NagMon logo NagMon
  1. Home
  2. Guides
  3. Secure Remote Access to Nagios
Nagios Guides · Security

Secure Remote Access to Your Nagios Server

Your monitoring server is a map of your infrastructure and, with command access, a set of levers on it. Here's how to reach it from anywhere — phone included — without handing that map to the internet.

Updated July 2026 · Applies to Nagios Core 4.x

On this page
  1. What's actually at stake
  2. Option 1: VPN (recommended)
  3. Option 2: publish over HTTPS
  4. Strengthening authentication
  5. Read-only accounts
  6. What not to do
  7. The checklist

What's actually at stake

A Nagios web interface leaks more than status colors. Host names, IP addresses, service inventory, plugin output containing paths and versions — it's reconnaissance gold. And an account with command authorization can disable checks and notifications, schedule downtime, and submit external commands. Treat access to Nagios like access to a management console, because that's what it is.

Option 1: VPN — the recommended default

The cleanest answer is to not publish Nagios at all: keep it on the internal network and give your devices a secure path in.

Over a VPN, your phone reaches the server exactly as if it were on the LAN — a mobile client like NagMon connects with the internal hostname, and nothing about your monitoring is internet-facing. Even then, keep HTTPS on: encryption inside the perimeter costs nothing.

Option 2: publish over HTTPS

Sometimes a VPN isn't practical. If you do expose the web interface, do all of the following, not a subset:

TLS with a real certificate

Let's Encrypt makes this a ten-minute job on the Apache server that already fronts Nagios:

sudo apt install certbot python3-certbot-apache
sudo certbot --apache -d nagios.example.com

Certbot configures the vhost and renews automatically. Then redirect or disable plain HTTP — Basic auth over HTTP sends credentials effectively in the clear on every request.

Restrict what's reachable

Skip the security theater: a non-standard port hides nothing from a scanner and breaks nothing for an attacker. Spend the effort on TLS, auth, and allowlists instead.

Strengthening authentication

Read-only accounts

Authorization lives in cgi.cfg, and it's worth being deliberate: viewing status and submitting commands are separate privileges. For an account you use from a phone on the road — or for a wall dashboard — a read-only user limits the blast radius of a lost credential:

# cgi.cfg
authorized_for_all_hosts=rvetter,dashboard
authorized_for_all_services=rvetter,dashboard
authorized_for_all_host_commands=rvetter
authorized_for_all_service_commands=rvetter
authorized_for_read_only=dashboard

Here dashboard can see everything but change nothing, while rvetter keeps full command rights — able to acknowledge and schedule downtime from the app. The JSON API honors the same authorization, so a read-only user's API access is read-only too (details).

What not to do

The checklist

NagMon app icon

Locked down? Now make it usable.

NagMon connects over HTTPS or your VPN, supports Basic and Digest auth, and keeps everything on-device. Free on the App Store.

Download NagMon