[Xymon] Encrypted Xymon reporting over SSL using stunnel

Stephane Bakhos nuitari at nuitari.net
Sat Mar 9 04:17:09 CET 2019


I just make sure I have a VPN or a private LAN between whatever machine 
runs the xymon client and the xymon server.

On Fri, 8 Mar 2019, Bruce Ferrell wrote:

> Date: Fri, 8 Mar 2019 18:10:15 -0800
> From: Bruce Ferrell <bferrell at baywinds.org>
> To: xymon at xymon.com
> Subject: Re: [Xymon] Encrypted Xymon reporting over SSL using stunnel
> 
>
> I'm not sure which standard is in use here, so I'll just top post like 
> Richard did.  Please don't shoot me.
>
>
> People always go for certs... And then they expire and stuff starts breaking 
> or alerting right and left all at once.  GACK!
>
> For real hilarity, make them expire ten years out.  By that time, no one even 
> remembers that certs were even installed or what they're for.  As the home 
> loan industry said right 
> before the big crash, IBG, UBG (I be gone, you be gone).
>
> From one who has had to deal with such mass silliness, take it from me, it's 
> NO FUN and REALLY tedious to fix.
>
> "But I'll just use the cert for tunnel authentication" I hear you say... If 
> in-authentic communication (even self signed) isn't denied, do we care if 
> it's signed really?   If we do 
> care then we deny communication/ignore messages. Now we've lost reporting 
> links and visibility.
>
> Some form of message authentication is probably a good idea though.  Just 
> something that doesn't expire and can be revoked as needed.  gpg/pgp keys 
> maybe, but then we get the issue 
> of gpg/pgp key distribution/signing.  Key per monitored system... Anyone want 
> to manage THAT?
>
>
>
>
> On 3/8/19 11:28 AM, Richard L. Hamilton wrote:
>> In the ideal, esp. when the client may have a dynamic IP address (DHCP 
> without reserved addresses, or mobile clients, for example), it would IMO 
> also be really good if the client reports could optionally be signed, with a 
> certificate the server could verify, to give some confidence as to their 
> actually coming from the client...not that that assures that the actual 
> client wasn't compromised, but it's better than nothing insofar as it at 
> least gives good odds that misleading (or maliciously crafted) data from 
> elsewhere isn't being provided.
>>
>>> On Mar 8, 2019, at 11:09, Axel Beckert <abe at deuxchevaux.org> wrote:
>>>
>>> Hi Ralph,
>>>
>>> On Fri, Mar 08, 2019 at 10:40:55AM -0500, Ralph Mitchell wrote:
>>>> I'd still like to see encrypted connections for Xymon client messages 
> going
>>>> to the server.
>>> Yeah, this definitely is a feature which would be very nice to
>>> available out of the box.
>>>
>>> Nevertheless you can do that already now with stunnel as I mentioned:
>>>
>>>>> (And yes, I'm still hoping and waiting for IPv6 support, too,
>>>>> especially in xymonnet-based checks. Reporting to IPv6-only servers is
>>>>> no issue though, if you anyways use stunnel to encrypt the
>>>>> client-reporting traffic.)
>>> Debian's xymon package ships /usr/share/doc/xymon/README.encryption
>>> with hints how to implement encrypted reporting with Xymon.
>>>
>>> The current version can be found in our packaging git repository at
>>> https://salsa.debian.org/debian/xymon/blob/master/debian/README.encryption
>>> although I'm thinking about renaming it to README.encryption.md as I
>>> wrote it in Markdown syntax.
>>>
>>> It also refers to this more detailed documentation:
>>> 
> https://en.wikibooks.org/wiki/System_Monitoring_with_Xymon/Administration_Guide#Encryption_and_Tunnelling
>>>
>>> HTH!
>>>
>>> 		Kind regards, Axel
>
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
>


More information about the Xymon mailing list