Xymon Encrypting End Points for Azure
list Daniel Lozovsky
I am in the process of migrating xymon to Azure client. My group needs to make sure application end points are encrypted, meaning that Xymon will need to use secure connection. What is the best way of accomplishing this task that you can recommend?
list Jeremy Laidman
Daniel
Transport encryption between client and server has been planned for an upcoming release. However, development appears to have stalled so I wouldn't expect anything soon.
As there is currently no native encryption, you have a few other options for this:
* use stunnel on both client and server
* configure the clients to connect using HTTPS, and install a CGI script to handle the connections
* use ssh tunnels
Some of these methods can also incorporate authentication, to improve security even further.
More on these techniques can be found here: https://en.wikibooks.org/wiki/System_Monitoring_with_Xymon/Administration_Guide#Encryption_and_Tunnelling
Cheers
Jeremy
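A stunnel pairing for the first option in the reply above, as an added example that is not part of the original thread or of the Xymon project's documentation. It assumes Xymon's default TCP port 1984; the TLS port 1985, the host name xymon.example.com, the private CA and all file paths are hypothetical.

```ini
; ---- On the Xymon server: /etc/stunnel/xymon-server.conf (hypothetical path) ----
; Accept TLS from clients on 1985 and hand the plaintext to xymond on loopback.
; sslVersionMin assumes a recent stunnel 5.x built against OpenSSL 1.1.0 or later.
sslVersionMin = TLSv1.2

[xymon-in]
accept  = 0.0.0.0:1985
connect = 127.0.0.1:1984
cert    = /etc/stunnel/xymon-server.crt
key     = /etc/stunnel/xymon-server.key
; Mutual TLS: only clients holding a certificate issued by this CA may report.
CAfile      = /etc/stunnel/xymon-ca.crt
verifyChain = yes

; ---- On each monitored host: /etc/stunnel/xymon-client.conf (hypothetical path) ----
; Listen on loopback where the Xymon client expects a server, forward over TLS.
sslVersionMin = TLSv1.2

[xymon-out]
client  = yes
accept  = 127.0.0.1:1984
connect = xymon.example.com:1985
cert    = /etc/stunnel/xymon-client.crt
key     = /etc/stunnel/xymon-client.key
; Authenticate the server: validate its chain and the name in its certificate.
; Without these two lines the tunnel is encrypted but not authenticated.
CAfile      = /etc/stunnel/xymon-ca.crt
verifyChain = yes
checkHost   = xymon.example.com
```

Point `XYMSRV` on each client at 127.0.0.1 so reports enter the local tunnel, and firewall port 1984 on the server so that only loopback can reach xymond directly. Because xymond now sees every report arriving from 127.0.0.1, any source-address restrictions on senders stop being meaningful and the client certificate check takes over that role.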
list Daniel Lozovsky
Thanks Jeremy. I was thinking about using stunnel which seems more straightforward. Too bad about development being stalled. Hopefully, it will restart soon. Really need this functionality.
list Jeremy Laidman
On Tue, 16 Mar 2021 at 08:42, LOZOVSKY, DANIEL <user-5085da3588ee@xymon.invalid> wrote:
Thanks Jeremy. I was thinking about using stunnel which seems more straight forward. Too bad about development being stalled. Hopefully, it will restart soon. Really need this functionality.
Agreed. The other two foreshadowed features many of us are waiting for are: full support for SNMP, and IPv6.
There's actually another option for encryption that I didn't mention, but it can be really useful in some circumstances. Many years ago I wrote a script that provided an agentless deployment, and it's still in use today. It works by connecting via ssh, then pushing the Xymon client scripts from the server to the shell running on the client. The client scripts execute on the client host, and send their updates to STDOUT, which traverses the ssh connection, to be injected into the Xymon server. I've used this technique to monitor hosts that cannot connect directly to the Xymon server, by using ssh to connect via one or more jump hosts. All it needs is a way to get a shell prompt on the client. More info here: http://tools.rebel-it.com.au/xymon-rclient/.
J
list Ralph Mitchell
I've been using curl to send reports to the CGI program, because I need to use encrypted connections. It doesn't scale well... I have gaps in every graph due to missing reports. I've been looking at cobbling together my own equivalent that doesn't require Apache on the Xymon server. It's slow going, though.
Ralph Mitchell