Centreon documentation

Secure your platform

This chapter suggests how to best secure your Centreon platform.

Strengthen user account security

After installing Centreon, it is necessary to change the default passwords of the following users:

  • root
  • centreon
  • centreon-engine
  • centreon-broker
  • centreon-gorgone

To do this, use the following command with a privileged account (e.g. via sudo) or as root (not recommended: you should have a dedicated user):

passwd <account_name>

In addition, verify that the Apache account cannot log in to a shell. Execute the following command:

cat /etc/passwd | grep apache

The shell field must be /sbin/nologin, as in:

apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin

As a reminder, the list of users and groups can be found here.

Enable SELinux

Centreon has recently developed SELinux rules to strengthen the operating system's control over Centreon components.

These rules are currently in beta and can be activated by following the procedure below. If you detect a problem, you can disable SELinux globally and send us your feedback on GitHub so that we can improve our rules.

SELinux Overview

Security Enhanced Linux (SELinux) provides an additional layer of system security. SELinux fundamentally answers the question: May <subject> do <action> to <object>?, for example: May a web server access files in users' home directories?

The standard access policy based on the user, group, and other permissions, known as Discretionary Access Control (DAC), does not enable system administrators to create comprehensive and fine-grained security policies, such as restricting specific applications to only viewing log files, while allowing other applications to append new data to the log files.

SELinux implements Mandatory Access Control (MAC). Every process and system resource has a special security label called an SELinux context. An SELinux context, sometimes referred to as an SELinux label, is an identifier which abstracts away the system-level details and focuses on the security properties of the entity. Not only does this provide a consistent way of referencing objects in the SELinux policy, but it also removes any ambiguity that can be found in other identification methods. For example, a file can have multiple valid path names on a system that makes use of bind mounts.

The SELinux policy uses these contexts in a series of rules which define how processes can interact with each other and the various system resources. By default, the policy does not allow any interaction unless a rule explicitly grants access.

For more information about SELinux, please see the Red Hat documentation.

Activate SELinux in permissive mode

By default, SELinux is disabled during the Centreon installation process. To enable SELinux in permissive mode, modify the /etc/selinux/config file as follows:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Then reboot your server:

shutdown -r now

Install Centreon SELinux packages

Depending on the type of server, install the packages with the following command:

Central / Remote Server:

yum install centreon-common-selinux \
centreon-web-selinux \
centreon-broker-selinux \
centreon-engine-selinux \
centreon-gorgoned-selinux \
centreon-plugins-selinux

Poller:

yum install centreon-common-selinux \
centreon-broker-selinux \
centreon-engine-selinux \
centreon-gorgoned-selinux \
centreon-plugins-selinux

Map server:

yum install centreon-map-selinux

MBI server:

yum install centreon-mbi-selinux

To check the installation, execute the following command:

semodule -l | grep centreon

Depending on your type of server, you should see output such as:

centreon-broker 0.0.5
centreon-common 0.0.10
centreon-engine 0.0.8
centreon-gorgoned   0.0.3
centreon-plugins    0.0.2
centreon-web    0.0.8

Audit logs and enable SELinux

Before enabling SELinux in enforcing mode, make sure that no denials appear in the audit log, using the following command:

cat /var/log/audit/audit.log | grep -i denied

If denials appear, analyse them and decide whether they correspond to legitimate behaviour that must be allowed in addition to the default Centreon SELinux rules. To do this, use the following command to translate the denials into SELinux rules:

audit2allow -a

Then apply the proposed rules.

If, after a while, no denial appears, you can activate SELinux in enforcing mode by repeating the procedure above with SELINUX=enforcing.

Do not hesitate to give us your feedback on GitHub.
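Before feeding the whole audit log to audit2allow, it helps to see which denials recur and which processes produce them. The following Python script is an added example, not part of the Centreon documentation: it parses AVC records from audit.log and groups them by source type, target type, object class and permission. The log lines, process names, file names and contexts in it are constructed for illustration.

```python
"""Group SELinux AVC denials from audit.log so recurring ones can be reviewed."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of /var/log/audit/audit.log content (not a real capture;
# process names, file names, contexts and inode numbers are illustrative only).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1603800001.100:301): avc:  denied  { read } for  pid=2101 comm="centengine" name="centengine.cfg" dev="dm-0" ino=4021 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1603800001.100:301): arch=c000003e syscall=257 success=yes exit=7 items=1 ppid=1 pid=2101 comm="centengine" exe="/usr/sbin/centengine"
type=AVC msg=audit(1603800002.200:302): avc:  denied  { read } for  pid=2101 comm="centengine" name="centengine.cfg" dev="dm-0" ino=4021 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1603800003.300:303): avc:  denied  { write } for  pid=2200 comm="php-fpm" name="centengine.cmd" dev="dm-0" ino=5100 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(1603800004.400:304): avc:  denied  { name_connect } for  pid=2200 comm="php-fpm" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
"""

# One AVC record: timestamp, permissions in braces, process name, source and
# target contexts, object class and (on recent kernels) the permissive flag.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+)\.\d+:\d+\): avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


@dataclass(frozen=True)
class Denial:
    timestamp: int
    comm: str
    perms: tuple
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool


def selinux_type(context):
    """Return the type field (user:role:TYPE:level) of an SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc_denials(log_text):
    """Extract AVC denials; SYSCALL, PATH and other record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if match is None:
            continue
        denials.append(Denial(
            timestamp=int(match.group("ts")),
            comm=match.group("comm"),
            perms=tuple(match.group("perms").split()),
            scontext=match.group("scontext"),
            tcontext=match.group("tcontext"),
            tclass=match.group("tclass"),
            # Older kernels omit the flag; such records are then reviewed as enforced.
            permissive=match.group("permissive") == "1",
        ))
    return denials


def summarize_denials(denials):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for d in denials:
        for perm in d.perms:
            counts[(selinux_type(d.scontext), selinux_type(d.tcontext), d.tclass, perm)] += 1
    return counts


def blocked_in_enforcing(denials):
    """Denials recorded with permissive=0 were actually blocked, not just logged."""
    return [d for d in denials if not d.permissive]


def report(denials):
    """Most frequent denials first: the ones to review before running audit2allow."""
    lines = []
    for (src, tgt, cls, perm), n in summarize_denials(denials).most_common():
        lines.append(f"{n:4d}  {src:<24} -> {tgt:<18} {cls:<12} {perm}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    print(report(found))
    print(f"{len(blocked_in_enforcing(found))} denial(s) were enforced rather than logged")
```

Run it against a copy of the real audit.log by replacing SAMPLE_AUDIT_LOG with the file contents; a source type that is not a Centreon or httpd domain points at a denial unrelated to the Centreon rules.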

Securing the installation of the DBMS

MariaDB provides a default procedure to secure the DBMS installation. Execute the following command and follow the instructions:

mysql_secure_installation

Enable firewalld

Install firewalld:

yum install firewalld

Enable firewalld:

systemctl enable firewalld
systemctl start firewalld

The list of network flows required for each type of server is defined here.

Example of rules for a Centreon Central or Remote Server:

# For default protocols
firewall-cmd --zone=public --add-service=ssh --permanent
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=snmp --permanent
firewall-cmd --zone=public --add-service=snmptrap --permanent
# Centreon Gorgone
firewall-cmd --zone=public --add-port=5556/tcp --permanent
# Centreon Broker
firewall-cmd --zone=public --add-port=5669/tcp --permanent

Example of rules for Centreon poller:

# For default protocols
firewall-cmd --zone=public --add-service=ssh --permanent
firewall-cmd --zone=public --add-service=snmp --permanent
firewall-cmd --zone=public --add-service=snmptrap --permanent

Once the rules have been added, it is necessary to reload firewalld:

firewall-cmd --reload

Enable fail2ban

Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks.

Install fail2ban:

yum install epel-release
yum install fail2ban fail2ban-systemd yum python-inotify

If you have SELinux installed, then update the SELinux policies:

yum update -y selinux-policy*

Enable fail2ban:

systemctl enable fail2ban
systemctl start fail2ban 

Copy the default rules file:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the /etc/fail2ban/jail.local file, find the [centreon] block and modify it as follows:

[centreon]
port    = http,https
logpath = /var/log/centreon/login.log
backend  = pyinotify

To enable the centreon fail2ban rule, create the /etc/fail2ban/jail.d/custom.conf file and add the following lines:

[centreon]
enabled = true
findtime = 10m
bantime = 10m
maxretry = 3

maxretry is the number of failed authentications before the IP address is banned.

bantime is the duration of the ban.

findtime is the time window within which failed authentications are counted.
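The interplay of the three settings is easier to see on a timeline. The following Python model is an added example (not fail2ban's code and not part of the Centreon documentation): it replays constructed login failures through a simplified jail using the values above (maxretry 3, findtime 10m, bantime 10m). The IP addresses are documentation-range placeholders.

```python
"""Simplified model of a fail2ban jail: maxretry failures within findtime -> ban for bantime."""
import re
from collections import defaultdict, deque

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_DURATION_RE = re.compile(r"(\d+)\s*([smhdw]?)")


def parse_duration(value):
    """Convert a fail2ban time value ('10m', '1h 30m', '600') into seconds."""
    parts = _DURATION_RE.findall(value.strip().lower())
    if not parts:
        raise ValueError(f"invalid duration: {value!r}")
    return sum(int(num) * _UNIT_SECONDS[unit or "s"] for num, unit in parts)


class Jail:
    """Sliding-window counter per source IP plus a ban expiry table."""

    def __init__(self, maxretry, findtime, bantime):
        self.maxretry = maxretry
        self.findtime = parse_duration(findtime)
        self.bantime = parse_duration(bantime)
        self._failures = defaultdict(deque)  # ip -> timestamps inside the window
        self._banned_until = {}              # ip -> timestamp when the ban expires
        self.total_banned = 0

    def is_banned(self, ip, now):
        until = self._banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._banned_until[ip]       # ban has expired
            return False
        return True

    def record_failure(self, ip, now):
        """Register one failed login; return True if this failure triggers a ban."""
        if self.is_banned(ip, now):
            return False                     # model choice: failures during a ban are not counted
        window = self._failures[ip]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()                 # drop failures older than findtime
        if len(window) >= self.maxretry:
            self._banned_until[ip] = now + self.bantime
            window.clear()
            self.total_banned += 1
            return True
        return False


def run_jail(failures, maxretry, findtime, bantime):
    """Replay (timestamp, ip) login failures in time order; return the bans issued."""
    jail = Jail(maxretry=maxretry, findtime=findtime, bantime=bantime)
    bans = []
    for ts, ip in sorted(failures):
        if jail.record_failure(ip, ts):
            bans.append((ts, ip))
    return bans


# Constructed failures: seconds since an arbitrary origin, source IP (RFC 5737 ranges).
SAMPLE_FAILURES = [
    (0,   "198.51.100.7"),
    (60,  "198.51.100.7"),
    (120, "198.51.100.7"),   # 3rd failure inside 10 min -> banned until t=720
    (180, "198.51.100.7"),   # arrives while banned; not counted
    (800, "198.51.100.7"),   # ban expired at t=720; this starts a fresh count
    (0,   "203.0.113.9"),
    (400, "203.0.113.9"),
    (900, "203.0.113.9"),    # the t=0 failure has aged out of the window: only 2 count
]

if __name__ == "__main__":
    for ts, ip in run_jail(SAMPLE_FAILURES, maxretry=3, findtime="10m", bantime="10m"):
        print(f"t={ts:4d}s  ban {ip} for {parse_duration('10m')}s")
```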

Then restart fail2ban to load your rule:

systemctl restart fail2ban

To check the status of the centreon rule you can run:

fail2ban-client status centreon
Status for the jail: centreon
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 17
|  `- File list:    /var/log/centreon/login.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 2
   `- Banned IP list:

For more information go to the official website.

Securing the Apache web server

By default, Centreon installs a web server in HTTP mode. It is strongly recommended to switch to HTTPS mode by adding your certificate.

It is better to use a certificate validated by an authority rather than a self-signed one.

If you do not have a certificate validated by an authority, you can generate one on platforms such as Let's Encrypt.

Once you have your certificate, perform the following procedure to activate HTTPS mode on your Apache server:

  1. Install SSL module for Apache:

RHEL / CentOS / Oracle Linux 8:

dnf install mod_ssl mod_security openssl

CentOS 7:

yum install httpd24-mod_ssl httpd24-mod_security openssl

  1. Install your certificates:

Copy your certificate and key to the server according to your configuration; by default, the paths are:

  • /etc/pki/tls/certs/ca.crt
  • /etc/pki/tls/private/ca.key
  1. Backup previous Apache configuration for Centreon:

RHEL / CentOS / Oracle Linux 8:

cp /etc/httpd/conf.d/10-centreon.conf{,.origin}

CentOS 7:

cp /opt/rh/httpd24/root/etc/httpd/conf.d/10-centreon.conf{,.origin}

  1. Edit Centreon Apache configuration

Centreon offers an example configuration file to enable HTTPS available in the following directory: /usr/share/centreon/examples/centreon.apache.https.conf

Edit the Centreon Apache configuration file as follows (RHEL / CentOS / Oracle Linux 8: /etc/httpd/conf.d/10-centreon.conf; CentOS 7: /opt/rh/httpd24/root/etc/httpd/conf.d/10-centreon.conf):

Alias /centreon/api /usr/share/centreon
Alias /centreon /usr/share/centreon/www/

<LocationMatch ^/centreon/(?!api/latest/|api/beta/|api/v[0-9]+/|api/v[0-9]+\.[0-9]+/)(.*\.php(/.*)?)$>
    ProxyPassMatch fcgi://127.0.0.1:9042/usr/share/centreon/www/$1
</LocationMatch>

<LocationMatch ^/centreon/api/(latest/|beta/|v[0-9]+/|v[0-9]+\.[0-9]+/)(.*)$>
    ProxyPassMatch fcgi://127.0.0.1:9042/usr/share/centreon/api/index.php/$1
</LocationMatch>

ProxyTimeout 300

<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

<VirtualHost *:443>
#####################
# SSL configuration #
#####################
    SSLEngine On
    SSLProtocol All -SSLv3 -SSLv2 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-DSS-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ADH:!IDEA
    SSLHonorCipherOrder On
    SSLCompression Off
    SSLCertificateFile /etc/pki/tls/certs/ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/ca.key

    <Directory "/usr/share/centreon/www">
        DirectoryIndex index.php
        Options Indexes
        AllowOverride all
        Order allow,deny
        Allow from all
        Require all granted
        <IfModule mod_php5.c>
            php_admin_value engine Off
        </IfModule>

        RewriteRule ^index\.html$ - [L]
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . /index.html [L]
        ErrorDocument 404 /centreon/index.html

        AddType text/plain hbs
    </Directory>

    <Directory "/usr/share/centreon/api">
        Options Indexes
        AllowOverride all
        Order allow,deny
        Allow from all
        Require all granted
        <IfModule mod_php5.c>
            php_admin_value engine Off
        </IfModule>

        AddType text/plain hbs
    </Directory>
</VirtualHost>

RedirectMatch ^/$ /centreon

Don't forget to change SSLCertificateFile and SSLCertificateKeyFile directives with the path containing your certificate and key.

  1. Enable HttpOnly / Secure flags and hide Apache server signature

RHEL / CentOS / Oracle Linux 8:

Edit the /etc/httpd/conf.d/10-centreon.conf file and add the following lines:

Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
ServerSignature Off
ServerTokens Prod

Edit the /etc/php.d/50-centreon.ini file and turn off the expose_php parameter:

expose_php = Off

CentOS 7:

Edit the /opt/rh/httpd24/root/etc/httpd/conf.d/10-centreon.conf file and add the following lines:

Header set X-Frame-Options: "sameorigin"
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
ServerSignature Off
ServerTokens Prod
TraceEnable Off

Edit the /etc/opt/rh/rh-php72/php.d/50-centreon.ini file and turn off the expose_php parameter:

expose_php = Off

  1. Hide the default /icons directory

RHEL / CentOS / Oracle Linux 8:

Edit the /etc/httpd/conf.d/autoindex.conf file and comment out the following line:

#Alias /icons/ "/usr/share/httpd/icons/"

CentOS 7:

Edit the /opt/rh/httpd24/root/etc/httpd/conf.d/autoindex.conf file and comment out the following line:

#Alias /icons/ "/opt/rh/httpd24/root/usr/share/httpd/icons/"

  1. Disable mod_security boundary to enable license upload

Edit the /opt/rh/httpd24/root/etc/httpd/conf.d/mod_security.conf file and comment the following line:

#SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
#"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
  1. Restart the Apache and PHP processes to take the new configuration into account:

RHEL / CentOS / Oracle Linux 8:

systemctl restart php-fpm httpd

Then check its status:

systemctl status httpd

If everything is ok, you must have:

● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/httpd.service.d
└─php-fpm.conf
Active: active (running) since Tue 2020-10-27 12:49:42 GMT; 2h 35min ago
Docs: man:httpd.service(8)
Main PID: 1483 (httpd)
Status: "Total requests: 446; Idle/Busy workers 100/0;Requests/sec: 0.0479; Bytes served/sec: 443 B/sec"
Tasks: 278 (limit: 5032)
Memory: 39.6M
CGroup: /system.slice/httpd.service
├─1483 /usr/sbin/httpd -DFOREGROUND
├─1484 /usr/sbin/httpd -DFOREGROUND
├─1485 /usr/sbin/httpd -DFOREGROUND
├─1486 /usr/sbin/httpd -DFOREGROUND
├─1487 /usr/sbin/httpd -DFOREGROUND
└─1887 /usr/sbin/httpd -DFOREGROUND

CentOS 7:

systemctl restart rh-php72-php-fpm httpd24-httpd

Then check its status:

systemctl status httpd24-httpd

If everything is ok, you must have:

● httpd24-httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd24-httpd.service; enabled; vendor preset: disabled)
Active: active (running) since mar. 2020-05-12 15:39:58 CEST; 25min ago
Process: 31762 ExecStop=/opt/rh/httpd24/root/usr/sbin/httpd-scl-wrapper $OPTIONS -k graceful-stop (code=exited, status=0/SUCCESS)
Main PID: 31786 (httpd)
Status: "Total requests: 850; Idle/Busy workers 50/50;Requests/sec: 0.547; Bytes served/sec: 5.1KB/sec"
CGroup: /system.slice/httpd24-httpd.service
├─ 1219 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
├─31786 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
├─31788 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
├─31789 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
├─31790 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
├─31802 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
├─31865 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
├─31866 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
├─31882 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
├─31903 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
└─32050 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
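Once the hardened virtual host is in place, its effect is visible in the responses the server sends. The following Python check is an added example, not part of the Centreon documentation: it inspects a raw HTTP response for the Set-Cookie flags, the X-Frame-Options header, server and PHP version disclosure (ServerTokens Prod, expose_php Off) and the HTTP-to-HTTPS redirect configured above. The responses, host name and version strings it contains are constructed.

```python
"""Audit an HTTP response for the Apache hardening applied to the Centreon virtual host."""
import re


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, [(header, value), ...]).

    Headers are kept as a list because Set-Cookie may legitimately repeat.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status_code = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_code, headers


def audit_response(raw, *, served_over_https):
    """Return a list of finding codes; an empty list means the checks passed."""
    status, headers = parse_response(raw)
    findings = []

    def values(name):
        return [v for n, v in headers if n == name]

    if not served_over_https:
        # <VirtualHost *:80> must only redirect to the HTTPS site.
        location = values("location")
        if not (300 <= status < 400 and location and location[0].lower().startswith("https://")):
            findings.append("http-not-redirected-to-https")
        return findings

    for cookie in values("set-cookie"):
        # Attributes follow the name=value pair; 'Header always edit' appends HttpOnly;Secure.
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append("cookie-missing-httponly")
        if "secure" not in attrs:
            findings.append("cookie-missing-secure")
    for server in values("server"):
        if re.search(r"\d", server):          # ServerTokens Prod leaves only "Apache"
            findings.append("server-version-exposed")
    if values("x-powered-by"):               # removed by expose_php = Off
        findings.append("x-powered-by-present")
    if not values("x-frame-options"):        # Header set X-Frame-Options
        findings.append("missing-x-frame-options")
    return findings


# Constructed responses (not real captures); host name and versions are placeholders.
WEAK_HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.37 (centos)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: PHPSESSID=constructedsessionid; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>login page</html>"
)

HARDENED_HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: sameorigin\r\n"
    "Set-Cookie: PHPSESSID=constructedsessionid; path=/;HttpOnly;Secure\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>login page</html>"
)

HARDENED_HTTP_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache\r\n"
    "Location: https://centreon.example.test/centreon/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("before:", audit_response(WEAK_HTTPS_RESPONSE, served_over_https=True))
    print("after: ", audit_response(HARDENED_HTTPS_RESPONSE, served_over_https=True))
    print("port 80:", audit_response(HARDENED_HTTP_RESPONSE, served_over_https=False))
```

To check a live server, capture the response head with a client that shows headers (for example curl -sI) and pass it to audit_response.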

Custom URI

It is possible to update the URI of Centreon. For example, /centreon can be replaced by /monitoring.

At least one path level is mandatory.

To update the Centreon URI, you need to follow those steps:

  1. Go to Administration > Parameters > Centreon UI and change the Centreon Web Directory value.


  1. Edit the Apache configuration file for Centreon Web:

RHEL / CentOS / Oracle Linux 8:

vim /etc/httpd/conf.d/10-centreon.conf

CentOS 7:

vim /opt/rh/httpd24/root/etc/httpd/conf.d/10-centreon.conf

and replace the /centreon path with your new path.

Enabling http2

It is possible to enable the http2 protocol to improve Centreon network performance.

To use http2, follow these steps:

RHEL / CentOS / Oracle Linux 8

  1. Configure https on Centreon.

  2. Install the nghttp2 module:

dnf install nghttp2

  3. Enable the http2 protocol in /etc/httpd/conf.d/10-centreon.conf:

...
<VirtualHost *:443>
Protocols h2 h2c http/1.1
...
</VirtualHost>
...

  4. Switch the Apache multi-processing module (MPM) from prefork to event in /etc/httpd/conf.modules.d/00-mpm.conf:

-LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
+#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

-#LoadModule mpm_event_module modules/mod_mpm_event.so
+LoadModule mpm_event_module modules/mod_mpm_event.so

  5. Restart the Apache process to take the new configuration into account:

systemctl restart httpd

CentOS 7

  1. Configure https on Centreon.

  2. Install the nghttp2 module:

yum install httpd24-nghttp2

  3. Enable the http2 protocol in /opt/rh/httpd24/root/etc/httpd/conf.d/10-centreon.conf:

...
<VirtualHost *:443>
Protocols h2 h2c http/1.1
...
</VirtualHost>
...

  4. Switch the Apache multi-processing module (MPM) from prefork to event in /opt/rh/httpd24/root/etc/httpd/conf.modules.d/00-mpm.conf:

-LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
+#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

-#LoadModule mpm_event_module modules/mod_mpm_event.so
+LoadModule mpm_event_module modules/mod_mpm_event.so

  5. Restart the Apache process to take the new configuration into account:

systemctl restart httpd24-httpd
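The following is an added example, not Centreon's own code: a pre-restart sanity check for the two Apache files edited in the Custom URI and http2 steps above. It verifies that mpm_event is the only MPM loaded (mod_http2 does not work with prefork, and httpd will not start with two MPMs), that the Protocols line listing h2 sits inside the *:443 VirtualHost, and that the old /centreon URI was replaced. The config samples are constructed for the demo; the function names and file layout are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not Centreon's own code: sanity-check the two Apache files
# edited in the steps above (and the custom URI) before restarting httpd.
# The config samples below are constructed for the demo, not taken from a real install.

check_mpm() {  # $1 = 00-mpm.conf ; true only when mpm_event is the single active MPM
    # mod_http2 is not supported with prefork, and httpd refuses to start with two MPMs loaded
    active=$(grep -cE '^[[:space:]]*LoadModule[[:space:]]+mpm_[a-z]+_module' "$1" || true)
    [ "$active" -eq 1 ] && grep -qE '^[[:space:]]*LoadModule[[:space:]]+mpm_event_module' "$1"
}

check_h2_vhost() {  # $1 = 10-centreon.conf ; a Protocols line listing h2 must sit inside <VirtualHost *:443>
    awk '/<VirtualHost[ \t]*\*:443>/ { in443 = 1 }
         /<\/VirtualHost>/          { in443 = 0 }
         in443 && /^[ \t]*Protocols[ \t]/ && /[ \t]h2([ \t]|$)/ { found = 1 }
         END { exit !found }' "$1"
}

uri_re() {  # ERE matching $1 used as a URI prefix (after whitespace or a ^ anchor),
    # so a filesystem path such as /usr/share/centreon/www is not a false positive
    printf '(^|[[:space:]^])%s([[:space:]/>"]|$)' "$1"
}

check_uri() {  # $1 = 10-centreon.conf ; $2 = new URI, e.g. /monitoring
    ! grep -qE "$(uri_re /centreon)" "$1" && grep -qE "$(uri_re "$2")" "$1"
}

make_samples() {  # $1 = directory; writes constructed "good" 00-mpm.conf and 10-centreon.conf
    cat > "$1/00-mpm.conf" <<'EOF'
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule mpm_event_module modules/mod_mpm_event.so
EOF
    cat > "$1/10-centreon.conf" <<'EOF'
Alias /monitoring /usr/share/centreon/www/
<VirtualHost *:80>
    RedirectMatch ^/$ /monitoring
</VirtualHost>
<VirtualHost *:443>
    Protocols h2 h2c http/1.1
</VirtualHost>
EOF
}

SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
check_mpm "$SAMPLES/00-mpm.conf" && echo "MPM: ok" || echo "MPM: fix 00-mpm.conf"
check_h2_vhost "$SAMPLES/10-centreon.conf" && echo "http2: ok" || echo "http2: fix vhost"
check_uri "$SAMPLES/10-centreon.conf" /monitoring && echo "URI: ok" || echo "URI: fix path"
```

Point the three functions at the real files listed in the steps above (for CentOS 7, the /opt/rh/httpd24 paths) to check an actual server before the restart.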

User authentication

Centreon offers several methods to authenticate users:

  • local (MySQL)
  • LDAP
  • Generic SSO or OpenId Connect

Create user profiles

Centreon lets you manage access permissions to the different menus, resources and the actions allowed on resources through Access Control Lists (ACLs).

Secure communications between servers

It is strongly recommended to secure communications between the different servers of the Centreon platform if some servers are not in a secure network.

The table of network flows is available here.

Centreon Broker communication

Centreon Broker and the firewall

In certain cases, you may not be able to initialize the Centreon Broker data flow from the poller (or the Remote Server) to the Central Server or the Remote Server. See the following configuration to invert the flow.

Centreon Broker flow authentication

If you need to authenticate pollers that are sending data to the monitoring system, you can use the Centreon Broker authentication mechanism, which is based on X.509 certificates. See the following configuration to authenticate the peer.

Compress and encrypt the Centreon Broker communication

It is also possible to compress and encrypt the Centreon Broker communication. Go to the Configuration > Pollers > Broker configuration menu, edit your Centreon Broker configuration and, for IPv4 inputs and outputs, set:

  • Enable TLS encryption: Auto
  • Enable negotiation: Yes
  • Compression (zlib): Auto

Centreon Gorgone communication

See the official Centreon Gorgone documentation to secure this communication.

Security information and event management - SIEM

Centreon event logs are available in the following directories:

Logs directory             Central server  Remote Server  Poller  Centreon Map server  Centreon MBI Server
/var/log/centreon          X               X
/var/log/centreon-broker   X               X              X
/var/log/centreon-engine   X               X              X
/var/log/centreon-gorgone  X               X              X
/var/log/centreon-bi       X                                                            X
/var/log/centreon-map      X               X              X       X

In addition, all actions to modify the Centreon configuration carried out by users are available via the Administration > Logs menu.

Backing up the platform

Centreon can back up the configuration of the platform. To do this, go to the Administration > Parameters > Backup menu.
