Xymon Mailing List Archive

RFE: message encryption

10 messages in this thread

list T.J. Yang · Mon, 10 Oct 2011 13:58:17 -0500 ·
Hi, Henrik

Passing messages without encryption between the xymon client and server will
cause concerns in corporate IT.
I know you did some work on this in previous branches; can you activate this
message encryption work or put it on the roadmap?

Thanks

tj

-- 
T.J. Yang
list Ralph Mitchell · Mon, 10 Oct 2011 16:26:32 -0400 ·
I would second that.  I'm hoping to have Xymon approved at work, but we have
to comply with DoD *and* PCI standards.  We're not supposed to have
unencrypted data moving across the network.

At present, I have a work-around.  Instead of using bin/xymon to send
messages, I'm using curl to post the message file to
https://server.domain.com/xymon/upload.php.  On the server side, the
upload.php script simply drops the message file into xymon's incoming
stream, just as if it were delivered over the net by bin/xymon.

The client side has the server's CA cert to validate the connection and the
data flow is encrypted in transit.  I could use client certificates as well.

Ralph Mitchell

list T.J. Yang · Mon, 10 Oct 2011 15:50:47 -0500 ·
quoted from Ralph Mitchell
On Mon, Oct 10, 2011 at 3:26 PM, Ralph Mitchell <user-00a5e44c48c0@xymon.invalid> wrote:
I would second that.  I'm hoping to have Xymon approved at work, but we have
to comply with DoD *and* PCI standards.  We're not supposed to have
unencrypted data moving across the network.

At present, I have a work-around.  Instead of using bin/xymon to send
messages, I'm using curl to post the message file to
https://server.domain.com/xymon/upload.php.  On the server side, the
upload.php script simply drops the message file into xymon's incoming
stream, just as if it were delivered over the net by bin/xymon.
Good idea.  I can almost copy this approach.
quoted from Ralph Mitchell
The client side has the server's CA cert to validate the connection and the
data flow is encrypted in transit.  I could use client certificates as well.
But I think this approach only works for the Linux xymon client, since
curl is readily available.
Preparing curl for other Unix (say HP-UX) and Windows will be a big challenge.


tj
-- 

T.J. Yang
list Rob Munsch · Mon, 10 Oct 2011 16:53:04 -0400 ·
quoted from T.J. Yang
> At present, I have a work-around.  Instead of using bin/xymon to send
> messages, I'm using curl to post the message file to
> https://server.domain.com/xymon/upload.php.  On the server side, the
> upload.php script simply drops the message file into xymon's incoming
> stream, just as if it were delivered over the net by bin/xymon.

Good idea.  I almost can copy this approach.

> The client side has the server's CA cert to validate the connection
> and the data flow is encrypted in transit.  I could use client certificates as well.

But I think this approach only works for Linux xymon client, since curl is readily available.
Preparing curl for other Unix (say HP-UX) and Windows will be a big challenge.
Actually....

http://curl.haxx.se/download.html

Wanna run it on Haiku? How about an Amiga? :)
list Ralph Mitchell · Mon, 10 Oct 2011 17:07:48 -0400 ·
quoted from Rob Munsch
On Mon, Oct 10, 2011 at 4:53 PM, Rob Munsch <user-d560979fab41@xymon.invalid>wrote:
Actually....

http://curl.haxx.se/download.html

Wanna run it on Haiku? How about an Amiga? :)
Beat me to it...  :-)    We've got the script running on some IBM AIX boxes
here.  I think the curl version is something ridiculous, like curl-7.9, but
it still delivers.  That particular version is not built with SSL, so it
won't do secure connections.  We have HP-UX as well, but no Xymon client on
that (yet).

I've lost *some* functionality, because I'm only installing the shell
scripts, not any compiled binaries.  That way, if I have to, I can show that
it's just a script using utilities supplied along with the OS, same as
anyone can type in to discover machine status.  Plus it's easier for other
people to maintain.

Ralph Mitchell
list Roland Soderstrom · Tue, 11 Oct 2011 08:33:52 +1100 ·
This feature would please my managers a lot, getting all traffic encrypted.
To me it seems like all the stones are there, like SSL; isn't xymond just an RPC?
Just need to put it together. (sounds easy, doesn't it?)

I had another thought that I haven't played around with yet.
Could you create an ssh tunnel and just pipe all xymon traffic through it?

client % ssh -N -g -f -L 1984:xymonserver.local:1984 xymonserver.local -l roland
And let XYMSRV be localhost:1984
or something similar...

I don't have a test rig to test it out right now.

- Roland

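Roland's tunnel idea worked through as an added example (my code, not Roland's and not part of Xymon). It assumes a dedicated tunnel-only account `xymontunnel` on the Xymon server, a key at /etc/xymon/tunnel_key, a pre-populated known_hosts file at /etc/xymon/known_hosts and the usual client binary path; the server name is the one from Roland's post. Two things differ from his one-liner: the local end of the forward is bound to 127.0.0.1 instead of to every interface (`-g`), and the key on the server is restricted so it can do nothing but open that one forward.

```shell
#!/bin/sh
# xymon-tunnel.sh: added example, not from the thread or from Xymon.
# Keeps an SSH local forward to the Xymon server's xymond port (1984) alive
# and sends client messages through it. Account, key and socket paths are
# assumptions; adjust for your site.

XYMON_SERVER="${XYMON_SERVER:-xymonserver.local}"
TUNNEL_USER="${TUNNEL_USER:-xymontunnel}"            # assumed tunnel-only account
TUNNEL_KEY="${TUNNEL_KEY:-/etc/xymon/tunnel_key}"    # assumed key path
KNOWN_HOSTS="${KNOWN_HOSTS:-/etc/xymon/known_hosts}" # assumed, pre-populated
LOCAL_PORT="${LOCAL_PORT:-1984}"
CTL_SOCK="${CTL_SOCK:-/var/run/xymon-tunnel.sock}"
XYMON="${XYMON:-/usr/lib/xymon/client/bin/xymon}"    # assumed client binary

# Forward specification. Binding the listener to 127.0.0.1 is the point:
# "-g" (or a bare "1984:") makes the local end reachable from other hosts,
# so anyone on the LAN could push plaintext into your authenticated tunnel.
# The remote end is 127.0.0.1 on the server so that permitopen (below)
# can match it exactly.
forward_spec() {
    printf '127.0.0.1:%s:127.0.0.1:1984' "$LOCAL_PORT"
}

# authorized_keys line for the tunnel account on the Xymon server. The key
# gets no shell, no pty, no agent or X11 forwarding, and may only open
# forwards to the local xymond port. OpenSSH 7.2+ can shorten the no-*
# options to "restrict,port-forwarding,permitopen=...". The client must
# connect with -N, so the forced command is never even run.
authorized_keys_line() {
    printf 'no-pty,no-X11-forwarding,no-agent-forwarding,command="/bin/false",permitopen="127.0.0.1:1984" %s\n' "$1"
}

# True if the master connection behind CTL_SOCK is still alive.
tunnel_up() {
    ssh -S "$CTL_SOCK" -O check "$TUNNEL_USER@$XYMON_SERVER" >/dev/null 2>&1
}

# Start the tunnel once, as a background master (-M -f -N). The known_hosts
# file is the trust anchor: StrictHostKeyChecking=yes refuses an unknown or
# changed server key instead of asking, so a spoofed server cannot quietly
# collect reports. ExitOnForwardFailure=yes turns a port clash into an
# error rather than a live tunnel with no forward in it.
start_tunnel() {
    tunnel_up && return 0
    ssh -N -f -M -S "$CTL_SOCK" \
        -i "$TUNNEL_KEY" \
        -o IdentitiesOnly=yes \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$KNOWN_HOSTS" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -L "$(forward_spec)" \
        "$TUNNEL_USER@$XYMON_SERVER"
}

# Deliver a message the normal way, but to the local end of the tunnel
# (Roland's "let XYMSRV be localhost:1984"). If the tunnel cannot be
# brought up we fail rather than fall back to the real server in the clear.
send_via_tunnel() {
    start_tunnel || { echo "xymon tunnel is down, not sending in the clear" >&2; return 1; }
    "$XYMON" "127.0.0.1:$LOCAL_PORT" "$1"
}

# Usage: xymon-tunnel.sh send "status host,name.test green `date` all fine"
case "${1:-}" in
    send) send_via_tunnel "$2" ;;
esac
```

Run it from the client's own report scripts in place of `$XYMON $XYMSRV "$MESSAGE"`; the first call opens the master connection, later calls reuse it. On the server, pair the `authorized_keys` line with xymond listening only on 127.0.0.1 so the plaintext port stops being reachable over the network at all.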

list Ralph Mitchell · Mon, 10 Oct 2011 17:40:26 -0400 ·
That's close to what I am doing using curl to post to a secure web server.
Secure http over port 443 is already blessed by management and security.
Opening another port requires paperwork...

Ralph Mitchell

list Roland Soderstrom · Tue, 11 Oct 2011 08:45:11 +1100 ·
Yes, we have 443 and 22 open so this will just work, if you figure out how to do it that is...
but this approach will let almost all OS flavors use it, as almost all have SSH by default, or at least easily installed.

- Roland




list Bill Arlofski · Tue, 11 Oct 2011 09:12:52 -0400 ·
Why not use stunnel?

http://www.stunnel.org/

--[snip]--
The stunnel program is designed to work as an SSL encryption wrapper between
remote client and local (inetd-startable) or remote server. It can be used to
add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP
servers without any changes in the programs' code
--[snip]--

I have used it in quite a few scenarios, including sending Xymon reports to my
server from clients (web server, email server etc) on the Internet.

--
Bill Arlofski
Reverse Polarity, LLC
http://www.revpol.com/
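Bill's stunnel suggestion as an added example (my configuration, not Bill's, and not from the stunnel or Xymon projects). It assumes a TLS listener on port 1985 on the Xymon server, a private CA at /etc/stunnel/xymon-ca.pem and certificate files under /etc/stunnel; the server name is Roland's. The part worth attention is `verify`: stunnel without it encrypts the connection but never checks the peer's certificate, which is exactly the hole a DoD or PCI reviewer will ask about.

```shell
#!/bin/sh
# gen-stunnel-xymon.sh: added example, not from the thread or from the
# stunnel or Xymon projects. Emits a client and a server stunnel
# configuration that wrap the plaintext Xymon port (1984) in TLS.
# Paths, the TLS port and the server name are assumptions.

XYMON_SERVER="${XYMON_SERVER:-xymonserver.local}"
TLS_PORT="${TLS_PORT:-1985}"                     # assumed TLS listener on the server
CA_FILE="${CA_FILE:-/etc/stunnel/xymon-ca.pem}"  # assumed: your own private CA

# Client side. The Xymon client keeps talking plaintext, but only to
# 127.0.0.1:1984 (set XYMSRV=127.0.0.1); stunnel carries it to the server.
client_conf() {
    cat <<EOF
; stunnel client for Xymon: plaintext on loopback, TLS to $XYMON_SERVER
client = yes
CAfile = $CA_FILE
; Without verify, stunnel encrypts but never checks who it is talking to,
; so anyone who can intercept the connection can pose as the server.
; verify = 2 requires a certificate chaining to CAfile. It does not check
; the host name, so keep this CA for Xymon only; on stunnel 5 prefer
; verifyChain = yes together with checkHost = $XYMON_SERVER.
verify = 2
; Client certificate (cert and key in one PEM, assumed path), so the
; server can authenticate this host as well.
cert = /etc/stunnel/xymon-client.pem
[xymon]
accept = 127.0.0.1:1984
connect = $XYMON_SERVER:$TLS_PORT
EOF
}

# Server side. Terminate TLS on TLS_PORT and hand the plaintext to xymond
# on loopback. Start xymond with --listen=127.0.0.1:1984 so the
# unencrypted port is not reachable from the network at all.
server_conf() {
    cat <<EOF
; stunnel server for Xymon: TLS on $TLS_PORT, plaintext to xymond on loopback
cert = /etc/stunnel/xymon-server.pem
CAfile = $CA_FILE
; Require a client certificate from our CA: a host without one cannot
; submit status reports, which also stops report spoofing from the LAN.
verify = 2
; drop privileges after binding (assumed account)
setuid = nobody
setgid = nogroup
[xymon]
accept = 0.0.0.0:$TLS_PORT
connect = 127.0.0.1:1984
EOF
}

# Write both files. Usage: gen-stunnel-xymon.sh write client.conf server.conf
write_confs() {
    client_conf > "${1:-xymon-client-stunnel.conf}"
    server_conf > "${2:-xymon-server-stunnel.conf}"
}

case "${1:-}" in
    write) write_confs "$2" "$3" ;;
esac
```

Because stunnel wraps the raw TCP stream, nothing in Xymon changes apart from XYMSRV on the client and `--listen` on xymond; the same files also work for the server-to-server traffic of xymonproxy.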
list Ralph Mitchell · Thu, 27 Oct 2011 16:01:16 -0400 ·
I was taking another crack at this today and found some interesting things.
The xymon command, which delivers messages to the server, can take a URL
for a parameter.  Also, lurking in xymon-4.3.5/xymonproxy there is a little
program called xymoncgimsg, which takes an HTTP-delivered Xymon message and
hands it directly to Xymon.  I went a step further and poked around in the
code to see what was being sent, and came up with this:

1) Discover the state of some service, including the color. Assemble the
report:

     MESSAGE="status $MACHINE.$TEST $COLOR `date`
        some message(s) relating to the test we're reporting"

2) instead of doing: $XYMON $XYMSRV "$MESSAGE"  to deliver, do this:

     curl -s -S -L --cacert /path/to/secure/xymon-server/cert.pem \
           -H "Content-Type: application/octet-stream" \
           -H "MIME-version: 1.0" \
           -d "$MESSAGE" \
           https://secure-xymon.server.com/xymon-cgi/xymoncgimsg.cgi

Curl validates the server certificate and manages the encrypted connection.
$MESSAGE is shoved down the pipe to the cgi script and directly to xymon.

Ralph Mitchell
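Ralph's curl-over-HTTPS delivery, from his first post and the xymoncgimsg version above, as one added example (my script, not Ralph's and not part of Xymon). The receiver URL and CA file path are assumptions taken from his post. It adds the two checks his one-liner relies on but does not make: the target must be https:// (no quiet fallback to plaintext), and the local curl must actually be built with TLS, which is the AIX curl-7.9 case he ran into. It also replaces a bare `-L` with `--proto-redir =https`, so a redirect can never downgrade the connection.

```shell
#!/bin/sh
# xymon-send-https.sh: added example, not from the thread or from Xymon.
# Builds a Xymon status message the way bin/xymon would and posts it over
# HTTPS to a receiver such as the xymoncgimsg CGI described above.
# URL and CA path are assumptions; adjust for your site.

XYMON_URL="${XYMON_URL:-https://secure-xymon.server.com/xymon-cgi/xymoncgimsg.cgi}"  # assumed
XYMON_CACERT="${XYMON_CACERT:-/etc/xymon/xymon-ca.pem}"                                # assumed

# Refuse anything that is not https://. A stale config or a typo must fail
# here, not quietly ship the report in the clear.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS target: $1" >&2; return 1 ;;
    esac
}

# Given the text of 'curl --version', report whether this build can do TLS.
# The old curl-7.9 on AIX mentioned above is the failure mode: no "SSL" in
# its Features line, and an https:// URL simply errors out.
curl_has_ssl() {
    printf '%s\n' "$1" | grep -i '^Features:.*SSL' >/dev/null
}

# "status HOST.TEST COLOR <date>" on the first line, details after. Xymon
# writes the dots of a host name as commas, so the test name is whatever
# follows the last dot.
build_message() {
    bm_host=$(printf '%s' "$1" | tr '.' ',')
    printf 'status %s.%s %s %s\n%s\n' "$bm_host" "$2" "$3" "$(date)" "$4"
}

# The curl flags that matter:
#   --cacert            trust only our CA, not whatever the OS bundle holds
#   --proto =https      only speak https for the first request
#   -L --proto-redir =https  follow redirects, but refuse any to http://
#   --fail              an HTTP error from the receiver is a failed send
#   --data-binary       send the message byte for byte, newlines included
post_message() {
    require_https "$XYMON_URL" || return 1
    curl_has_ssl "$(curl --version 2>/dev/null)" || {
        echo "this curl has no TLS support; not sending" >&2; return 1; }
    curl -s -S --fail -L --proto '=https' --proto-redir '=https' \
        --cacert "$XYMON_CACERT" \
        -H "Content-Type: application/octet-stream" \
        --data-binary "$1" \
        "$XYMON_URL"
}

# Usage: xymon-send-https.sh send www.example.com http green "port 443 answers"
case "${1:-}" in
    send) post_message "$(build_message "$2" "$3" "$4" "$5")" ;;
esac
```

The receiver side is whatever accepts the POST body and hands it to xymond: Ralph's upload.php, or the xymoncgimsg CGI shipped with xymon-4.3.5. Adding client certificates, as he mentions, is one more curl option (`--cert`) on this side and a `SSLVerifyClient require` on the web server; the script above does not assume either.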