logo

Port 5666 – Nagios NRPE (Nagios Remote Plugin Executor)

Service:

nrpe

Protocol:

TCP

Port:

5666

Used for:

Nagios Remote Plugin Executor for system monitoring

Why It’s Open

Port 5666 is used by Nagios Remote Plugin Executor (NRPE) to allow Nagios monitoring servers to execute health checks and monitoring commands on remote systems. It’s a critical component in centralized monitoring setups, where the Nagios server needs access to CPU, memory, disk, and service status on multiple hosts.

The NRPE daemon listens on port 5666 for incoming requests and executes predefined commands listed in the local nrpe.cfg. It’s widely deployed in enterprise monitoring, especially in Linux environments.

Common Risks

  • Unauthorized Command Execution
    Attackers can exploit NRPE to run arbitrary commands on target systems.
  • Information Disclosure
    Exposed NRPE services may leak system metrics and internal configuration.
  • Man-in-the-Middle Attacks
    If SSL/TLS is not enforced, monitoring data may be intercepted or altered.
  • Version-specific Vulnerabilities
    Older NRPE versions have known security flaws and weak defaults.
  • Command Injection
    Poorly constructed NRPE command definitions could allow injection.
  • Authentication Bypass
    NRPE may lack proper verification if not configured with certificates.
  • SSL/TLS Weaknesses
    Misconfigured cryptographic settings can be exploited.
  • Privilege Escalation
    Certain NRPE commands may be misconfigured to run as privileged users.
  • Unrestricted Source Access
    Lack of IP-based access control allows anyone to query the service.

Want to save time on reporting?

Let PentestPad generate, track, and export your reports - automatically.

logo-cta

Enumeration & Testing

Basic port scan:

Terminal window
nmap -sV -p 5666

Test NRPE connection:

Terminal window
check_nrpe -H

Version detection:

Terminal window
check_nrpe -H  -V

List allowed commands:

Terminal window
check_nrpe -H  -n

What to Look For

CheckpointWhat it means
Unencrypted NRPE trafficMonitoring data can be intercepted
Outdated NRPE versionContains known exploits or insecure defaults
Weak command restrictionsMay allow execution of arbitrary system commands
Missing SSL/TLSData transmitted in plaintext
Unrestricted source IPsExposed to unauthorized external access

Mitigation

  • Enable SSL/TLS
    Ensure all NRPE communications are encrypted with valid certificates.
  • Version Control
    Keep NRPE and its plugins up-to-date to avoid known vulnerabilities.
  • Command Restriction
    Define only safe and specific commands in the nrpe.cfg file.
  • Access Controls
    Limit access to authorized Nagios servers via firewall and allowed_hosts.
  • Strong Authentication
    Use SSL certificate verification for secure client identification.
  • Source IP Restriction
    Avoid exposing NRPE to the internet; restrict access to trusted IPs.
  • Regular Audits
    Periodically review command definitions and log files for abuse.

TL;DR

  • Port 5666 = NRPE for remote monitoring
  • Enables Nagios checks on remote hosts
  • Requires SSL/TLS encryption
  • Must restrict allowed commands and IPs
  • Keep software patched and configs tight

Known CVEs and Exploits

  • CVE-2013-1362 – Buffer overflow in NRPE < 2.14
  • CVE-2014-2913 – Command injection via crafted NRPE packets
  • CVE-2017-2904 – SSL certificate verification bypass
  • CVE-2020-6581 – Arbitrary file read via configuration mishandling
  • Tools like check_nrpe, nmap, and metasploit can assist in NRPE enumeration and testing