[Xymon] XyMon client binaries default security is bad

henrik at hswn.dk
Wed Mar 6 13:33:45 CET 2013


On Sat, 02 Mar 2013 10:51:06 +0200, Andrey Chervonets
<a.chervonets at cominder.eu> wrote:
> Thanks to everyone who participated for the interesting discussion!
> 
> Yes, securing client-server communication may be a problem.
> I see just 2 quite simple things that will eliminate most of the issues
> a) limit the list of acceptable connections by IP at OS level (or maybe 
> XyMon may do this too?!)
> b) use ssh tunnels between client and server - it was already described 
> in the XyMon manuals or Wiki

What all of this really boils down to is that Xymon is not designed for
use in a "hostile" network. There are very few security features built into
Xymon, e.g. access to the webpages is really wide-open. The only access
controls are whatever you build on top of Xymon, e.g. with the Apache
webserver security features.

xymond has some options to do some basic IP-level checking of who is
allowed to send various commands. With this, you can restrict
administrative commands (drop, disable etc.) to come from certain hosts -
the Xymon webserver, probably. Same with status-updates, which are then
only allowed from the monitored server itself and from network-test
servers.

But IP-layer checks are fast becoming irrelevant due to proxies, NAT and
IPv6.


The only way I can see to implement security in the communications to
xymond, is to use SSL and then two-way certification of the connection. So
SSL client- and server-certificate validation. I'm implementing this (have
done so, actually) in the same style as OpenVPN - client certificates must
be issued by a specific trusted certificate authority (and not be revoked).
So you set up your own CA to issue a certificate for each client
installation, and then the Xymon server just checks who issued the
certificate.

xymond should then use the identity given in the certificate as the name
of the server sending status-updates (instead of trusting the client to use
the correct hostname), but that hasn't been implemented yet.


File-level read/execute permission on the binaries is meaningless. Anyone
with half a bit of Perl-knowledge can cook up a script that sends commands
to xymond (you'll find it if you search the archives).


Regards,
Henrik
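
The scheme described in the message above (client certificates issued by your own CA, with the sender identified by the certificate rather than by the hostname it claims), as an added Python sketch that is not Xymon code and not from the original post. It assumes the certificate's commonName holds the monitored hostname; the hostnames, the `NETWORK_TESTERS` set and all function names are constructed for illustration.

```python
import ssl

# Constructed value: certificate identities allowed to report for other hosts
# (the network-test servers mentioned in the message).
NETWORK_TESTERS = {"nettest.example.com"}

def server_context(ca_file=None, crl_file=None, cert_file=None, key_file=None):
    """Server-side TLS context that requires a client certificate from our own CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED             # handshake fails without a client cert
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)   # trust only the private CA
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)  # PEM CRL published by that CA
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx

def cert_identity(peercert):
    """commonName from the dict returned by SSLSocket.getpeercert()."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.lower()
    return None

def claimed_host(message):
    """Hostname named in a 'status HOST.TEST COLOR ...' message (commas stand for dots)."""
    fields = message.split(None, 2)
    if len(fields) < 2 or not fields[0].startswith("status"):
        return None
    host = fields[1].rpartition(".")[0]
    return host.replace(",", ".").lower() or None

def accept_status(peercert, message):
    """Accept a status update only if the verified certificate may speak for that host."""
    identity, host = cert_identity(peercert), claimed_host(message)
    if identity is None or host is None:
        return False
    return identity == host or identity in NETWORK_TESTERS

# Constructed sample: certificate as getpeercert() returns it after a verified handshake.
SAMPLE_CERT = {"subject": ((("organizationName", "Example"),),
                           (("commonName", "web01.example.com"),))}
```
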



