Home Directory Plugins Security check_heartbleed

Search Exchange

Search All Sites

Nagios Live Webinars

Let our experts show you how Nagios can help your organization.

Contact Us

Phone: 1-888-NAGIOS-1
Email: sales@nagios.com

Login

Remember Me

check_heartbleed

Network Monitoring Software - Download Nagios XI
Log Management Software - Nagios Log Server - Download
Netflow Analysis Software - Nagios Network Analyzer - Download
Rating
10 votes
Favoured:
0
Current Version
0.6
Last Release Date
2014-04-18
Compatible With
  • Nagios 2.x
  • Nagios 3.x
  • Nagios 4.x
  • Nagios XI
Hits
26021
Files:
FileDescription
check_heartbleed.pycheck_heartbleed.py
check_heartbleed allows you to check for the Heartbleed Vulnerability (CVE-2014-0160) of openssl on various systems.
Version - 0.6 : Added TLSv1.0 and SSLv3.0 support
If no version is specified, checks all versions.
Altered output somewhat.
Added optional verbose output

Version - 0.5 : Added socket timeout option with default to 10 seconds
Changed no data received to unknown, was returning OK.

Version - 0.4 : Try: Except: on all socket interactions.
Spelling mistake.

Version - 0.3 : Properly catches socket connection error.
Reworking of internal logic
Alterations of some unknown messages

Version - 0.2 : Now works with Python 2.4+
# /usr/local/nagios/libexec/check_heartbleed.py -h
usage: check_heartbleed.py server [options]

Test for SSL heartbeat vulnerability (CVE-2014-0160)

options:
-h, --help show this help message and exit
-H HOST, --host=HOST Host to connect to (default: 127.0.0.1)
-p PORT, --port=PORT TCP port to test (default: 443)
-v VERSION, --version=VERSION
TLS or SSL version to test [TLSv1.0(0), TLSv1.1(1),
TLSv1.2(2), or SSLv3.0(3)] (default: all)
-u, --udp Use TCP or UDP protocols, no arguments needed. This
does not work presently, keep to TCP. (default: TCP)
-t TIMEOUT, --timeout=TIMEOUT
Plugin timeout length (default: 10)
-V, --verbose Print verbose output, including hexdumps of packets.


Example Usage:

# ./check_heartbleed.py -H yahoo.com -p 443 -v 1
OK: yahoo.com TLSv1.0 is not vulnerable
# echo $?
0
# ./check_heartbleed.py -H vulnerable.site.com -p 443 -v 1
CRITICAL: vulnerable.site.com TLSv1.0 is vulnerable
# echo $?
2
# ./check_heartbleed.py -H vulnerable.site.com
CRITICAL: Server vulnerable.site.com TLSv1.0 is vulnerable. TLSv1.1 is vulnerable. TLSv1.2 is vulnerable. SSLv3.0 is vulnerable.

Example Command:

define command {
command_name check_heartbleed
command_line $USER1$/check_heartbleed.py -H $HOSTADDRESS$ -p 443 -v 1
}
Reviews (8)
Hey,

The plugin works great for some hosts, but is failing for a fairly large number, not sure if this is an issue at my side but I don't think so -

[root@host scripts]# ./check_heartbleed.py -H www.google.com -p 443
OK: Server www.google.com TLSv1.0 is not vulnerable. TLSv1.1 is not vulnerable. TLSv1.2 is not vulnerable. SSLv3.0 is not vulnerable.

[root@host scripts]# ./check_heartbleed.py -H www.test.com -p 443
UNKNOWN: Server www.test.com closed connection without sending Server Hello.



Any thoughts?
In Fortigate devices with FortiOS affected by Heartbleed (FGxxx-5.00-FW-build208-130603), plugin returns OK instead CRITICAL.

When we check this devices with NMAP and ssl-heartbleed.nse script, the result is VULNERABLE.
bysreinhardt, April 14, 2014
0 of 1 people found this review helpful
As of 14/4/14 (v0.3), All known issues with python 2.4+ should be resolved. There has been a -H flag per standard nagios plugins, and additional error handling. Please try it again and let us know if issues persist.
hi,

i've tried to use it on: rhel 5.x (
Package python-2.4.3-56.el5.x86_64 already installed)
but i get the following error msg:

---------------------------------------
:~>./check_hearbleed.py
---------------------------------------
File "./check_hearbleed.py", line 62
pdat = ' '.join((c if 32
Below is the steps I followed:
1. downloaded “Check_heartbleed.txt” to “check_heartbleed.py”
2. moved to “/usr/local/nagios/libexec/”
3. chmod –R 777 check_heartbleed.py

I am getting below error if I execute the script.. any clue on this?

[root@localhost libexec]# ./check_heartbleed.py 10.1.71.49 -p 443
Traceback (most recent call last):
File "./check_heartbleed.py", line 151, in
main()
File "./check_heartbleed.py", line 132, in main
s.connect((args[0], opts.port))
File "", line 1, in connect
socket.error: [Errno 111] Connection refused
byedgood1, April 11, 2014
Im getting a syntax error:

File "./check_heartbleed.py", line 62
pdat = '.join((c if 32

python version:
Python 2.4.3 (#1, Oct 23 2012, 22:02:41)
[GCC 4.1.2 20080704 (Red Hat 4.1.2-54)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
File "./check_heartbleed.py", line 62
pdat = '.join((c if 32
bynkrishna, April 10, 2014
0 of 1 people found this review helpful
Hi,

I'm getting the following syntax error while executing the plugin.
/usr/local/nagios/libexec/check_heartbleed.py localhost -p 443 -v 1
File "/usr/local/nagios/libexec/check_heartbleed.py", line 62
pdat = ''.join((c if 32