Thanks Jeremy. I was thinking about using stunnel which seems more straight forward. Too bad about development being stalled. Hopefully, it will restart soon. Really need this functionality.

From: Jeremy Laidman <jeremy at laidman.org> Sent: Monday, March 15, 2021 2:40 PM To: LOZOVSKY, DANIEL <dl1025 at att.com> Cc: xymon at xymon.com Subject: Re: [Xymon] Xymon Encrypting End Points for Azure

Daniel

Transport encryption between client and server has been planned for an upcoming release. However, development appears to have stalled so I wouldn't expect anything soon.

As there is currently no native encryption, you have a few other options for this:

• use stunnel on both client and server
• configure the clients to connect using HTTPS, and install a CGI script to handle the connections
• use ssh tunnels

Some of these methods can also incorporate authentication, to improve security even further.

More on these techniques can be found here: https://en.wikibooks.org/wiki/System_Monitoring_with_Xymon/Administration_Guide#Encryption_and_Tunnelling<https://urldefense.com/v3/__https:/en.wikibooks.org/wiki/System_Monitoring_with_Xymon/Administration_Guide*Encryption_and_Tunnelling__;Iw!!BhdT!zEsjoN0cTAxz8FVcAVFazV5guIzkmvraNFmuVR1hwaM_Tnbc6SjpaCOZUXDc7A$>

Cheers Jeremy

On Tue, 16 Mar 2021 at 07:31, LOZOVSKY, DANIEL <dl1025 at att.com<mailto:dl1025 at att.com>> wrote: I am in the process of migrating xymon to Azure client. My group need to make sure application end points are encrypted meaning that Xymon will need to use secure connection. What is the best way of accomplishing this task that you can recommend?

Xymon mailing list Xymon at xymon.com<mailto:Xymon at xymon.com> http://lists.xymon.com/mailman/listinfo/xymon<https://urldefense.com/v3/__http:/lists.xymon.com/mailman/listinfo/xymon__;!!BhdT!zEsjoN0cTAxz8FVcAVFazV5guIzkmvraNFmuVR1hwaM_Tnbc6SjpaCPCTmn4Lg$>

I've been using curl to send report to the CGI program, because I need to use encrypted connections. It doesn't scale well... I have gaps in every graph due to missing reports. I've been looking at cobbling together my own equivalent that doesn't require Apache on the Xymon server. It's slow going, though.

Ralph Mitchell

On Mon, Mar 15, 2021 at 7:08 PM Jeremy Laidman <jeremy at laidman.org> wrote:

On Tue, 16 Mar 2021 at 08:42, LOZOVSKY, DANIEL <dl1025 at att.com> wrote:

...

Thanks Jeremy. I was thinking about using stunnel which seems more straight forward. Too bad about development being stalled. Hopefully, it will restart soon. Really need this functionality.

Agreed. The other two foreshadowed features many of us are waiting for are: full support for SNMP, and IPv6.

There's actually another option for encryption that I didn't mention, but it can be really useful in some circumstances. Many years ago I wrote a script that provided an agentless deployment, and it's still in use today. It works by connecting via ssh, then pushing the Xymon client scripts from the server to the shell running on the client. The client scripts execute on the client host, and send its updates to STDOUT, which traverses the ssh connection, to be injected into the Xymon server.

I've used this technique to monitor hosts that cannot connect directly to the Xymon server, by using ssh to connect via one or more jump hosts. All it needs is a way to get a shell prompt on the client.

More info here: http://tools.rebel-it.com.au/xymon-rclient/.

J

---

Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon