Xymon Mailing List Archive

Security without FQDN?

2 messages in this thread

John Horne · Fri, 11 May 2012 12:50:45 +0100
Hello,

Using Xymon 4.3.7 I have been trying to secure the xymon server, and
have been looking at the various 'senders' options of xymond. Having set
these options I then got several purple reports. The xymond logfile
indicated that messages were being refused from hosts, despite the
xymond man page saying that status messages would be accepted from the
hosts to which they relate. Example:

  2012-05-11 12:20:39 Refused message from 141.163.162.11: usermsg
  jhvm2.sec.1336735239123422 add id=1336735239 expire=1336737639
  jhvm2.sec green Fri May 11 12:20:39 BST 2012 \n&green dummy
  2012-05-11 12:20:39 Invalid user message - sender 141.163.162.11 not
  allowed for host jhvm2.sec.1336735239123422

The hosts.cfg file shows:

  141.163.162.11  jhvm2   # testip conn files sec...

The tasks.cfg file for xymond uses the option
'--status-senders=$XYMONSERVERIP'.

So according to the xymond man page, because '--status-senders' is set,
status reports from 141.163.162.11 for host 'jhvm2' should be accepted
(since they are the same host).

My only thought here is how xymond is doing the security check. Is it
checking the IP address against the name, and/or the name against the IP
address? Since we are not using FQDN names, the DNS is not going to be
useful, but a host check of the name 'jhvm2' should return the IP
address since it is listed in the /etc/hosts file.

Any thoughts?


John.

-- 
John Horne                   Tel: +XX (X)XXXX XXXXXX
Plymouth University, UK      Fax: +XX (X)XXXX XXXXXX

John Horne · Fri, 11 May 2012 13:29:16 +0100
On Fri, 2012-05-11 at 12:50 +0100, John Horne wrote:
> Hello,
>
> Using Xymon 4.3.7 I have been trying to secure the xymon server, and
> have been looking at the various 'senders' options of xymond. Having set
> these options I then got several purple reports. The xymond logfile
> indicated that messages were being refused from hosts, despite the
> xymond man page saying that status messages would be accepted from the
> hosts to which they relate. Example:
>
>   2012-05-11 12:20:39 Refused message from 141.163.162.11: usermsg
>   jhvm2.sec.1336735239123422 add id=1336735239 expire=1336737639
>   jhvm2.sec green Fri May 11 12:20:39 BST 2012 \n&green dummy
>   2012-05-11 12:20:39 Invalid user message - sender 141.163.162.11 not
>   allowed for host jhvm2.sec.1336735239123422

Hmm. Just realised that these are 'usermsg' messages. Since the usermsg
format basically only includes an ID and then whatever else we want,
xymon has no way of knowing what the 'host' is (as evidenced by the
message showing the host as 'jhvm2.sec.1336735239123422' when in fact
this is the ID).

I'm wondering if, in order to use usermsgs and secure Xymon, we
will have to explicitly list all the IP addresses of our hosts (in
tasks.cfg with the '--status-senders' option).


John.

-- 
John Horne                   Tel: +XX (X)XXXX XXXXXX
Plymouth University, UK      Fax: +XX (X)XXXX XXXXXX
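
An added example, not part of the original posts and not Xymon's own code: a small Python triage script for the refusals discussed in this thread, separating "the usermsg ID was treated as the host name" from senders that are genuinely unknown or naming another host. It assumes the log line format quoted above (with the mail wrapping undone) and `IP name # tags` entries in hosts.cfg; the function names, verdict labels and sample data are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample input, modelled on the lines quoted in the thread.
HOSTS_CFG = """\
group Test VMs
141.163.162.11  jhvm2   # testip conn files sec
141.163.162.12  jhvm3   # conn
"""

XYMOND_LOG = """\
2012-05-11 12:20:39 Refused message from 141.163.162.11: usermsg jhvm2.sec.1336735239123422 add id=1336735239
2012-05-11 12:20:39 Invalid user message - sender 141.163.162.11 not allowed for host jhvm2.sec.1336735239123422
2012-05-11 12:21:40 Invalid user message - sender 141.163.162.12 not allowed for host jhvm2.sec.1336735300000001
2012-05-11 12:22:05 Invalid user message - sender 10.9.8.7 not allowed for host jhvm3.sec.1336735400000002
"""

REFUSAL = re.compile(
    r"Invalid user message - sender (\S+) not allowed for host (\S+)")


def parse_hosts(cfg_text):
    """Map IP -> hostname from 'IP name # tags' lines; skip everything else."""
    hosts = {}
    for line in cfg_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # layout lines such as 'group ...' are not host entries
        hosts[fields[0]] = fields[1]
    return hosts


def classify_refusals(log_text, hosts):
    """Return (sender, claimed_host, verdict) for every refused usermsg."""
    results = []
    for sender, claimed in REFUSAL.findall(log_text):
        own = hosts.get(sender)
        if own is None:
            verdict = "unknown-sender"        # IP not listed in hosts.cfg
        elif claimed.startswith(own + "."):
            verdict = "id-mistaken-for-host"  # the case described in the thread
        else:
            verdict = "host-mismatch"         # known sender, ID names another host
        results.append((sender, claimed, verdict))
    return results
```

Entries marked `id-mistaken-for-host` are the ones where the sender is a configured host and only the ID-as-hostname comparison failed; the other two verdicts are refusals worth investigating before any sender list is widened.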