[Xymon] TCP Wrappers for xymond

Asif Iqbal vadud3 at gmail.com
Wed Jul 30 12:58:39 CEST 2014


On Wed, Jul 30, 2014 at 2:59 AM, Jeremy Laidman <jlaidman at rebel-it.com.au>
wrote:

> Hiya
>
> I'm planning on deploying a Xymon server on the Internet, and would like
> to lock it down as much as possible.  I'll be creating iptables rules to
> limit access to port 1984.  However, I'd really like to have a fallback
> protection mechanism, in case (or for when) the iptables rules are not
> being applied, or are misconfigured.
>
> It seems to me that the use of libwrap (TCP wrappers) would suit me
> nicely, so that I could add hosts into /etc/hosts.allow as required.  I
> will already be using this for other services such as ssh.
>
> However, there doesn't appear to be a simple way for xymond to use
> libwrap.  From what I understand, there are two ways to achieve TCP wrapper
> support: one way is to compile the daemon to dynamically link to the
> libwrap library; the other is to run the daemon from inetd/xinetd.  Neither
> of these seems to be available for xymond.
>
> Can anyone suggest a simple way to do this?  Would it be easy to recompile
> xymond with libwrap support?  In the back of my mind, I seem to recall that
> the libwrap library re-implements all of the socket calls from libc, and so
> maybe all that's required is to have "-lwrap" before "-lc" in a Makefile
> somewhere.
>
> One idea that came to mind is to have xymond listen only on 127.0.0.1,
> and have xinetd listening on 0.0.0.0, which then connects any
> incoming socket to 127.0.0.1 (using the "redirect" config options).  But
> this is a bit too messy for my liking, because I don't want my operations
> staff confused by the extra complexity.  Also, I suspect this will provide
> a reduction in throughput when compared to xymond listening directly, not
> only due to the extra connection overhead, but also perhaps limiting
> xymond's ability to do any clever things like pre-forking.  Also the extra
> logging might cause a backlog.  Or maybe I'm worrying about nothing, and
> this is a perfectly elegant solution.
>
> The best I could hope for, would be explicit support for compiling it in,
> perhaps with "--with-libwrap" and "--without-libwrap" options for configure.
>
> Cheers
>  Jeremy
>



Or you could use tcpserver, which does not require recompiling xymond.



-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
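The xinetd "redirect" layout Jeremy describes, written out as a worked example. This is added here and is not code from the thread or from the Xymon project: it generates the xinetd service stanza that accepts connections on 0.0.0.0:1984 and forwards them to a loopback-only xymond, plus the libwrap `hosts.allow`/`hosts.deny` rules that act as the fallback when the iptables rules are missing. Assumptions not stated in the thread: xymond itself is bound to 127.0.0.1:1984 (e.g. via its `--listen` option), the distribution's xinetd is built with libwrap, the xinetd service name `xymond` is what libwrap matches against, and `192.0.2.0/24` is a constructed example network.

```shell
#!/bin/sh
# Added example (not from the thread): an xinetd "redirect" front end for
# xymond plus the libwrap rules that act as the fallback access-control layer.
# Assumed layout: xymond bound to 127.0.0.1:1984 (assumed --listen option),
# xinetd with libwrap support on 0.0.0.0:1984, and the xinetd service name
# "xymond" used as the daemon name in hosts.allow / hosts.deny.

OUTDIR="${OUTDIR:-$(mktemp -d)}"
ALLOWED_NET="${ALLOWED_NET:-192.0.2.0/24}"   # constructed example network (RFC 5737)

# Write the xinetd service stanza. "redirect" makes xinetd accept the TCP
# connection itself and copy it to the loopback listener; "only_from" is a
# second, xinetd-native allow list, so a missing hosts.allow entry still denies.
write_xinetd_service() {
    cat > "$1" <<EOF
service xymond
{
    type            = UNLISTED
    disable         = no
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = nobody
    port            = 1984
    bind            = 0.0.0.0
    redirect        = 127.0.0.1 1984
    only_from       = $ALLOWED_NET
    instances       = 50
    per_source      = 10
    log_on_success  += HOST
    log_on_failure  += HOST
}
EOF
}

# libwrap rules: explicit allow for the monitored network and an explicit deny
# for everyone else, scoped to this daemon only so existing sshd entries in
# hosts.allow are not affected.
write_wrap_rules() {
    printf 'xymond: %s\n' "$ALLOWED_NET" > "$1/hosts.allow"
    printf 'xymond: ALL\n' > "$1/hosts.deny"
}

# Self-check on the generated files: succeeds only if the public bind, the
# loopback redirect target, the allow rule and the deny rule are all present.
verify_config() {
    grep -q 'redirect *= *127.0.0.1 1984' "$1/xymond.xinetd" &&
    grep -q 'bind *= *0.0.0.0' "$1/xymond.xinetd" &&
    grep -q "^xymond: $ALLOWED_NET\$" "$1/hosts.allow" &&
    grep -q '^xymond: ALL$' "$1/hosts.deny"
}

# Generate everything into one directory and verify it; returns non-zero on
# any failure so callers can rely on the exit status.
generate_all() {
    mkdir -p "$1"
    write_xinetd_service "$1/xymond.xinetd"
    write_wrap_rules "$1"
    verify_config "$1"
}

generate_all "$OUTDIR" && echo "generated xinetd and libwrap config in $OUTDIR"
```

To deploy, copy `xymond.xinetd` to `/etc/xinetd.d/xymond` and merge the two rule lines into `/etc/hosts.allow` and `/etc/hosts.deny`, then reload xinetd. After installation, `tcpdmatch xymond <client-ip>` (from the tcp_wrappers package) shows whether libwrap would grant or deny a given client under the daemon name `xymond`, which is a quick way to confirm the service-name assumption on your distribution before relying on this as the fallback.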