[Xymon] Xymon security concern raised

Roland Soderstrom Rolands at logicaltech.com.au
Thu Dec 6 01:58:11 CET 2012


I have the cluster logicalhost names in hosts.cfg, don't care about the rest of the tests.
I also have the real zones running the xymonclient in that zone with all its built in monitoring.
Monitoring all cluster resources from the globalzone makes the script so much easier.

group-only ftp-rs|app-rs|ora-server-rs|ora-lsnr-rs CLUSTER-Resources
10.0.1.40      ftp01-lh # noconn
10.0.1.30      app01-lh # noconn
10.0.1.20      ora01-lh # noconn

- Roland

-----Original Message-----
From: Benjamin P. August [mailto:baugust at stanford.edu] 
Sent: Thursday, 6 December 2012 11:49 AM
To: Roland Soderstrom
Cc: xymon at xymon.com
Subject: Re: [Xymon] Xymon security concern raised

I know this is offtopic, but how did you get them to not end up as ghost clients with differing hostnames and sent-from values? I'd really love to do this for monitoring multiple ESXi machines on the internal network from one server. I tried using multihomed in hosts.cfg, but was not having much luck.

----- Original Message -----
From: "Roland Soderstrom" <Rolands at logicaltech.com.au>
To: xymon at xymon.com
Sent: Wednesday, December 5, 2012 12:51:41 PM
Subject: Re: [Xymon] Xymon security concern raised

On a side note I actually do this on purpose in my environment.
I got a Solaris Cluster running cluster resources in zoneclusters.
Instead of running ext/scripts in the zone I run them in the globalzone and fake the delivery hostname to be the zoneclusters logicalhostname.
Eg. Xymon $XYMSRV "status <zoneclusterhostname>.clustertest $COLOR `date` $Message"

Works brilliantly.

I remember a while back there was a discussion on how to encrypt the message over the xymon port 1984, that will surely prevent any false messages going through. (as false clients can't encrypt with the right key) Can't remember the outcome of the discussion.

- Roland

-----Original Message-----
From: xymon-bounces at xymon.com [mailto:xymon-bounces at xymon.com] On Behalf Of Novosielski, Ryan
Sent: Thursday, 6 December 2012 7:39 AM
To: Steve Holmes
Cc: xymon at xymon.com
Subject: Re: [Xymon] Xymon security concern raised

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My understanding is that it's fairly easy to do, also. I don't know if having a proxy in between helps at all or any of that, but my understanding is that what's sent is fairly simple and plain text (I believe there's info about the protocol in the manual).

That said, I'm not 100% sure what nefarious thing someone could do with that information. I guess they could open the rlogin port or something and then send a status message to indicate it's still closed?

On 12/05/2012 03:20 PM, Steve Holmes wrote:
> I believe the concern is that a student or other 'non-admin' could 
> send a packet from an unconfigured workstation masquerading as a 
> configured host. I think I need to do a little more research on the 
> problem. Thanks! Steve
> 
> On Wed, Dec 5, 2012 at 12:30 PM, Tim McCloskey <tm at freedom.com 
> <mailto:tm at freedom.com>> wrote:
> 
> Not sure that can be done in Xymon currently.
> 
> So, is the concern that one of the configured hosts could pretend to 
> be one of the other configured hosts?  If not, a nice packet 
> filter/firewall allowing tcp:1984 from only the Xymon hosts -> Xymon 
> server would provide a possible fix for that.
> 
> Regards, Tim ________________________________________ From:
> xymon-bounces at xymon.com <mailto:xymon-bounces at xymon.com> 
> [xymon-bounces at xymon.com <mailto:xymon-bounces at xymon.com>] on behalf 
> of Steve Holmes [sholmes42 at mac.com <mailto:sholmes42 at mac.com>] Sent:
> Wednesday, December 05, 2012 9:14 AM To: xymon at xymon.com 
> <mailto:xymon at xymon.com> Subject: [Xymon] Xymon security concern 
> raised
> 
> I have a customer who is concerned that anyone could send data 
> messages to the xymon server with one of his host names and Xymon 
> would accept it as real thus potentially masking an attack.
> 
> Note that this is in a university environment, so even if data can 
> come only from campus addresses we might not necessarily trust the 
> data.
> 
> Is there a way to get Xymon to check the IP address on incoming data 
> packets to verify that it is coming from the host it claims to be?
> 
> Thanks, Steve Holmes Purdue University
> 
> 
> 
> 
> 
> -- If they give you ruled paper, write the other way. -Juan Ramon 
> Jimenez, poet, Nobel Prize in literature (1881-1958)
> 
> I prayed for freedom for twenty years, but received no answer until I 
> prayed with my legs. -Frederick Douglass, Former slave, abolitionist, 
> editor, and orator (1817-1895)
> 


- --
- ---- _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer 
|$&| |__| |  | |__/ | \| _| |novosirj at umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/EI-Academic Svcs. - ADMC 450, Newark -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlC/sNIACgkQmb+gadEcsb5FcgCfck8FSSTUeliU9HOmiN+FlFbA
3WEAnioFl9s0Y+08N6V6ox5f4tNH5F6G
=1fR8
-----END PGP SIGNATURE-----

_______________________________________________
Xymon mailing list
Xymon at xymon.com
http://lists.xymon.com/mailman/listinfo/xymon
_______________________________________________
Xymon mailing list
Xymon at xymon.com
http://lists.xymon.com/mailman/listinfo/xymon


More information about the Xymon mailing list