What are the security risks of making Nagios publicly viewable?

What are the dangers of a public organization, like a college or university, publishing monitoring services like Nagios in a publicly available read-only format?


Solution 1:

I think the biggest risk to providing a public interface to Nagios is that the Nagios CGIs haven't been written in a hardened fashion (at least they've never claimed to be). A raw Nagios interface leaks internal information like a sieve.

There's nothing inherently insecure about sharing the information (as long as you take into account the value of the information you're giving away, and you're aware that you're decreasing your security-through-obscurity).

The best solution may be to use NagVis (http://www.nagvis.org/) to create a user-friendly page where people can see status updates in a way that's more meaningful to them than the raw service list from Nagios.

If you do decide to just display the output, make sure to read the Nagios security considerations page (http://nagios.sourceforge.net/docs/3_0/security.html).

Solution 2:

When I was in college, they used to provide Big Brother as a public read-only service, so it's not unheard of. Knowing the topology of the network could open up risk if the machines are not all secure, and if you're also reporting version numbers, that piece of information is useful for determining possible vulnerabilities.

You can, and should, limit the information available to the public, but we found knowing what services were down and when they came back up valuable for our support staff in communicating with the rest of the college.
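Both answers come down to the same control: publish the state of a few named services, not the raw Nagios output, since the plugin output carries hostnames, software versions and performance data. The script below is an added illustration of that filtering and is not code from either answer or from the Nagios project. It assumes the line-oriented `status.dat` layout (`type {` / `key=value` / `}`), embeds a constructed sample of that file, and applies a hypothetical allow-list (`PUBLIC_SERVICES`) that maps internal service descriptions to public-facing names.

```python
import time

# Constructed sample of a Nagios status.dat (assumed layout: a block type,
# an opening brace, key=value lines, then a closing brace). The plugin_output
# lines deliberately contain the kind of detail that should never be published.
SAMPLE_STATUS_DAT = """\
hoststatus {
	host_name=mailhost
	current_state=0
	plugin_output=PING OK - Packet loss = 0%, RTA = 0.42 ms
	last_state_change=1230768000
	}
servicestatus {
	host_name=mailhost
	service_description=SMTP
	current_state=0
	plugin_output=SMTP OK - 0.019 sec. response time|time=0.019s;;;0.000
	last_state_change=1230768000
	}
servicestatus {
	host_name=webhost
	service_description=HTTP
	current_state=2
	plugin_output=HTTP CRITICAL: HTTP/1.1 500 - Apache/2.2.3 (CentOS)
	last_state_change=1230800400
	}
servicestatus {
	host_name=webhost
	service_description=SSH
	current_state=1
	plugin_output=SSH WARNING - OpenSSH_4.3 (protocol 2.0) version mismatch
	last_state_change=1230800400
	}
"""

# Nagios service state codes as written in status.dat.
SERVICE_STATES = {0: "OK", 1: "WARNING", 2: "CRITICAL", 3: "UNKNOWN"}

# Hypothetical publication policy: only these service descriptions are shown,
# and only under a public-facing name. Everything else (including SSH, every
# hostname and all plugin output) stays internal.
PUBLIC_SERVICES = {"HTTP": "Campus website", "SMTP": "E-mail delivery"}


def parse_status_dat(text):
    """Parse status.dat-style text into a list of (block_type, fields) tuples."""
    blocks = []
    btype, fields = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            btype, fields = line[:-1].strip(), {}
        elif line == "}":
            if btype is not None:
                blocks.append((btype, fields))
            btype, fields = None, None
        elif fields is not None and "=" in line:
            key, value = line.split("=", 1)
            fields[key] = value
    return blocks


def public_summary(text, allowed=PUBLIC_SERVICES):
    """Return [(public_name, state, since_utc)] for allow-listed services only.

    Hostnames, plugin output and performance data are dropped; the state
    change time is kept because "when it came back" is what support staff
    actually need to communicate.
    """
    rows = []
    for btype, f in parse_status_dat(text):
        if btype != "servicestatus" or f.get("service_description") not in allowed:
            continue
        state = SERVICE_STATES.get(int(f.get("current_state", 3)), "UNKNOWN")
        since = time.strftime("%Y-%m-%d %H:%M UTC",
                              time.gmtime(int(f.get("last_state_change", 0))))
        rows.append((allowed[f["service_description"]], state, since))
    return rows


def render_text(rows):
    """Render the summary as the plain-text page a public status site would serve."""
    return "\n".join("%-16s %-9s since %s" % row for row in rows)


if __name__ == "__main__":
    print(render_text(public_summary(SAMPLE_STATUS_DAT)))
```

A quick check that the rendered page contains no hostname or version string is a useful regression test for such a script, because the leak happens the first time someone adds a field "just for context". On Nagios 3 itself, the equivalent of this allow-list at the CGI layer is to keep `use_authentication=1` in `cgi.cfg` and grant a dedicated account only `authorized_for_read_only` rights, rather than exposing the CGIs to anonymous users.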