Hi XyMonsters!
I need to monitor several satellite sites with XyMon. These sites are not available on our local LAN, so I have to go via the internet. I am a bit hesitant to open the ports etc. since the information collected can be used in footprinting the system. How would I go about securing the service so that Xymon's information does not fall into the wrong hands?
Regards
Neil
Hi Neil... I just recently did this same thing. At sites where I do not have a VPN, I have found that stunnel is the best/easiest way to go.
On the client site (your remote sites) stunnel running in client mode can listen on an arbitrary port (I chose 11984) and then send the data ENCRYPTED to an stunnel running in server mode at your central site. The server mode stunnel then sends the unencrypted data to your central xymon server on port 1984.
Here's a cheesy ASCII diagram:
(Remote xymon server)
    ~xymon/server/etc/hobbitserver.cfg:
        BBDISP=0.0.0.0
        BBDISPLAYS="ip.of.client.xymon 127.0.0.1:11984"

    stunnel: in CLIENT mode (default)
        listen=127.0.0.1:11984        (unencrypted data in)
        connect=your.firewall.ip:11984 (encrypted data out)
          |
          V
Client's firewall (allow server out on 11984/TCP to your firewall IP)
          |
          V
      INTERNET
          |
          V
Your firewall (allow client's firewall IP in on 11984/TCP to your server)
          |
          V
your server running stunnel & xymon
          |
          V
    stunnel: in SERVER mode
        listen=127.0.0.1:11984        (encrypted data in)
        connect=127.0.0.1:1984        (unencrypted data out to central xymon server)
This should take about 1/2 hour to 45 minutes to do. Thanks to the stunnel people, it is that simple.
Hope this helps!
-- Bill Arlofski Reverse Polarity, LLC http://www.revpol.com/
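As an added example, not taken from Bill's post nor from the stunnel or Xymon projects, here are the two stunnel configuration files that the diagram above describes, written out with the option names stunnel actually uses (a service section with `accept` and `connect`, `client = yes` on the remote side). Everything concrete in it is assumed for illustration: the file paths, the hostname `your.firewall.ip`, the certificate names, and two choices that go beyond the post: the central-site stunnel is bound on all interfaces (0.0.0.0) so the forwarded traffic from the firewall can reach it, and `verify = 2` with a `CAfile` on both sides makes each end check the other's certificate, so the link is authenticated and not only encrypted. Without verification, anyone who can reach 11984/TCP on the central firewall gets a TLS session straight into port 1984 of the Xymon server.

```ini
; ---------------------------------------------------------------------------
; Remote site:  /etc/stunnel/xymon-client.conf   (stunnel in CLIENT mode)
; Example config; paths, hostnames and certificate names are assumptions.
;
; Each side's .pem (private key + self-signed certificate in one file) can be
; made with:
;   openssl req -new -x509 -days 3650 -nodes -keyout site.pem -out site.pem
; Copy only the "-----BEGIN CERTIFICATE-----" block of one side's .pem into
; the other side's CAfile; the private key never leaves its own host.
;
; Remote Xymon side (as in the post): hobbitserver.cfg sets
;   BBDISP=0.0.0.0
;   BBDISPLAYS="ip.of.client.xymon 127.0.0.1:11984"
; so status reports also go to the local stunnel listener below.
; ---------------------------------------------------------------------------
client = yes
cert   = /etc/stunnel/remote-site.pem     ; this site's key+cert, presented to the central site
CAfile = /etc/stunnel/central-site.crt    ; central site's self-signed cert, explicitly trusted
verify = 2                                ; require AND verify the central site's certificate
pid    = /var/run/stunnel-xymon.pid
options = NO_SSLv2
options = NO_SSLv3

[xymon]
accept  = 127.0.0.1:11984                 ; plaintext in from the remote Xymon server, loopback only
connect = your.firewall.ip:11984          ; TLS out through the client's firewall

; ---------------------------------------------------------------------------
; Central site:  /etc/stunnel/xymon-server.conf   (stunnel in SERVER mode)
; The firewall forwards 11984/TCP, from the remote site's address only,
; to this host.  Port 1984 is never opened on the firewall.
; ---------------------------------------------------------------------------
cert   = /etc/stunnel/central-site.pem    ; central site's key+cert
CAfile = /etc/stunnel/remote-sites.crt    ; one certificate block per remote site, concatenated
verify = 2                                ; require a client certificate: only listed remote sites get in
pid    = /var/run/stunnel-xymon.pid
options = NO_SSLv2
options = NO_SSLv3

[xymon]
accept  = 0.0.0.0:11984                   ; TLS in from the internet (via the firewall forward)
connect = 127.0.0.1:1984                  ; plaintext to the local Xymon daemon; never leaves this host
```

Two checks after it is running: from outside, `openssl s_client -connect your.firewall.ip:11984` should complete a TLS handshake only when given the remote site's certificate and key (`-cert`/`-key`), and should be rejected without them; a plain TCP connection to port 1984 on the central firewall should be refused, since only the stunnel port is forwarded. On the remote site, 11984 on loopback is the only listener that accepts plaintext, so the unencrypted Xymon protocol never touches a non-loopback interface on either end.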