On Sat, 02 Mar 2013 10:51:06 +0200, Andrey Chervonets <a.chervonets at cominder.eu> wrote:
Thanks to everyone who participated for the interesting discussion!
Yes, securing client-server communication may be a problem. I see just two quite simple things that will eliminate most of the issues: a) limit the list of acceptable connections by IP at the OS level (or maybe Xymon can do this too?!) b) use SSH tunnels between client and server - this was already described in the Xymon manuals or wiki.
What all of this really boils down to is that Xymon is not designed for use in a "hostile" network. There are very few security features built into Xymon, e.g. access to the webpages is really wide-open. The only access controls are whatever you build on top of Xymon, e.g. with the Apache webserver security features.
xymond has some options to do some basic IP-level checking of who is allowed to send various commands. With this, you can restrict administrative commands (drop, disable etc.) to come from certain hosts - the Xymon webserver, probably. Same with status-updates, which are then only allowed from the monitored server itself and from network-test servers.
But IP-layer checks are fast becoming irrelevant due to proxies, NAT and IPv6.
The only way I can see to implement security in the communications to xymond is to use SSL and then two-way certification of the connection. So SSL client- and server-certificate validation. I'm implementing this (have done so, actually) in the same style as OpenVPN - client certificates must be issued by a specific trusted certificate authority (and not be revoked). So you set up your own CA to issue a certificate for each client installation, and then the Xymon server just checks who issued the certificate.
xymond should then use the identity given in the certificate as the name of the server sending status-updates (instead of trusting the client to use the correct hostname), but that hasn't been implemented yet.
File-level read/execute permission on the binaries is meaningless. Anyone with half a bit of Perl knowledge can cook up a script that sends commands to xymond (you'll find it if you search the archives).
Regards, Henrik
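One way to express the checks Henrik describes above, as an added Python example that is not Xymon's own code: the server demands a client certificate issued by its own CA and rejects revoked ones, then uses the certificate's identity as the sending host rather than trusting the hostname inside the message, and only lets admin-identified certificates issue drop/disable commands. The `ADMIN_COMMANDS` set, the file paths, and `SAMPLE_PEERCERT` are assumptions constructed for the example.

```python
import ssl
from typing import Optional, Set

# Commands treated as administrative (assumption for this example).
ADMIN_COMMANDS = {"drop", "disable", "enable", "rename"}


def make_server_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Server-side TLS context: require a client certificate that chains to our
    own CA, and fail the handshake if the leaf is listed in a CRL bundled in ca_file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED            # no client cert, no connection
    ctx.load_verify_locations(cafile=ca_file)      # CA cert plus CRL(s), PEM format
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF  # revoked client certs are rejected
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def identity_from_peercert(peercert: dict) -> Optional[str]:
    """Extract the commonName from a dict shaped like SSLSocket.getpeercert():
    'subject' is a tuple of RDNs, each a tuple of (attribute, value) pairs."""
    for rdn in peercert.get("subject", ()):
        for attribute, value in rdn:
            if attribute == "commonName":
                return value
    return None


def authorize(message: str, cert_identity: str, admin_identities: Set[str]) -> bool:
    """Decide whether a xymond-style message may be accepted from the holder of
    cert_identity. Status/data updates must name the certificate's own host;
    administrative commands require an identity from admin_identities."""
    words = message.split()
    if not words:
        return False
    # Strip Xymon's optional "+lifetime" and "/group:..." suffixes from the command word.
    command = words[0].split("+", 1)[0].split("/", 1)[0].lower()
    if command in ADMIN_COMMANDS:
        return cert_identity in admin_identities
    if command in ("status", "data") and len(words) >= 2:
        # Second word is HOSTNAME.TESTNAME; Xymon writes hostname dots as commas.
        claimed_host = words[1].rsplit(".", 1)[0].replace(",", ".")
        return claimed_host == cert_identity
    return False


# Constructed sample of what getpeercert() returns for a CA-issued client cert.
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "XX"),), (("commonName", "web01.example.com"),)),
    "serialNumber": "0A1B2C",
}
```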