I have a customer who is concerned that anyone could send data messages to the Xymon server with one of his host names, and Xymon would accept it as real, thus potentially masking an attack.
Note that this is in a university environment, so even if data can come only from campus addresses we might not necessarily trust the data.
Is there a way to get Xymon to check the IP address on incoming data packets to verify that it is coming from the host it claims to be?
--status-senders is the option you'd want to look into (though I've never actually used it myself); by default Xymon accepts reports from everything about everything (although it does record the source IP, for later investigation). This is key when you have, say, a network poller returning information about the http test for your www.example.com host.
Regards, -jc
=== man xymond snippet below ===
--status-senders=IP[/MASK][,IP/MASK]
    Controls which hosts may send "status", "combo", "config" and "query" commands to xymond.

    By default, any host can send status-updates. If this option is used, then status-updates are accepted only if they are sent by one of the IP addresses listed here, or if they are sent from the IP address of the host that the updates pertain to (this is to allow Xymon clients to send in their own status updates, without having to list all clients here). So typically you will need to list your servers running network tests here.

    The format of this option is a list of IP addresses, optionally with a network mask in the form of the number of bits. E.g. if you want to accept status-updates from the host 172.16.10.2, you would use

        --status-senders=172.16.10.2

    whereas if you want to accept status updates from both 172.16.10.2 and from all of the hosts on the 10.0.2.* network (a 24-bit IP network), you would use

        --status-senders=172.16.10.2,10.0.2.0/24
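To make the acceptance rule in the man page snippet concrete, here is a small model of it. This is an added illustration written for this thread, not code from Xymon itself: it re-implements the decision xymond is documented to make (sender listed in --status-senders, or sender equals the address of the host the update is about, and only for the four gated commands). The host-to-address table stands in for what xymond would take from hosts.cfg, and the sample messages are constructed.

```python
"""Model of xymond's --status-senders acceptance rule (illustration only,
not Xymon source). Assumption: the host -> IP mapping below plays the role
of hosts.cfg; the sample messages and addresses are constructed for this
example."""
import ipaddress

# Per the man page, only these commands are subject to --status-senders.
GATED_COMMANDS = {"status", "combo", "config", "query"}

# Constructed stand-in for hosts.cfg: hostname -> IP address.
HOSTS = {
    "www.example.com": "10.0.2.7",
    "db1.example.com": "172.16.20.5",
}


def parse_status_senders(option):
    """Parse 'IP[/MASK][,IP/MASK]...' into a list of ip_network objects.

    A bare IP with no mask becomes a single-address network (/32 or /128).
    An empty or missing option means the default: no restriction.
    """
    if not option:
        return []
    nets = []
    for item in option.split(","):
        item = item.strip()
        if item:
            # strict=False tolerates host bits set in the prefix (e.g. 10.0.2.1/24).
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def accepts(sender_ip, command, hostname, status_senders, hosts=HOSTS):
    """Return True if xymond would accept `command` about `hostname`
    from the TCP peer address `sender_ip` under the given --status-senders."""
    if command.lower() not in GATED_COMMANDS:
        return True                      # option does not apply to other commands
    if not status_senders:
        return True                      # default: anyone may report about anyone
    ip = ipaddress.ip_address(sender_ip)
    if any(ip in net for net in status_senders):
        return True                      # explicitly trusted sender (e.g. a network poller)
    host_ip = hosts.get(hostname)
    # A client may always report about itself.
    return host_ip is not None and ipaddress.ip_address(host_ip) == ip


def classify(messages, option):
    """Run a batch of (sender_ip, command, hostname) tuples through the rule
    and return the subset that would be rejected."""
    senders = parse_status_senders(option)
    return [m for m in messages if not accepts(m[0], m[1], m[2], senders)]


if __name__ == "__main__":
    # Constructed sample traffic: (peer address, command, host the update claims to be about)
    sample = [
        ("172.16.10.2", "status", "db1.example.com"),  # listed poller reporting on a host
        ("172.16.20.5", "status", "db1.example.com"),  # db1 reporting about itself
        ("10.0.2.200",  "status", "www.example.com"),  # inside the 10.0.2.0/24 range
        ("192.0.2.9",   "status", "db1.example.com"),  # campus box claiming to be db1
        ("192.0.2.9",   "ping",   "db1.example.com"),  # not a gated command
    ]
    for rejected in classify(sample, "172.16.10.2,10.0.2.0/24"):
        print("would reject:", rejected)
```

The check keys off the TCP peer address of the connection to xymond, so it only raises the bar as far as your network prevents address spoofing and as far as the listed sender hosts themselves are trustworthy; a compromised poller that is in the list can still report about any host.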