Security

check_heartbleed

Write a Review

Description:

check_heartbleed allows you to check for the Heartbleed Vulnerability (CVE-2014-0160) of openssl on various systems.
Version – 0.6 : Added TLSv1.0 and SSLv3.0 support
If no version is specified, checks all versions.
Altered output somewhat.
Added optional verbose output

Version – 0.5 : Added socket timeout option with default to 10 seconds
Changed no data received to unknown, was returning OK.

Version – 0.4 : Try: Except: on all socket interactions.
Spelling mistake.

Version – 0.3 : Properly catches socket connection error.
Reworking of internal logic
Alterations of some unknown messages

Version – 0.2 : Now works with Python 2.4+

Current Version

0.6

Last Release Date

2014-04-18

Compatible With

  • Nagios 2.x
  • Nagios 3.x
  • Nagios 4.x
  • Nagios XI

Owner

Scott Wilkerson

Copy Page Link Recommend Login to Add to Favorites Login to Claim
Nagios CSP

Meet The New Nagios Core Services Platform

Built on over 25 years of monitoring experience, the Nagios Core Services Platform provides insightful monitoring dashboards, time-saving monitoring wizards, and unmatched ease of use. Use it for free indefinitely.

Download Now

Monitoring Made Magically Better

  • Nagios Core on Overdrive
  • Powerful Monitoring Dashboards
  • Time-Saving Configuration Wizards
  • Open Source Powered Monitoring On Steroids
  • And So Much More!
Project Notes
# /usr/local/nagios/libexec/check_heartbleed.py -h usage: check_heartbleed.py server [options] Test for SSL heartbeat vulnerability (CVE-2014-0160) options: -h, --help show this help message and exit -H HOST, --host=HOST Host to connect to (default: 127.0.0.1) -p PORT, --port=PORT TCP port to test (default: 443) -v VERSION, --version=VERSION TLS or SSL version to test [TLSv1.0(0), TLSv1.1(1), TLSv1.2(2), or SSLv3.0(3)] (default: all) -u, --udp Use TCP or UDP protocols, no arguments needed. This does not work presently, keep to TCP. (default: TCP) -t TIMEOUT, --timeout=TIMEOUT Plugin timeout length (default: 10) -V, --verbose Print verbose output, including hexdumps of packets. Example Usage: # ./check_heartbleed.py -H yahoo.com -p 443 -v 1 OK: yahoo.com TLSv1.0 is not vulnerable # echo $? 0 # ./check_heartbleed.py -H vulnerable.site.com -p 443 -v 1 CRITICAL: vulnerable.site.com TLSv1.0 is vulnerable # echo $? 2 # ./check_heartbleed.py -H vulnerable.site.com CRITICAL: Server vulnerable.site.com TLSv1.0 is vulnerable. TLSv1.1 is vulnerable. TLSv1.2 is vulnerable. SSLv3.0 is vulnerable. Example Command: define command { command_name check_heartbleed command_line $USER1$/check_heartbleed.py -H $HOSTADDRESS$ -p 443 -v 1 }
Reviews (8) Add a Review
Works great for some hosts but not others?
by CWSI, January 31, 2016
Hey,

The plugin works great for some hosts, but is failing for a fairly large number, not sure if this is an issue at my side but I don't think so -

[root@host scripts]# ./check_heartbleed.py -H www.google.com -p 443
OK: Server www.google.com TLSv1.0 is not vulnerable. TLSv1.1 is not vulnerable. TLSv1.2 is not vulnerable. SSLv3.0 is not vulnerable.

[root@host scripts]# ./check_heartbleed.py -H www.test.com -p 443
UNKNOWN: Server www.test.com closed connection without sending Server Hello.



Any thoughts?
Helpful?    
Report
Incorrect OK result with FortiOS
by fundacionrts, April 30, 2014
In Fortigate devices with FortiOS affected by Heartbleed (FGxxx-5.00-FW-build208-130603), plugin returns OK instead CRITICAL.

When we check this devices with NMAP and ssl-heartbleed.nse script, the result is VULNERABLE.
Helpful?    
Report
Check_Heartbleed fixes
by egalstad, April 30, 2014
As of 14/4/14 (v0.3), All known issues with python 2.4+ should be resolved. There has been a -H flag per standard nagios plugins, and additional error handling. Please try it again and let us know if issues persist.
0 of 1 found this review helpful.
Helpful?    1
Report
SyntaxError: invalid syntax
by emusic, April 30, 2014
hi,

i've tried to use it on: rhel 5.x (
Package python-2.4.3-56.el5.x86_64 already installed)
but i get the following error msg:

---------------------------------------
:~>./check_hearbleed.py
---------------------------------------
File "./check_hearbleed.py", line 62
pdat = ' '.join((c if 32
Helpful?    
Report
i am not able to execute.. throws connection refused
by knatesan1, April 30, 2014
Below is the steps I followed:
1. downloaded “Check_heartbleed.txt” to “check_heartbleed.py”
2. moved to “/usr/local/nagios/libexec/”
3. chmod –R 777 check_heartbleed.py

I am getting below error if I execute the script.. any clue on this?

[root@localhost libexec]# ./check_heartbleed.py 10.1.71.49 -p 443
Traceback (most recent call last):
File "./check_heartbleed.py", line 151, in
main()
File "./check_heartbleed.py", line 132, in main
s.connect((args[0], opts.port))
File "", line 1, in connect
socket.error: [Errno 111] Connection refused
Helpful?    
Report
syntax error
by edgood1, April 30, 2014
Im getting a syntax error:

File "./check_heartbleed.py", line 62
pdat = '.join((c if 32

python version:
Python 2.4.3 (#1, Oct 23 2012, 22:02:41)
[GCC 4.1.2 20080704 (Red Hat 4.1.2-54)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
Helpful?    
Report
Getting error trying to run script
by MarkJenks, April 30, 2014
File "./check_heartbleed.py", line 62
pdat = '.join((c if 32
Helpful?    
Report
Syntax error
by nkrishna, April 30, 2014
Hi,

I'm getting the following syntax error while executing the plugin.
/usr/local/nagios/libexec/check_heartbleed.py localhost -p 443 -v 1
File "/usr/local/nagios/libexec/check_heartbleed.py", line 62
pdat = ''.join((c if 32
0 of 1 found this review helpful.
Helpful?    1
Report
Page Sections
Project Overview Project Notes Reviews
Project Stats
Rating
4 (10)
Favorites
0
Views
36,425