[hobbit] Securing Xymon Over Internet
Bill Arlofski
waa-hobbitml at revpol.com
Mon Feb 16 17:45:17 CET 2009
> Hi XyMonsters!
>
> I need to monitor several satellite sites with XyMon. These sites are not available on our local LAN so I have to go via the internet. I am a bit hesitant to open the ports etc since the information collected can be used in foot printing the system. How would I go about securing the service so that xymons information does not fall into the wrong hands?
>
> Regards
>
> Neil
Hi Neil... I just recently did this same thing. At sites where I do not have
a VPN, I have found that stunnel is the best/easiest way to do go.
On the client site (your remote sites) stunnel running in client mode can
listen on an arbitrary port (I chose 11984) and then send the data ENCRYPTED
to an stunnel running in server mode at your central site. The server mode
stunnel then sends the unencrypted data to your central xymon server on port 1984.
Here's a cheesy ASCII diagram:
(Remote xymon server)
~xymon/server/etc/hobitserver.cfg:
BBDISP=0.0.0.0
BBDISPLAYS="ip.of.client.xymon 127.0.0.1:11984"
stunnel: in CLIENT mode (default)
listen=127.0.0.1:11984 (unencrypted data in)
connect=your.firewall.ip:11984 (encrypted data out)
|
V
Client's firewall (allow server out on 11984/TCP to your firewall IP)
|
V
INTERNET
|
V
Your firewall (allow client's firewall IP in on 11984/TCP to your server)
|
V
your server running
stunnel & xymon
|
V
stunnel: in SERVER mode
listen=127.0.0.1:11984 (encrypted data in)
connect=127.0.0.1:1984 (unencrypted data out to central xymon server)
This should take about 1/2 hour to 45 minutes to do. Thanks to the stunnel
people, it is that simple.
Hope this helps!
--
Bill Arlofski
Reverse Polarity, LLC
http://www.revpol.com/
More information about the Xymon
mailing list