I have the cluster logicalhost names in hosts.cfg, don't care about the rest of the tests. I also have the real zones running the xymonclient in that zone with all its built in monitoring. Monitoring all cluster resources from the globalzone makes the script so much easier.
group-only ftp-rs|app-rs|ora-server-rs|ora-lsnr-rs CLUSTER-Resources
10.0.1.40 ftp01-lh # noconn
10.0.1.30 app01-lh # noconn
10.0.1.20 ora01-lh # noconn
- Roland
-----Original Message-----
From: Benjamin P. August [mailto:baugust at stanford.edu]
Sent: Thursday, 6 December 2012 11:49 AM
To: Roland Soderstrom
Cc: xymon at xymon.com
Subject: Re: [Xymon] Xymon security concern raised
I know this is off-topic, but how did you get them to not end up as ghost clients with differing hostnames and sent-from values? I'd really love to do this for monitoring multiple ESXi machines on the internal network from one server. I tried using multihomed in hosts.cfg, but was not having much luck.
----- Original Message -----
From: "Roland Soderstrom" <Rolands at logicaltech.com.au>
To: xymon at xymon.com
Sent: Wednesday, December 5, 2012 12:51:41 PM
Subject: Re: [Xymon] Xymon security concern raised
On a side note I actually do this on purpose in my environment.
I got a Solaris Cluster running cluster resources in zoneclusters.
Instead of running ext/scripts in the zone I run them in the globalzone and fake the delivery hostname to be the zonecluster's logicalhostname.
E.g. Xymon $XYMSRV "status <zoneclusterhostname>.clustertest $COLOR date $Message"
Works brilliantly.
I remember a while back there was a discussion on how to encrypt the message over the xymon port 1984, that will surely prevent any false messages going through. (as false clients can't encrypt with the right key) Can't remember the outcome of the discussion.
- Roland
-----Original Message-----
From: xymon-bounces at xymon.com [mailto:xymon-bounces at xymon.com] On Behalf Of Novosielski, Ryan
Sent: Thursday, 6 December 2012 7:39 AM
To: Steve Holmes
Cc: xymon at xymon.com
Subject: Re: [Xymon] Xymon security concern raised
My understanding is that it's fairly easy to do, also. I don't know if having a proxy in between helps at all or any of that, but my understanding is that what's sent is fairly simple and plain text (I believe there's info about the protocol in the manual).
That said, I'm not 100% sure what nefarious thing someone could do with that information. I guess they could open the rlogin port or something and then send a status message to indicate it's still closed?
On 12/05/2012 03:20 PM, Steve Holmes wrote:
I believe the concern is that a student or other 'non-admin' could send a packet from an unconfigured workstation masquerading as a configured host. I think I need to do a little more research on the problem. Thanks! Steve
On Wed, Dec 5, 2012 at 12:30 PM, Tim McCloskey <tm at freedom.com> wrote:
Not sure that can be done in Xymon currently.
So, is the concern that one of the configured hosts could pretend to be one of the other configured hosts? If not, a nice packet filter/firewall allowing tcp:1984 from only the Xymon hosts -> Xymon server would provide a possible fix for that.
Regards, Tim
________________________________________
From: xymon-bounces at xymon.com [xymon-bounces at xymon.com] on behalf of Steve Holmes [sholmes42 at mac.com]
Sent: Wednesday, December 05, 2012 9:14 AM
To: xymon at xymon.com
Subject: [Xymon] Xymon security concern raised
I have a customer who is concerned that anyone could send data messages to the xymon server with one of his host names and Xymon would accept it as real thus potentially masking an attack.
Note that this is in a university environment, so even if data can come only from campus addresses we might not necessarily trust the data.
Is there a way to get Xymon to check the IP address on incoming data packets to verify that it is coming from the host it claims to be?
Thanks, Steve Holmes Purdue University
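The check Steve is asking for, a comparison of the source IP of an incoming status message against the IP that hosts.cfg lists for the claimed hostname, is sketched below as an added example. It is not code from the list or from Xymon itself; it shows what a front-end or proxy in front of port 1984 would have to do, and why Roland's setup (logicalhost status sent from the globalzone) needs an explicit exception. The hosts.cfg text, the status lines and the EXTRA_SENDERS table are all constructed for the example; Xymon's convention of writing dots in FQDNs as commas inside status messages is the only protocol detail relied on.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed hosts.cfg in the shape discussed in the thread: "IP hostname # tags".
# "group"/"group-only" lines are section headers and carry no host.
SAMPLE_HOSTS_CFG = """\
group-only ftp-rs|app-rs|ora-server-rs|ora-lsnr-rs CLUSTER-Resources
10.0.1.40 ftp01-lh # noconn
10.0.1.30 app01-lh # noconn
10.0.1.20 ora01-lh # noconn
group Workstations
10.0.2.15 ws01 # ssh
"""

# Hypothetical allowlist for Roland's pattern: status for the cluster logical
# hosts is legitimately delivered from the globalzone (constructed IP 10.0.1.5).
# Without such an exception a strict source-IP check would reject those reports.
EXTRA_SENDERS: Dict[str, Set[str]] = {
    "ftp01-lh": {"10.0.1.5"},
    "app01-lh": {"10.0.1.5"},
    "ora01-lh": {"10.0.1.5"},
}

HOST_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)(?:\s*#\s*(.*))?$")
# "status" optionally followed by "+lifetime", then HOST.TEST COLOR ...
STATUS_LINE = re.compile(r"^status(?:\+\d+)?\s+(\S+)\.(\S+)\s+(\S+)")


def parse_hosts_cfg(text: str) -> Dict[str, Dict]:
    """Map hostname -> {"ip": ..., "tags": [...]} from hosts.cfg-style text."""
    hosts: Dict[str, Dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("group"):
            continue
        m = HOST_LINE.match(line)
        if not m:
            continue  # ignore directives this example does not model
        ip, name, tags = m.groups()
        hosts[name] = {"ip": ip, "tags": (tags or "").split()}
    return hosts


def parse_status(msg: str) -> Optional[Tuple[str, str, str]]:
    """Return (hostname, testname, color) from a status message, or None."""
    m = STATUS_LINE.match(msg)
    if not m:
        return None
    host, test, color = m.groups()
    # Xymon writes FQDNs with commas in place of dots inside the message.
    return host.replace(",", "."), test, color


def check_sender(msg: str, sender_ip: str, hosts: Dict[str, Dict],
                 extra: Optional[Dict[str, Set[str]]] = None) -> Tuple[str, str]:
    """Decide whether a status message may be trusted given its source IP.

    Returns ("accept", reason) or ("reject", reason). A claimed hostname that is
    not in hosts.cfg is rejected outright; Xymon would otherwise create a ghost.
    """
    parsed = parse_status(msg)
    if parsed is None:
        return "reject", "not a status message"
    host, test, color = parsed
    entry = hosts.get(host)
    if entry is None:
        return "reject", f"unknown host {host} (would become a ghost client)"
    allowed = {entry["ip"]} | (extra or {}).get(host, set())
    if sender_ip in allowed:
        return "accept", f"{host}.{test} {color} from {sender_ip}"
    return "reject", (f"{host}.{test} claimed by {sender_ip}, "
                      f"expected one of {sorted(allowed)}")


if __name__ == "__main__":
    cfg = parse_hosts_cfg(SAMPLE_HOSTS_CFG)
    # Constructed traffic: one genuine report, one spoofed report from an
    # unconfigured workstation, one globalzone report for a logical host.
    for ip, line in [("10.0.2.15", "status ws01.cpu green all fine"),
                     ("10.0.9.77", "status ws01.rlogin green port closed"),
                     ("10.0.1.5", "status ftp01-lh.clustertest green online")]:
        print(ip, check_sender(line, ip, cfg, EXTRA_SENDERS))
```

The decision is deliberately per-host rather than per-network: a campus-wide packet filter on tcp/1984 (Tim's suggestion) stops outsiders, but only a hostname-to-source mapping catches a configured-range machine claiming another host's name, which is the case Steve describes.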
Ryan Novosielski - Sr. Systems Programmer, Univ. of Med. and Dent. | IST/EI-Academic Svcs.
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon