[Xymon] Xymon security concern raised

Steve Holmes sholmes42 at mac.com
Wed Dec 5 21:04:27 CET 2012


Thanks.

I tried that and started getting a lot of refused messages referencing the
monitored systems.
I forgot to mention that this is release 4.2.3. If it is different in 4.3.x
then I will have to wait a couple of months.

I see:

"... or if they are sent from the IP-address of
the host that the updates pertain to (this is to allow Xymon clients
to send in their own status updates, without having to list all
clients here)"

This seems to say that any value in --status-senders triggers this behavior
(which is the way I interpreted it), but apparently that is not the case.
At least not in 4.2.3.

Anything I'm missing? If there is some other value I need in there, like a
network mask for all the networks all of my xymon clients are on (hundreds
probably, I don't know), I don't think it will work for me.

Thanks,
Steve

On Wed, Dec 5, 2012 at 12:34 PM, <cleaver at terabithia.org> wrote:

> > I have a customer who is concerned that anyone could send data messages
> > to the xymon server with one of his host names and Xymon would accept it
> > as real thus potentially masking an attack.
> >
> > Note that this is in a university environment, so even if data can come
> > only from campus addresses we might not necessarily trust the data.
> >
> > Is there a way to get Xymon to check the IP address on incoming data
> > packets to verify that it is coming from the host it claims to be?
> >
>
> --status-senders is the option you'd want to look into (though I've never
> actually used it myself); by default Xymon accepts reports from everything
> about everything (although it does record the source IP, for later
> investigation). This is key when you have -say- a network poller returning
> information about the http test for your www.example.com host.
>
> Regards,
> -jc
>
>
>
> === man xymond snippet below ===
>
>
> --status-senders=IP[/MASK][,IP/MASK]
>     Controls which hosts may send "status", "combo", "config" and "query"
>     commands to xymond.
>
>     By default, any host can send status-updates. If this option is used,
>     then status-updates are accepted only if they are sent by one of the
>     IP-addresses listed here, or if they are sent from the IP-address of
>     the host that the updates pertain to (this is to allow Xymon clients
>     to send in their own status updates, without having to list all
>     clients here). So typically you will need to list your servers running
>     network tests here.
>
>     The format of this option is a list of IP-addresses, optionally with a
>     network mask in the form of the number of bits. E.g. if you want to
>     accept status-updates from the host 172.16.10.2, you would use
>
>         --status-senders=172.16.10.2
>
>     whereas if you want to accept status updates from both 172.16.10.2 and
>     from all of the hosts on the 10.0.2.* network (a 24-bit IP network),
>     you would use
>
>         --status-senders=172.16.10.2,10.0.2.0/24
>
>


-- 
If they give you ruled paper, write the other way. -Juan Ramon Jimenez,
poet, Nobel Prize in literature (1881-1958)

I prayed for freedom for twenty years, but received no answer until I
prayed with my legs. -Frederick Douglass, Former slave, abolitionist,
editor, and orator (1817-1895)
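
The acceptance rule quoted from the xymond man page above, modelled as an added example that is not part of the original thread and is not xymond's own code. It lists which observed senders would be refused for a given --status-senders value; the host table, the observed pairs and the function names are constructed for illustration.

```python
import ipaddress

def parse_status_senders(option):
    """Parse the IP[/MASK][,IP/MASK] list given to --status-senders."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in option.split(",") if item.strip()]

def accepts_status(sender_ip, hostname, hosts, senders):
    """Model of the documented rule: accept when the sender is listed,
    or when it is the configured address of the host being reported on."""
    src = ipaddress.ip_address(sender_ip)
    if any(src in net for net in senders):
        return True
    own = hosts.get(hostname)
    return own is not None and src == ipaddress.ip_address(own)

def audit(observed, hosts, option):
    """Return the (sender_ip, hostname) pairs that would be refused."""
    senders = parse_status_senders(option)
    return [(ip, host) for ip, host in observed
            if not accepts_status(ip, host, hosts, senders)]

# Constructed sample data: hostname -> configured IP (assumed host table).
HOSTS = {
    "www.example.com": "10.0.2.15",
    "db1.example.com": "10.0.3.20",
}
# Constructed (source IP, host the status is about) pairs.
OBSERVED = [
    ("10.0.2.15", "www.example.com"),    # client reporting on itself
    ("172.16.10.2", "www.example.com"),  # listed network test server
    ("10.0.2.99", "db1.example.com"),    # inside the listed /24
    ("10.0.3.77", "db1.example.com"),    # neither listed nor the host itself
    ("10.0.3.20", "www.example.com"),    # db1's address reporting as www
]

if __name__ == "__main__":
    for ip, host in audit(OBSERVED, HOSTS, "172.16.10.2,10.0.2.0/24"):
        print(f"would refuse: status for {host} from {ip}")
```

Under this rule any address inside a listed network can report for every host, so listing whole client networks brings back the concern raised in the original question.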