Securing Xymon Over Internet
Hi XyMonsters!
I need to monitor several satellite sites with XyMon. These sites are not available on our local LAN so I have to go via the internet. I am a bit hesitant to open the ports etc. since the information collected can be used in footprinting the system. How would I go about securing the service so that Xymon's information does not fall into the wrong hands?
Regards
Neil
Would it be possible to set up VPNs to the remote locations? That way you can have a secure connection over the internet, transparent to Xymon. There are a number of free solutions available, i.e. OpenVPN.
/Johan
Hi Johan
Will check it out. Are there any other alternatives? I just need to have a plan A, B and C to present to the bean counters.
Regards
Neil
On Tue, Feb 10, 2009 at 12:15, Neil Franken <nfranken at theunlimitedworld.co.za> wrote:
Hi Johan
Will check it out. Are there any other alternatives? I just need to have a plan A, B and C to present to the bean counters.
Your options are basically either:
a) VPN (pick your solution)
b) SSH tunnel
-- Please keep list traffic on the list.
Rob MacGregor
Whoever fights monsters should see to it that in the process he doesn't become a monster. (Friedrich Nietzsche)
The two options I know of are SSH and VPN, as was said. Depending on your network hardware a VPN should be very easy, but SSH is a great fallback (who doesn't have SSH open!?)
-- Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St Suite 1337
Troy, OH 45373
Those who don't understand UNIX are condemned to reinvent it, poorly. (Henry Spencer)
Hi Neil... I just recently did this same thing. At sites where I do not have a VPN, I have found that stunnel is the best/easiest way to go.
On the client site (your remote sites) stunnel running in client mode can listen on an arbitrary port (I chose 11984) and then send the data ENCRYPTED to an stunnel running in server mode at your central site. The server-mode stunnel then sends the unencrypted data to your central Xymon server on port 1984.
Here's a cheesy ASCII diagram:
(Remote xymon server) ~xymon/server/etc/hobbitserver.cfg:
    BBDISP=0.0.0.0
    BBDISPLAYS="ip.of.client.xymon 127.0.0.1:11984"

stunnel: in CLIENT mode (default)
    listen=127.0.0.1:11984          (unencrypted data in)
    connect=your.firewall.ip:11984  (encrypted data out)
      |
      V
Client's firewall (allow server out on 11984/TCP to your firewall IP)
      |
      V
INTERNET
      |
      V
Your firewall (allow client's firewall IP in on 11984/TCP to your server)
      |
      V
your server running stunnel & xymon
      |
      V
stunnel: in SERVER mode
    listen=127.0.0.1:11984  (encrypted data in)
    connect=127.0.0.1:1984  (unencrypted data out to central xymon server)
This should take about 1/2 hour to 45 minutes to do. Thanks to the stunnel people, it is that simple.
Hope this helps!
-- Bill Arlofski Reverse Polarity, LLC http://www.revpol.com/
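As an added example (not from Bill's post or the stunnel/Xymon projects), the two stunnel.conf files his diagram describes, with certificate checks in both directions so that only satellites holding a cert from your own CA can feed the central server and a satellite will only talk to the genuine central stunnel. stunnel's keyword for the listening side is accept rather than listen; the file paths, the private CA and the server-side accept on all interfaces are assumptions.

```ini
; ===== remote (satellite) site: /etc/stunnel/xymon-client.conf =====
; The satellite's Xymon points at 127.0.0.1:11984 (BBDISPLAYS as in the
; diagram above); stunnel encrypts it and sends it to the central firewall.
client  = yes
cert    = /etc/stunnel/satellite.pem     ; this site's cert+key (assumed path)
CAfile  = /etc/stunnel/xymon-ca.pem      ; your private CA (assumed)
verify  = 2                              ; central server must present a cert
                                         ; signed by CAfile, else drop the link
pid     = /var/run/stunnel-xymon.pid
setuid  = stunnel
setgid  = stunnel

[xymon]
accept  = 127.0.0.1:11984                ; plaintext in, loopback only
connect = your.firewall.ip:11984         ; TLS out through the firewall

; ===== central site: /etc/stunnel/xymon-server.conf =====
; Firewall forwards satellite-IP -> 11984/TCP to this host; stunnel
; decrypts and hands the traffic to the local Xymon daemon on 1984.
cert    = /etc/stunnel/central.pem       ; central cert+key (assumed path)
CAfile  = /etc/stunnel/xymon-ca.pem
verify  = 2                              ; client cert required and checked
                                         ; against the CA: an unknown client
                                         ; cannot even reach port 1984
pid     = /var/run/stunnel-xymon.pid
setuid  = stunnel
setgid  = stunnel

[xymon]
accept  = 11984                          ; TLS in on all interfaces (assumed)
connect = 127.0.0.1:1984                 ; plaintext to Xymon on loopback only
```

With verify = 2 on both ends, a stolen satellite cert is revoked by replacing the CA-signed cert, while port 1984 itself never needs to be exposed beyond loopback.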
On Tue, Feb 10, 2009 at 10:06:39AM +0200, Neil Franken wrote:
I need to monitor several satellite sites with XyMon. These sites are not available on our local LAN so I have to go via the internet. I am a bit hesitant to open the ports etc since the information collected can be used in foot printing the system. How would I go about securing the service so that xymons information does not fall into the wrong hands?
For a solution now, OpenVPN would be my suggestion: it is very easy to set up, uses standard OpenSSL encryption with digital certificates for authentication, and has a nice price ($ 0,00). Plus you get a true VPN connection to the server, so if need be you can SSH to the remote servers through the VPN tunnel, or rdesktop if they are Windows servers.
In the slightly longer run, the Xymon clients will know how to use an SSL-encrypted connection to the Xymon server. This is planned for one of the releases that will show up over the coming months (see my announcement from yesterday).
Regards, Henrik