background 
Kris' Tech Blog ( and stuff ) Home About Kris Contact Kris

Categories


All by Date

Linux

Security

Networks

Religion

General





Kris Springer's Tech Blog - Xymon Powershell Client over SSL
Xymon Powershell Client over SSL 2-8-24
Kris Springer


The regular Xymon Powershell Client sends it's data back to the server unencrypted over port 1984. That's fine if the devices are on a local network or a tunnel that can't be sniffed by malicious actors, but in today's hyper security focused networks we need to make sure we secure the traffic flowing between client and server. The Xymon Server has a built-in method of accepting data over SSL (port 443) but it's not enabled by default, and the Powershell Client also has the ability to use SSL but it's not enabled by default either. The good news is that it's very easy to get working.

IMPORTANT PRE-REQ'S:
  • I'm assuming you already have a functioning Xymon Server that can collect data, and you understand how to administrate it.
  • Your Xymon Server webpage functionally uses SSL (https) and port 443 is accessible from the Windows clients that will be sending data. If you need an easy SSL cert you can use CertBot
  • Your webserver is configured to function with .htaccess and .htpasswd files. My instructions below are for Apache2.

ON XYMON SERVER:
  1. Copy the required cgi program file so it is usable. sudo cp /usr/lib/xymon/server/bin/xymoncgimsg.cgi /usr/lib/xymon/cgi-bin/
  2. Create .htaccess file in /usr/lib/xymon/cgi-bin/ sudo nano /usr/lib/xymon/cgi-bin/.htaccess Put this in the file. AuthUserFile /usr/lib/xymon/cgi-bin/.htpasswd AuthType Basic AuthName "Protected Content" require valid-user
  3. Create case sensitive user/pass in /usr/lib/xymon/cgi-bin/
    Instead of 'WinClient' you can define whatever username you want. cd /usr/lib/xymon/cgi-bin/ sudo htpasswd -c .htpasswd WinClient
  4. The /usr/lib/xymon/cgi-bin/ directory is accessed in a URL as /xymon-cgi/ which is an alias.
    An Apache config needs 2 directory paths fixed so our CGI’s will work. sudo nano /etc/apache2/conf-enabled/serve-cgi-bin.conf Change ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ to ScriptAlias /cgi-bin/ /usr/lib/xymon/cgi-bin/
    Change Directory "/usr/lib/cgi-bin" to Directory "/usr/lib/xymon/cgi-bin"

  5. Restart Apache2 service sudo systemctl restart apache2.service

ON WINDOWS CLIENT MACHINE:
  1. Download this modified XymonPSclient.zip
    It's been modified by a few different people to function properly since the last 'official' version hasn't been updated in many years and it doesn't work right over SSL.
  2. Extract the 'XymonPSclient' folder to Downloads or Desktop. Don't try to run it from inside the zip file.
  3. Edit the xymonclient_config.xml file and define your Xymon Server URL and the User/Pass you created previously.
  4. Double-click install.vbs and approve the security popup. A Powershell terminal will auto open/close during installation. Just wait for it to finish.
  5. Open Task Manager and confirm that the 'XymonPSClient' service was installed and is running.

ON XYMON SERVER:
  1. Check the Ghost Clients list to see your new host.
  2. Add the new host to your Xymon hosts.cfg file.






© Copyright 2024 WarriorSon Productions. All rights reserved.