[Xymon] XyMon client binaries default security is bad

Andrey Chervonets a.chervonets at cominder.eu
Sat Mar 2 09:51:06 CET 2013


Thanks to everyone who participated in the interesting discussion!

Yes, securing client-server communication may be a problem.
I see just 2 quite simple things that will eliminate most of the issues:
a) limit the list of acceptable connections by IP at OS level (or maybe
XyMon may do this too?!)
b) use ssh tunnels between client and server - it was already described
in the XyMon manuals or Wiki

All other cases, when someone will try to send a report "on behalf of" a real
client, are more complicated and require some networking skills and
special reasons.

My concern regarding read and execute permission for everyone on the client
host was just to prevent users other than xymon from trying to play with
xymon tools.
If anyone sees it can execute anything, it can try to do something just
for interest, for example to send a "drop .." request,
just to test system security and the sysadmin's ability to track exceptions.

I think this can be easily fixed, for example with one find execution after
installation is done:
find client/ -exec chmod o-rwx {} \;
or just:
find client/bin -exec chmod o-rwx {} \;    # if someone sees that others
should see some output generated.


Best regards,

Andrey Chervonets
----------------------
CoMinder SIA.
http://www.cominder.eu/
Mobile: +371 26517848
Fax: +371 66066346
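The one-line find/chmod fix from the post, written out as a small script with a check that nothing under the client tree remains readable, writable or executable by "other". This is an added example, not code from Andrey's post or from the Xymon project; the directory layout it builds under a temporary path is constructed to stand in for a real client/ install, and the helper names (make_sample_tree, harden_tree, count_world_accessible, verify_tree) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post or the Xymon project): strip all
# "other" permissions from a Xymon client install tree and verify the result.
# Assumption: the tree is owned by the xymon user/group, so removing o-rwx
# leaves the xymon account (and root) able to run the tools while other local
# users can no longer read, traverse or execute anything under it.
set -e

# Build a constructed stand-in for client/ so the script runs offline.
# The files and modes mimic a typical post-install state (world readable,
# binaries world executable); they are sample data, not a real install.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/bin" "$dir/etc" "$dir/tmp" "$dir/logs"
    printf '#!/bin/sh\necho client\n' > "$dir/bin/xymonclient.sh"
    printf '#!/bin/sh\necho report\n' > "$dir/bin/xymon"
    printf 'XYMONSERVERS="192.0.2.10"\n' > "$dir/etc/xymonclient.cfg"
    printf 'constructed log line\n' > "$dir/logs/xymonclient.log"
    chmod 0755 "$dir" "$dir/bin" "$dir/etc" "$dir/tmp" "$dir/logs"
    chmod 0755 "$dir/bin/xymonclient.sh" "$dir/bin/xymon"
    chmod 0644 "$dir/etc/xymonclient.cfg" "$dir/logs/xymonclient.log"
}

# Count entries (files and directories) that grant any bit to "other".
# Octal -perm tests are used because the GNU "-perm /mode" form is not
# available on every find(1).
count_world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) | wc -l | tr -d ' '
}

# The fix from the post: remove other's rwx from every entry in the tree.
# Removing "x" from directories also blocks traversal for other users.
harden_tree() {
    find "$1" -exec chmod o-rwx {} \;
}

# Return 0 if nothing in the tree is accessible to "other", 1 otherwise.
# Suitable for a post-install check or a periodic cron job.
verify_tree() {
    if [ "$(count_world_accessible "$1")" -eq 0 ]; then
        return 0
    fi
    echo "world-accessible entries remain under $1:" >&2
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) >&2
    return 1
}

# Demo on a temporary constructed tree; prints the counts before and after.
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp/client"
    echo "before: $(count_world_accessible "$tmp/client") world-accessible entries"
    harden_tree "$tmp/client"
    echo "after:  $(count_world_accessible "$tmp/client") world-accessible entries"
    verify_tree "$tmp/client" && echo "OK: client tree is closed to other users"
    rm -rf "$tmp"
}
```

To apply this to a real install, run harden_tree on the actual client directory as root or as the owning xymon user, then keep verify_tree around as the check; it complains on stderr and exits non-zero if a later upgrade or a careless untar reopens any file. Note that this only addresses local users on the client host; it does nothing about remote hosts connecting to the server, which is what the IP limit and ssh tunnel points above are for.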



