In the ideal, esp. when the client may have a dynamic IP address (DHCP without reserved addresses, or mobile clients, for example), it would IMO also be really good if the client reports could optionally be signed, with a certificate the server could verify, to give some confidence as to their actually coming from the client...not that that assures that the actual client wasn't compromised, but it's better than nothing insofar as it at least gives good odds that misleading (or maliciously crafted) data from elsewhere isn't being provided.
On Mar 8, 2019, at 11:09, Axel Beckert <user-bc188e45dae4@xymon.invalid> wrote:
Hi Ralph,
On Fri, Mar 08, 2019 at 10:40:55AM -0500, Ralph Mitchell wrote:
I'd still like to see encrypted connections for Xymon client messages going
to the server.
Yeah, this definitely is a feature which would be very nice to
available out of the box.
Nevertheless you can do that already now with stunnel as I mentioned:
(And yes, I'm still hoping and waiting for IPv6 support, too,
especially in xymonnet-based checks. Reporting to IPv6-only servers is
no issue though, if you anyways use stunnel to encrypt the
client-reporting traffic.)
Debian's xymon package ships /usr/share/doc/xymon/README.encryption
with hints how to implement encrypted reporting with Xymon.
The current version can be found in our packaging git repository at
https://salsa.debian.org/debian/xymon/blob/master/debian/README.encryption
although I'm thinking about renaming it to README.encryption.md as I
wrote it in Markdown syntax.
It also refers to this more detailed documentation:
https://en.wikibooks.org/wiki/System_Monitoring_with_Xymon/Administration_Guide#Encryption_and_Tunnelling
HTH!
Kind regards, Axel
--
PGP: 2FF9CD59612616B5 /~\ Plain Text Ribbon Campaign, http://arc.pasp.de/
Mail: user-bc188e45dae4@xymon.invalid \ / Say No to HTML in E-Mail and Usenet
Mail+Jabber: user-0064bde8d49d@xymon.invalid X
https://axel.beckert.ch/ / \ I love long mails: https://email.is-not-s.ms/