Port requirements for firewall request using wmi

mattgrwillis · May 13, 2019, 1:18pm

Hi, question… I have a Linux redhat icingaweb2 set up, working fine with Linux using agentless ssh checks using nagios plugins. I have just got Windows servers into the config and im using wmi with a plugin to monitor (again agentless). My question is this… I have some windows servers on a dmz network behind a firewall. the network team are telling me that where the port 135 is used for standard WMI connections I need to narrow it down and assign some other ports for security reasons… so how do I specify some ports within icinga2 to use for WMI connections, so I can give the network team the port numbers to use for the firewall rules ?? thanks in advance.

log1c · May 13, 2019, 1:39pm

I would say that this is the “job” of the check script/plugin.
Which one are you using?

Normally all plugins have a parameter --help or -h to display a detailed help page with instructions on how to use the plugin. This help page also lists the different parameters the plugin accepts when getting called, like -H for the IP/hostname. Check if there is a parameter that allows you to set a different port.

Example:

./check_snmp --help
check_snmp v2.2 (monitoring-plugins 2.2)
Copyright (c) 1999-2007 Monitoring Plugins Development Team
        <devel@monitoring-plugins.org>

Check status of remote machines and obtain system information via SNMP


Usage:
check_snmp -H <ip_address> -o <OID> [-w warn_range] [-c crit_range]
[-C community] [-s string] [-r regex] [-R regexi] [-t timeout] [-e retries]
[-l label] [-u units] [-p port-number] [-d delimiter] [-D output-delimiter]
[-m miblist] [-P snmp version] [-N context] [-L seclevel] [-U secname]
[-a authproto] [-A authpasswd] [-x privproto] [-X privpasswd] [-4|6]

Options:
 -h, --help
    Print detailed help screen
 -V, --version
    Print version information
 ...
 -H, --hostname=ADDRESS
    Host name, IP Address, or unix socket (must be an absolute path)
 -p, --port=INTEGER
    Port number (default: 161)

mattgrwillis · May 13, 2019, 1:45pm

Hi thanks for reply.
Im using check_wmi_plus.pl
and the only information I can find on ports and wmi (rpc) is as follows
TCP/135 is the standard port for RPC. It also uses a randomly assigned port between 1024-65535(TCP) for Windows 2003 and older, and 49152 - 65535(TCP) for Windows 2008

log1c · May 13, 2019, 1:57pm

I quickly downloaded the plugin and had a look at the script. It seems like there is no parameter to specify a different port.
I have never use the plugin myself, but my guess is that you/the network admins have to open port 135/tcp for the checks, as this is the port where the incoming connections (monitoring->checked host) will be done over.

gkoutsog · May 13, 2019, 2:10pm

As far as I know port 135/tcp is the default. Have a discussion with your network group to open the port and also check the following if needed.

https://docs.microsoft.com/en-us/windows/desktop/wmisdk/setting-up-a-fixed-port-for-wmi

/George

MarcusCaepio · May 14, 2019, 11:34am

I am also using check_wmi_plus behind firewalls and like @gkoutsog said, you have to set a fixed port on the agents