TCP Wrappers for xymond
list Jeremy Laidman
Hiya I'm planning on deploying a Xymon server on the Internet, and would like to lock it down as much as possible. I'll be creating iptables rules to limit access to port 1984. However, I'd really like to have a fallback protection mechanism, in case (or for when) the iptables rules are not being applied, or are misconfigured. It seems to me that the use of libwrap (TCP wrappers) would suit me nicely, so that I could add hosts into /etc/hosts.allow as required. I will already be using this for other services such as ssh. However, there doesn't appear to be a simple way for xymond to use libwrap. From what I understand, there are two ways to achieve TCP wrapper support: one way is to compile the daemon to dynamically link to the libwrap library; the other is to run the daemon from inetd/xinetd. Neither of these seem to be available for xymond. Can anyone suggest a simple way to do this? Would it be easy to recompile xymond with libwrap support? In the back of my mind, I seem to recall that the libwrap library re-implements all of the socket calls from libc, and so maybe all that's required is to have "-lwrap" before "-lc" in a Makefile somewhere. One idea that came to mind is to have xymond listen only on 127.0.0.1 only, and have xinetd listening on 0.0.0.0, which then connects any incoming socket to 127.0.0.1 (using the "redirect" config options). But this is a bit too message for my liking, because I don't want my operations staff confused by the extra complexity. Also, I suspect this will provide a reduction in throughput when compared to xymond listening directly, not only due to the extra connection overhead, but also perhaps limiting xymond's ability to do any clever things like pre-forking. Also the extra logging might cause a backlog. Or maybe I'm worrying about nothing, and this is a perfectly elegant solution. The best I could hope for, would be explicit support for compiling it in, perhaps with "--with-libwrap" and "--without-libwrap" options for configure. Cheers Jeremy
list Asif Iqbal
On Wed, Jul 30, 2014 at 2:59 AM, Jeremy Laidman <user-71895fb2e44c@xymon.invalid>
▸
wrote:
Hiya I'm planning on deploying a Xymon server on the Internet, and would like to lock it down as much as possible. I'll be creating iptables rules to limit access to port 1984. However, I'd really like to have a fallback protection mechanism, in case (or for when) the iptables rules are not being applied, or are misconfigured. It seems to me that the use of libwrap (TCP wrappers) would suit me nicely, so that I could add hosts into /etc/hosts.allow as required. I will already be using this for other services such as ssh. However, there doesn't appear to be a simple way for xymond to use libwrap. From what I understand, there are two ways to achieve TCP wrapper support: one way is to compile the daemon to dynamically link to the libwrap library; the other is to run the daemon from inetd/xinetd. Neither of these seem to be available for xymond. Can anyone suggest a simple way to do this? Would it be easy to recompile xymond with libwrap support? In the back of my mind, I seem to recall that the libwrap library re-implements all of the socket calls from libc, and so maybe all that's required is to have "-lwrap" before "-lc" in a Makefile somewhere. One idea that came to mind is to have xymond listen only on 127.0.0.1 only, and have xinetd listening on 0.0.0.0, which then connects any incoming socket to 127.0.0.1 (using the "redirect" config options). But this is a bit too message for my liking, because I don't want my operations staff confused by the extra complexity. Also, I suspect this will provide a reduction in throughput when compared to xymond listening directly, not only due to the extra connection overhead, but also perhaps limiting xymond's ability to do any clever things like pre-forking. Also the extra logging might cause a backlog. Or maybe I'm worrying about nothing, and this is a perfectly elegant solution. The best I could hope for, would be explicit support for compiling it in, perhaps with "--with-libwrap" and "--without-libwrap" options for configure. Cheers Jeremy
OR you could use tcpserver which does not require recompiling xymond. -- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing?
list Bill Arlofski
Or, I like to use stunnel so that my Xymon communications to/from Internet accessible servers are encrypted end-to-end. It is pretty simple to set up too. Also, not sure if stunnel supports tcp-wrappers, but you can also include Asif's recommendation along with stunnel in that case. Then you have secure, encrypted communications, with connections controlled and limited by tcpwrappers and iptables Also, stunnel actually does not need to support tcpwrappers because the connections can be secured using certs. ;) Bill -- Bill Arlofski Reverse Polarity, LLC http://www.revpol.com/ -- Not responsible for anything below this line --
list Jeremy Laidman
Thanks for the replies. I've used tcpserver in the past (long ago, when running your own mail/dns server seemed like a fun thing to do) and it worked pretty well. But I think xinetd can do much the same, also uses the same /etc/hosts.allow for controlling access, and is already installed.
▸
On 31 July 2014 01:04, Bill Arlofski <user-0b8af203a56e@xymon.invalid> wrote:
Also, stunnel actually does not need to support tcpwrappers because the connections can be secured using certs. ;)
Hmm. That's an interesting idea. I like the prospect of having encrypted and authenticated connections. But I don't like the overhead of managing certificates. Also, I like having the same access config file (hosts.allow) for all services. I might see how I go with xinetd. J