[Xymon] TCP Wrappers for xymond

Jeremy Laidman jlaidman at rebel-it.com.au
Wed Jul 30 08:59:46 CEST 2014


Hiya

I'm planning on deploying a Xymon server on the Internet, and would like to
lock it down as much as possible.  I'll be creating iptables rules to limit
access to port 1984.  However, I'd really like to have a fallback
protection mechanism, in case (or for when) the iptables rules are not
being applied, or are misconfigured.

It seems to me that the use of libwrap (TCP wrappers) would suit me nicely,
so that I could add hosts into /etc/hosts.allow as required.  I will
already be using this for other services such as ssh.

However, there doesn't appear to be a simple way for xymond to use libwrap.
From what I understand, there are two ways to achieve TCP wrapper support:
one way is to compile the daemon to dynamically link to the libwrap
library; the other is to run the daemon from inetd/xinetd.  Neither of
these seems to be available for xymond.

Can anyone suggest a simple way to do this?  Would it be easy to recompile
xymond with libwrap support?  In the back of my mind, I seem to recall that
the libwrap library re-implements all of the socket calls from libc, and so
maybe all that's required is to have "-lwrap" before "-lc" in a Makefile
somewhere.

One idea that came to mind is to have xymond listen only on 127.0.0.1,
and have xinetd listening on 0.0.0.0, which then connects any incoming
socket to 127.0.0.1 (using the "redirect" config option).  But this is a
bit too messy for my liking, because I don't want my operations staff
confused by the extra complexity.  Also, I suspect this will provide a
reduction in throughput when compared to xymond listening directly, not
only due to the extra connection overhead, but also perhaps limiting
xymond's ability to do any clever things like pre-forking.  Also the extra
logging might cause a backlog.  Or maybe I'm worrying about nothing, and
this is a perfectly elegant solution.

The best I could hope for would be explicit support for compiling it in,
perhaps with "--with-libwrap" and "--without-libwrap" options for configure.

Cheers
Jeremy
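The xinetd redirect arrangement described in the post, written out as an added example (not part of Jeremy's message or of the Xymon project): xinetd owns 0.0.0.0:1984 and proxies to xymond on loopback, while libwrap's hosts.allow/hosts.deny act as the fallback when the iptables rules are missing. The service name "xymond-redirect", the example addresses, and the xymond "--listen" option name are assumptions.

```text
# /etc/xinetd.d/xymond-redirect   (constructed example; service name assumed)
# xinetd on most distributions is built against libwrap, so it consults
# /etc/hosts.allow and /etc/hosts.deny under the service name below
# before performing the redirect.
service xymond-redirect
{
    type        = UNLISTED
    port        = 1984
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = nobody
    bind        = 0.0.0.0
    redirect    = 127.0.0.1 1984
    # second, independent filter inside xinetd itself (CIDR accepted)
    only_from   = 192.0.2.0/24 203.0.113.10
    log_on_success += HOST DURATION
    log_on_failure += HOST
    disable     = no
}

# /etc/hosts.allow   (libwrap matches the xinetd service name, not "xymond")
xymond-redirect: 192.0.2.0/255.255.255.0 203.0.113.10

# /etc/hosts.deny    (default deny, so a missing allow entry fails closed)
xymond-redirect: ALL

# xymond itself is started bound to loopback only, e.g. in tasks.cfg
# (option name assumed):   xymond --listen=127.0.0.1:1984
```

Because every redirected connection reaches xymond from 127.0.0.1, xymond's own logs and any address-based checks it performs no longer see the real client; the xinetd log lines (HOST) are then the record of who connected.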