Configuring Nagios to Monitor SSH Service on Non-Standard Ports


2 views

When deploying Nagios for service monitoring, the default SSH check assumes port 22. This becomes problematic when your SSH service runs on alternative ports (e.g., 2222, 5022, etc.), resulting in false "CRITICAL: Connection refused" alerts.

Edit your SSH service definition in services.cfg (or equivalent configuration file):

define service {
    use                 generic-service
    host_name           your_server
    service_description SSH
    check_command       check_ssh_port!2222  # Replace with your custom port
}

Add this to your commands.cfg:

define command {
    command_name    check_ssh_port
    command_line    $USER1$/check_ssh -p $ARG1$ -H $HOSTADDRESS$
}

For more flexibility, consider using the generic TCP check:

define service {
    use                 generic-service
    host_name           your_server
    service_description SSH_Custom_Port
    check_command       check_tcp!2222
}

Always validate your changes:

/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
systemctl restart nagios

For high-latency networks, modify timeout parameters:

define command {
    command_name    check_ssh_port_timeout
    command_line    $USER1$/check_ssh -p $ARG1$ -H $HOSTADDRESS$ -t 30
}

When monitoring non-standard SSH ports:

  • Ensure Nagios server has network access to the custom port
  • Update firewall rules accordingly
  • Consider using SSH keys instead of password authentication

When setting up Nagios for server monitoring, a common hurdle arises when critical services like SSH don't use default ports. The standard check_ssh plugin assumes port 22, leaving administrators with false critical alerts for properly functioning services on alternative ports.

Nagios Core's default SSH check uses this command definition (typically found in commands.cfg):

define command {
    command_name    check_ssh
    command_line    $USER1$/check_ssh -H $HOSTADDRESS$
}

For a server running SSH on port 2222, update your service definition in services.cfg:

define service {
    use                 generic-service
    host_name           linux-server
    service_description SSH
    check_command       check_ssh_port!2222
}

Add this to your commands.cfg:

define command {
    command_name    check_ssh_port
    command_line    $USER1$/check_ssh -H $HOSTADDRESS$ -p $ARG1$
}

For more complex scenarios, consider these additional parameters:

define command {
    command_name    check_ssh_advanced
    command_line    $USER1$/check_ssh -H $HOSTADDRESS$ -p $ARG1$ -t $ARG2$ -4
}

Before restarting Nagios, validate your config:

/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

For distributed monitoring, configure NRPE on the remote host:

command[check_ssh_custom]=/usr/lib/nagios/plugins/check_ssh -H 127.0.0.1 -p 2222
  • Verify port accessibility with telnet $HOST $PORT
  • Check firewall rules and SELinux contexts
  • Ensure the Nagios user has necessary permissions