Xymon Mailing List Archive

TCP Wrappers for xymond

list Asif Iqbal
Wed, 30 Jul 2014 06:58:39 -0400
Message-Id: <CAOHBbgXHo1OoCTYC6RMk=user-acfdc7403713@xymon.invalid>

On Wed, Jul 30, 2014 at 2:59 AM, Jeremy Laidman <user-71895fb2e44c@xymon.invalid>
wrote:
> Hiya
>
> I'm planning on deploying a Xymon server on the Internet, and would like
> to lock it down as much as possible.  I'll be creating iptables rules to
> limit access to port 1984.  However, I'd really like to have a fallback
> protection mechanism, in case (or for when) the iptables rules are not
> being applied, or are misconfigured.
>
> It seems to me that the use of libwrap (TCP wrappers) would suit me
> nicely, so that I could add hosts into /etc/hosts.allow as required.  I
> will already be using this for other services such as ssh.
>
> However, there doesn't appear to be a simple way for xymond to use
> libwrap.  From what I understand, there are two ways to achieve TCP wrapper
> support: one way is to compile the daemon to dynamically link to the
> libwrap library; the other is to run the daemon from inetd/xinetd.  Neither
> of these seems to be available for xymond.
>
> Can anyone suggest a simple way to do this?  Would it be easy to recompile
> xymond with libwrap support?  In the back of my mind, I seem to recall that
> the libwrap library re-implements all of the socket calls from libc, and so
> maybe all that's required is to have "-lwrap" before "-lc" in a Makefile
> somewhere.
>
> One idea that came to mind is to have xymond listen on 127.0.0.1
> only, and have xinetd listening on 0.0.0.0, which then connects any
> incoming socket to 127.0.0.1 (using the "redirect" config options).  But
> this is a bit too messy for my liking, because I don't want my operations
> staff confused by the extra complexity.  Also, I suspect this will provide
> a reduction in throughput when compared to xymond listening directly, not
> only due to the extra connection overhead, but also perhaps limiting
> xymond's ability to do any clever things like pre-forking.  Also the extra
> logging might cause a backlog.  Or maybe I'm worrying about nothing, and
> this is a perfectly elegant solution.
>
> The best I could hope for, would be explicit support for compiling it in,
> perhaps with "--with-libwrap" and "--without-libwrap" options for configure.
>
> Cheers
>  Jeremy

Or you could use tcpserver, which does not require recompiling xymond.


-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
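The two approaches discussed in this thread, xinetd's "redirect" in front of an xymond bound to loopback and a hosts.allow/hosts.deny allow-list, as an added example that is not code from the thread or from the Xymon project. It prints a candidate xinetd stanza and then evaluates constructed hosts.allow/hosts.deny contents the way tcpd does (hosts.allow first, then hosts.deny, otherwise permit), so the fallback rules can be checked against real client addresses before anyone relies on them. The service id "xymond-public", the public interface address 203.0.113.10, the xinetd "libwrap" attribute as the way to fix the daemon name, the xymond "--listen" option and all client addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Xymon project.

# 1. xinetd stanza: accept on the public address and relay to xymond, which is
#    assumed to be started with "--listen=127.0.0.1:1984" (XYMONDOPTS).  Binding
#    a specific address avoids a wildcard/loopback bind clash on port 1984.
#    "libwrap = xymond" is assumed to set the daemon name xinetd hands to
#    hosts_access(), so hosts.allow rules are written for "xymond".
xinetd_redirect_stanza() {
    cat <<'EOF'
service xymond-public
{
    type            = UNLISTED
    socket_type     = stream
    protocol        = tcp
    port            = 1984
    bind            = 203.0.113.10
    wait            = no
    user            = nobody
    redirect        = 127.0.0.1 1984
    libwrap         = xymond
    instances       = 200
    cps             = 100 5
    log_on_failure += HOST
}
EOF
}

# 2. Constructed /etc/hosts.allow and /etc/hosts.deny contents to check.
HOSTS_ALLOW='xymond : 127.0.0.1 10.1. 192.168.5.0/255.255.255.0 203.0.113.0/24
sshd : 10.1.0.0/16'
HOSTS_DENY='ALL : ALL'

# Dotted quad to integer (inputs are trusted here; no validation).
ip_to_int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# One client pattern against one address.  Handled: ALL, exact address,
# "10.1." trailing-dot prefix, net/mask, and net/prefixlen (CIDR, which only
# distro-patched libwraps accept).  Hostnames, EXCEPT and @netgroup are not.
client_matches() {
    pat=$1; addr=$2
    case $pat in
        ALL) return 0 ;;
        */*)
            net=${pat%/*}; mask=${pat#*/}
            case $mask in
                *.*) m=$(ip_to_int "$mask") ;;
                *)   m=$(( (0xffffffff << (32 - mask)) & 0xffffffff )) ;;
            esac
            [ $(( $(ip_to_int "$addr") & m )) -eq $(( $(ip_to_int "$net") & m )) ] ;;
        *.) case $addr in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
        *)  [ "$pat" = "$addr" ] ;;
    esac
}

# Does any "daemon_list : client_list" line in $3 match daemon $1 from $2?
rules_match() {
    daemon=$1; client=$2
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        dlist=${line%%:*}; clist=${line#*:}
        hit=1
        for d in $(printf '%s' "$dlist" | tr ',' ' '); do
            [ "$d" = ALL ] && hit=0
            [ "$d" = "$daemon" ] && hit=0
        done
        [ $hit -eq 0 ] || continue
        for cpat in $(printf '%s' "$clist" | tr ',' ' '); do
            if client_matches "$cpat" "$client"; then return 0; fi
        done
    done <<EOF
$3
EOF
    return 1
}

# tcpd order: hosts.allow match -> allow; hosts.deny match -> deny; else allow.
# Usage: hosts_access_decision DAEMON CLIENT_IP "$ALLOW_RULES" "$DENY_RULES"
hosts_access_decision() {
    if rules_match "$1" "$2" "$3"; then echo allow
    elif rules_match "$1" "$2" "$4"; then echo deny
    else echo allow      # no rule matched anywhere: libwrap's default is permit
    fi
}

xinetd_redirect_stanza
for c in 127.0.0.1 10.1.77.8 192.168.5.9 203.0.113.200 10.2.0.1; do
    printf 'xymond from %-15s -> %s\n' "$c" \
        "$(hosts_access_decision xymond "$c" "$HOSTS_ALLOW" "$HOSTS_DENY")"
done
```

The last case in the check is the one worth keeping in mind: with an empty hosts.deny the same client is permitted, because tcp_wrappers allows anything no rule mentions, so the "ALL : ALL" deny line is what makes this a fallback at all. Two caveats follow from the redirect itself: xymond sees every connection as coming from 127.0.0.1, so its own logs and any source-address checks lose the real client, and each connection now costs an xinetd fork plus a second TCP connection. The tcpserver route Asif mentions uses the same kind of allow-list in tcprules(1) form; since tcpserver hands each connection to a child on stdin/stdout, it also needs a relay to 127.0.0.1:1984 rather than xymond itself as the child.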