gpg"

# Configuration backup, likewise encrypted in-stream
tar -czf - /etc/nagios/ /etc/openitcockpit/ | gpg -e --recipient "$RECIPIENT" -o "${BACKUP_DIR}/oic-config-${DATE}.tar.gz.gpg"

# Set restrictive permissions
chmod 600 "${BACKUP_DIR}"/oic-*.gpg
```
Enable logging:
```php
// /var/www/html/openitcockpit/app/Config/config.php
$config['Log'] = [
    'enabled' => true,
    'level'   => 'INFO',
    'file'    => '/var/log/openitcockpit/openitcockpit.log',
    'audit'   => [
        'enabled' => true,
        'file'    => '/var/log/openitcockpit/audit.log',
    ],
];
```
Configure web server access logging:
```nginx
# /etc/nginx/sites-available/openitcockpit
access_log /var/log/nginx/openitcockpit_access.log combined;
error_log /var/log/nginx/openitcockpit_error.log warn;
```
Monitor for security events:
```bash
#!/bin/bash
# /usr/local/bin/check-oic-security.sh
# Nagios-style plugin: exit 0 = OK, 1 = WARNING, 2 = CRITICAL
APP_LOG="/var/log/openitcockpit/openitcockpit.log"
AUDIT_LOG="/var/log/openitcockpit/audit.log"

# grep -c prints "0" and exits non-zero when nothing matches, so "|| echo 0"
# would produce "0\n0" and break the integer test; swallow the exit status
# and default to 0 only when the file was unreadable and grep printed nothing.
FAILED_LOGINS=$(grep -c "Failed login" "$APP_LOG" 2>/dev/null || true)
FAILED_LOGINS=${FAILED_LOGINS:-0}
if [ "$FAILED_LOGINS" -gt 10 ]; then
    echo "CRITICAL: Multiple failed login attempts ($FAILED_LOGINS)"
    exit 2
fi

# Check for configuration changes
CONFIG_CHANGES=$(grep -c "Configuration changed" "$AUDIT_LOG" 2>/dev/null || true)
CONFIG_CHANGES=${CONFIG_CHANGES:-0}
if [ "$CONFIG_CHANGES" -gt 20 ]; then
    echo "WARNING: High number of configuration changes ($CONFIG_CHANGES)"
    exit 1
fi

echo "OK: $FAILED_LOGINS failed logins, $CONFIG_CHANGES configuration changes"
exit 0
```
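The check script above counts matching lines over the whole file, so a slow, spread-out attempt and a burst from one address look the same, and it cannot say who made the configuration changes. The following added example (not part of OpenITCOCKPIT or this guide) applies a per-source sliding window to failed logins and attributes configuration changes to users. The log line layout it parses is constructed for the example; the two regular expressions are the assumption to adjust to the real log format, and lines are expected in timestamp order as they appear in the file.

```python
"""Sliding-window detection over OpenITCOCKPIT-style log lines.
Added example with a constructed log format (see the regexes below)."""
import re
from collections import defaultdict, deque
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"
# Assumed line layouts (constructed for this example; adjust to the real logs):
#   2024-05-01 10:00:01 WARNING Failed login for user 'admin' from 198.51.100.7
#   2024-05-01 10:05:00 INFO Configuration changed by 'operator1': host web01 updated
FAILED_RE = re.compile(r"^(\S+ \S+) \w+ Failed login for user '([^']*)' from (\S+)")
CHANGE_RE = re.compile(r"^(\S+ \S+) \w+ Configuration changed by '([^']*)'")


def failed_login_bursts(lines, threshold=5, window_seconds=300):
    """Return {source_ip: peak_count} for every source that reached `threshold`
    failed logins inside any `window_seconds` span. One deque per source holds
    the timestamps still inside the window, so memory stays bounded."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), TS_FMT)
        ip = m.group(3)
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that fell out of the window relative to this event
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def config_changes_by_user(lines):
    """Return {username: number_of_configuration_changes}."""
    counts = defaultdict(int)
    for line in lines:
        m = CHANGE_RE.match(line)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)


def evaluate(lines, login_threshold=5, change_threshold=20):
    """Nagios-style verdict (exit_code, message): 2 = CRITICAL, 1 = WARNING, 0 = OK.
    Thresholds mirror the shell plugin above but apply per source / in total."""
    bursts = failed_login_bursts(lines, threshold=login_threshold)
    if bursts:
        ip, count = max(bursts.items(), key=lambda kv: kv[1])
        return 2, f"CRITICAL: {count} failed logins from {ip} within window"
    total_changes = sum(config_changes_by_user(lines).values())
    if total_changes > change_threshold:
        return 1, f"WARNING: {total_changes} configuration changes"
    return 0, "OK"


# Constructed sample log: 198.51.100.7 fails five times within a minute,
# 203.0.113.5 fails twice an hour apart (not a burst), three config changes.
SAMPLE_LOG = """\
2024-05-01 10:00:01 WARNING Failed login for user 'admin' from 198.51.100.7
2024-05-01 10:00:09 WARNING Failed login for user 'admin' from 198.51.100.7
2024-05-01 10:00:15 WARNING Failed login for user 'root' from 198.51.100.7
2024-05-01 10:00:21 WARNING Failed login for user 'operator1' from 203.0.113.5
2024-05-01 10:00:40 WARNING Failed login for user 'admin' from 198.51.100.7
2024-05-01 10:01:02 WARNING Failed login for user 'admin' from 198.51.100.7
2024-05-01 10:05:00 INFO Configuration changed by 'operator1': host web01 updated
2024-05-01 10:06:30 INFO Configuration changed by 'operator1': service http on web01 updated
2024-05-01 10:45:00 INFO Configuration changed by 'admin': contact group oncall updated
2024-05-01 11:01:00 WARNING Failed login for user 'operator1' from 203.0.113.5
""".splitlines()

if __name__ == "__main__":
    print("bursts:", failed_login_bursts(SAMPLE_LOG))
    print("changes:", config_changes_by_user(SAMPLE_LOG))
    code, message = evaluate(SAMPLE_LOG)
    print(message)
    raise SystemExit(code)
```

To use it as a plugin, replace `SAMPLE_LOG` with the lines read from `/var/log/openitcockpit/openitcockpit.log` and `audit.log`; the exit code follows the same OK/WARNING/CRITICAL convention as the shell check, so it can be scheduled by the monitoring system itself.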
Forward logs to SIEM:
```
# /etc/rsyslog.d/openitcockpit.conf
:programname, isequal, "openitcockpit" /var/log/openitcockpit/syslog.log
# Single '@' forwards over UDP (unreliable, cleartext); use '@@' for TCP,
# and an rsyslog TLS transport if the SIEM supports it
:programname, isequal, "openitcockpit" @siem.company.com:514
```