Securing Xymon Over Internet

7 messages in this thread

list Neil Franken · Tue, 10 Feb 2009 10:06:39 +0200 ·
Hi XyMonsters!

 
I need to monitor several satellite sites with XyMon. These sites are
not available on our local LAN so I have to go via the internet. I am a
bit hesitant to open the ports etc since the information collected can
be used in foot printing the system. How would I go about securing the
service so that xymons information does not fall into the wrong hands?

 
Regards

Neil
list Johan Sjöberg · Tue, 10 Feb 2009 10:57:26 +0100 ·
Would it be possible to set up VPN:s to the remote locations? That way you can have a secure connection over the internet, transparent to Xymon. There are a number of free solutions available, i.e. OpenVPN.

 
/Johan
quoted from Neil Franken

 
From: Neil Franken [mailto:user-1689acfc5a3b@xymon.invalid] 
Sent: den 10 februari 2009 09:07
To: user-ae9b8668bcde@xymon.invalid
Subject: [hobbit] Securing Xymon Over Internet

 
Hi XyMonsters!

 
I need to monitor several satellite sites with XyMon. These sites are not available on our local LAN so I have to go via the internet. I am a bit hesitant to open the ports etc since the information collected can be used in foot printing the system. How would I go about securing the service so that xymons information does not fall into the wrong hands?

 
Regards

Neil
list Neil Franken · Tue, 10 Feb 2009 14:15:01 +0200 ·
Hi Johan

 
Will check it out. Are there any other alternatives? I just need to have a plan A, B and C to present to the bean counters.

 
Regards

Neil
quoted from Johan Sjöberg

 
From: Johan Sjöberg [mailto:user-74c177c1220d@xymon.invalid] 
Sent: 10 February 2009 11:57 AM
To: user-ae9b8668bcde@xymon.invalid
Subject: RE: [hobbit] Securing Xymon Over Internet

 
Would it be possible to set up VPN:s to the remote locations? That way you can have a secure connection over the internet, transparent to Xymon. There are a number of free solutions available, i.e. OpenVPN.

 
/Johan

 
From: Neil Franken [mailto:user-1689acfc5a3b@xymon.invalid] 
Sent: den 10 februari 2009 09:07
To: user-ae9b8668bcde@xymon.invalid
Subject: [hobbit] Securing Xymon Over Internet

 
Hi XyMonsters!

 
I need to monitor several satellite sites with XyMon. These sites are not available on our local LAN so I have to go via the internet. I am a bit hesitant to open the ports etc since the information collected can be used in foot printing the system. How would I go about securing the service so that xymons information does not fall into the wrong hands?

 
Regards

Neil
list Rob MacGregor · Tue, 10 Feb 2009 12:28:10 +0000 ·
quoted from Neil Franken
On Tue, Feb 10, 2009 at 12:15, Neil Franken
<user-1689acfc5a3b@xymon.invalid> wrote:
Hi Johan

Will check it out. Is there any other alternatives? I just need to have a
plan A,B and C  to present to the bean counters.
Your options are basically either:

a) VPN (pick your solution)

b) SSH tunnel

-- 
                 Please keep list traffic on the list.

Rob MacGregor
      Whoever fights monsters should see to it that in the process he
        doesn't become a monster.                  Friedrich Nietzsche
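Option (b) above, worked through as an added example (this is not code from Rob, the thread, or the Xymon project): the remote site opens an SSH local forward to the central server, so the only port exposed at the central site is SSH, and the Xymon client is pointed at the loopback end of the tunnel. Assumed names: the central host central.example.com, a dedicated tunnel-only account "xymontunnel", the key file ~/.ssh/xymon_tunnel, and the Xymon 4.2-era client config file hobbitclient.cfg with its BBDISP setting; port 1984 is the Xymon port used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: carry Xymon client reports from a
# remote site to the central server over an SSH local forward instead of
# exposing port 1984 on the internet. Assumed names: central.example.com,
# the tunnel-only account "xymontunnel" and the key ~/.ssh/xymon_tunnel.

XYMON_PORT=1984                      # Xymon report port, as used in the thread
CENTRAL_HOST="central.example.com"   # assumption: public name of the central server
TUNNEL_USER="xymontunnel"            # assumption: dedicated account that only tunnels

# The command the remote site runs (from cron or a supervisor such as autossh):
# -N       no remote command, forwarding only
# -L       127.0.0.1:1984 here -> 127.0.0.1:1984 on the central server; the
#          forward is bound to loopback so the remote LAN cannot use it
# ExitOnForwardFailure  fail loudly instead of running a tunnel without the forward
# ServerAlive*          notice a dead link and exit so the supervisor restarts it
ssh_tunnel_cmd() {
    printf 'ssh -N -i ~/.ssh/xymon_tunnel -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -L 127.0.0.1:%s:127.0.0.1:%s %s@%s' \
        "$XYMON_PORT" "$XYMON_PORT" "$TUNNEL_USER" "$CENTRAL_HOST"
}

# authorized_keys entry for that account on the central server. "restrict"
# (OpenSSH 7.2+) turns off pty, agent and X11 forwarding; "port-forwarding"
# re-enables forwarding and "permitopen" limits it to the Xymon port, so a
# key stolen from a site cannot be used to reach anything else behind the server.
authorized_keys_line() {
    pubkey="$1"
    printf 'restrict,port-forwarding,permitopen="127.0.0.1:%s" %s' "$XYMON_PORT" "$pubkey"
}

# Point a Xymon 4.2-era client config (hobbitclient.cfg, BBDISP="...") at the
# local end of the tunnel. Rewrites via a temp file, so it works with any sed.
point_client_at_tunnel() {
    cfg="$1"
    sed 's/^BBDISP=.*/BBDISP="127.0.0.1"/' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Read back the BBDISP value from a client config, quotes stripped.
client_bbdisp() {
    sed -n 's/^BBDISP="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1"
}

# Demo on a constructed sample client config (not a real site's file).
tmpdir=$(mktemp -d)
printf 'BBDISP="10.0.0.5"\nCLIENTHOSTNAME="site1"\n' > "$tmpdir/hobbitclient.cfg"
point_client_at_tunnel "$tmpdir/hobbitclient.cfg"
echo "Remote site runs:        $(ssh_tunnel_cmd)"
echo "Client now reports to:   $(client_bbdisp "$tmpdir/hobbitclient.cfg")"
echo "Central authorized_keys: $(authorized_keys_line 'ssh-ed25519 AAAA...placeholder site1')"
rm -rf "$tmpdir"
```

Run the printed ssh command under a supervisor at each remote site, give the tunnel account a non-interactive login shell on the central server, and keep the SSH port as the only inbound rule at the central firewall; the central Xymon daemon then never has to listen on a public interface.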
list Josh Luthman · Tue, 10 Feb 2009 09:12:56 -0500 ·
The two options I know of are ssh and VPN, as was said.  Depending on
your network hardware a VPN should be very easy but ssh is a great
fallback (who doesn't have ssh open!?)
quoted from Rob MacGregor

On 2/10/09, Rob MacGregor <user-07c9d92ae079@xymon.invalid> wrote:
On Tue, Feb 10, 2009 at 12:15, Neil Franken
<user-1689acfc5a3b@xymon.invalid> wrote:
Hi Johan

Will check it out. Is there any other alternatives? I just need to have a
plan A,B and C  to present to the bean counters.
Your options are basically either:

a) VPN (pick your solution)

b) SSH tunnel

--
                 Please keep list traffic on the list.

Rob MacGregor
      Whoever fights monsters should see to it that in the process he
        doesn't become a monster.                  Friedrich Nietzsche

-- 

Josh Luthman
Office: XXX-XXX-XXXX
Direct: XXX-XXX-XXXX
XXXX Wayne St
Suite XXXX
Troy, OH XXXXX

Those who don't understand UNIX are condemned to reinvent it, poorly.
--- Henry Spencer
list Henrik Størner · Tue, 10 Feb 2009 16:22:36 +0100 ·
quoted from Neil Franken
On Tue, Feb 10, 2009 at 10:06:39AM +0200, Neil Franken wrote:
I need to monitor several satellite sites with XyMon. These sites are
not available on our local LAN so I have to go via the internet. I am a
bit hesitant to open the ports etc since the information collected can
be used in foot printing the system. How would I go about securing the
service so that xymons information does not fall into the wrong hands?
For a solution now, OpenVPN would be my suggestion - it is very easy to 
setup, uses standard OpenSSL encryption with digital certificates for
authentication, and has a nice price ($ 0,00). Plus you get a true VPN
connection to the server, so if need be you can SSH to the remote
servers through the VPN tunnel - or rdesktop, if they are Windows
servers.

In the slightly longer run, the Xymon clients will know how to use
an SSL-encrypted connection to the Xymon server. This is planned
for one of the releases that will show up over the coming months
(see my announcement from yesterday).


Regards,
Henrik
list Bill Arlofski · Mon, 16 Feb 2009 11:45:17 -0500 ·
quoted from Henrik Størner
Hi XyMonsters!

I need to monitor several satellite sites with XyMon. These sites are not available on our local LAN so I have to go via the internet. I am a bit hesitant to open the ports etc since the information collected can be used in foot printing the system. How would I go about securing the service so that xymons information does not fall into the wrong hands?

Regards

Neil

Hi Neil...   I just recently did this same thing. At sites where I do not have
a VPN, I have found that stunnel is the best/easiest way to go.

On the client site (your remote sites) stunnel running in client mode can
listen on an arbitrary port (I chose 11984) and then send the data ENCRYPTED
to an stunnel running in server mode at your central site. The server mode
stunnel then sends the unencrypted data to your central xymon server on port 1984.

Here's a cheesy ASCII diagram:


(Remote xymon server)
~xymon/server/etc/hobbitserver.cfg:
BBDISP=0.0.0.0
BBDISPLAYS="ip.of.client.xymon 127.0.0.1:11984"

stunnel: in CLIENT mode (default)
         listen=127.0.0.1:11984 (unencrypted data in)
         connect=your.firewall.ip:11984 (encrypted data out)
	|
	V
 Client's firewall (allow server out on 11984/TCP to your firewall IP)
	|
	V
     INTERNET
	|
	V
 Your firewall (allow client's firewall IP in on 11984/TCP to your server)
	|
	V
your server running
 stunnel & xymon
	|
	V	
stunnel: in SERVER mode
	 listen=127.0.0.1:11984 (encrypted data in)
	 connect=127.0.0.1:1984 (unencrypted data out to central xymon server)


This should take about 1/2 hour to 45 minutes to do. Thanks to the stunnel
people, it is that simple.

Hope this helps!

--
Bill Arlofski
Reverse Polarity, LLC
http://www.revpol.com/
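The client-mode and server-mode stunnel configurations from the diagram above, written out as an added example (not Bill's files and not the stunnel project's own). It goes one step beyond the thread's setup: both ends carry a certificate from a private CA and set `verify = 2`, so the central stunnel accepts reports only from sites holding one of your certificates and a site only talks to the genuine central server, which is what keeps the collected information from being read or forged by a third party on the internet. Assumed paths: /etc/stunnel/<site>-cert.pem, <site>-key.pem, central-cert.pem, central-key.pem and xymon-ca.pem; ports 11984 and 1984 are those used in the post.

```shell
#!/bin/sh
# Added example, not Bill's or the stunnel project's own files: generate the
# two stunnel configurations for the layout in the post and lint them.
# Adds mutual certificate verification on top of the thread's setup.
# Assumed paths: /etc/stunnel/<site>-cert.pem, <site>-key.pem, xymon-ca.pem,
# central-cert.pem, central-key.pem. Ports 11984 and 1984 are from the post.

write_stunnel_confs() {
    outdir="$1"; site="$2"; central="$3"

    # Remote site, stunnel in client mode: the Xymon client sends plain
    # reports to 127.0.0.1:11984 (BBDISPLAYS points there); stunnel wraps
    # them in TLS and connects out to the central firewall on 11984/TCP.
    cat > "$outdir/stunnel-client.conf" <<EOF
; stunnel, client mode, remote site "$site" (generated by the example script)
cert = /etc/stunnel/$site-cert.pem
key = /etc/stunnel/$site-key.pem
CAfile = /etc/stunnel/xymon-ca.pem
verify = 2
pid = /var/run/stunnel-xymon.pid

[xymon]
client = yes
accept = 127.0.0.1:11984
connect = $central:11984
EOF

    # Central site, stunnel in server mode: TLS in from the firewall on
    # 11984/TCP, decrypted reports handed to the Xymon daemon on loopback.
    cat > "$outdir/stunnel-server.conf" <<EOF
; stunnel, server mode, central site (generated by the example script)
cert = /etc/stunnel/central-cert.pem
key = /etc/stunnel/central-key.pem
CAfile = /etc/stunnel/xymon-ca.pem
verify = 2
pid = /var/run/stunnel-xymon.pid

[xymon]
accept = 11984
connect = 127.0.0.1:1984
EOF
}

# Sanity check before deploying: a tunnel that encrypts but never verifies
# the peer lets anyone who can reach 11984/TCP push status into Xymon.
lint_stunnel_conf() {
    conf="$1"; role="$2"
    for key in CAfile verify accept connect; do
        grep -q "^[[:space:]]*$key[[:space:]]*=" "$conf" \
            || { echo "$conf: missing '$key'" >&2; return 1; }
    done
    case "$role" in
        client) grep -q '^[[:space:]]*client[[:space:]]*=[[:space:]]*yes' "$conf" \
                    || { echo "$conf: client mode not set" >&2; return 1; } ;;
        server) grep -q '^[[:space:]]*cert[[:space:]]*=' "$conf" \
                    || { echo "$conf: server needs a certificate" >&2; return 1; } ;;
    esac
    echo "$conf: ok"
}

# Demo: write both files to a scratch directory and lint them.
outdir=$(mktemp -d)
write_stunnel_confs "$outdir" site1 your.firewall.ip
lint_stunnel_conf "$outdir/stunnel-client.conf" client
lint_stunnel_conf "$outdir/stunnel-server.conf" server
```

The generated files are left in the scratch directory for inspection; copy them to /etc/stunnel on each side and start stunnel with the file as its argument. `verify = 2` is the option name from the stunnel 4 era in use when this thread was written; current stunnel 5 releases still accept it but also offer `verifyChain = yes` for the same purpose.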