[Xymon] Xymon security concern raised
cleaver at terabithia.org
cleaver at terabithia.org
Wed Dec 5 18:34:59 CET 2012
> I have a customer who is concerned that anyone could send data messages to
> the xymon server with one of his host names and Xymon would accept it as
> real thus potentially masking an attack.
>
> Note that this is in a university environment, so even if data can come
> only from campus addresses we might not necessarily trust the data.
>
> Is there a way to get Xymon to check the IP address on incoming data
> packets to verify that it is coming from the host it claims to be?
>
--status-senders is the option you'd want to look into (though I've never
actually used it myself); by default Xymon accepts reports from everything
about everything (although it does record the source IP, for later
investigation). This is key when you have -say- a network poller returning
information about the http test for your www.example.com host.
Regards,
-jc
=== man xymond snippet below ===
--status-senders=IP[/MASK][,IP/MASK]
Controls which hosts may send "status", "combo", "config" and "query"
commands to xymond.
By default, any host can send status-updates. If this option is used,
then status-updates are accepted only if they are sent by one of the
IP-adresses listed here, or if they are sent from the IP-address of
the host that the updates pertains to (this is to allow Xymon clients
to send in their own status updates, without having to list all
clients here). So typically you will need to list your servers running
network tests here.
The format of this option is a list of IP-adresses, optionally with a
network mask in the form of the number of bits. E.g. if you want to
accept status-updates from the host 172.16.10.2, you would use
--status-senders=172.16.10.2
whereas if you want to accept status updates from both 172.16.10.2 and
from all of the hosts on the 10.0.2.* network (a 24-bit IP network),
you would use
--status-senders=172.16.10.2,10.0.2.0/24
More information about the Xymon
mailing list