[smokeping-users] Slave-Master security

Tobias Oetiker tobi at oetiker.ch
Wed Mar 20 07:15:30 CET 2013


Yesterday Gregory Sloop wrote:

> Ok, so I've set up a test master-slave config, and the basic config
> looks good.
>
> So, I suppose this is essentially off-topic, but I'm wondering about
> hardening the communications between a master and a slave.
>
> In my case, I'm thinking of having slaves that communicate over an
> un-secure net [say the internet] back to the master.
>
> I know the shared secret [PSK] for the slave-master protect [kinda] so
> that an attacker can't stuff data into the SP master - but that
> doesn't address someone finding a hole in the CGI etc.
>
> Essentially, if I let the world hit the smokeping.cgi, but only
> prevent writes, that does nothing to prevent others from looking at my
> smokeping data [which I may not want to allow] or worse, attacking the
> smokeping.cgi in an attempt to crack the master machine. [And from
> what I can see, I can't easily use .htaccess files over https to
> limit access, because the slaves don't grok that.]
>

basic auth would be quite simple to add to slaves I guess ... otoh,
you could also teach the slaves to use client certificates

http://stackoverflow.com/questions/12697450/using-lwp-with-ssl-and-client-certificates

you could further limit access by IP address on the server

cheers
tobi

> This is obviously bad.
>
> I've considered building VPNs or SSH tunnels between the slave(s) and
> masters - but does anyone have any tried-and-true methods that are
> perhaps less cumbersome - that I haven't considered?

>
> -Greg

-- 
Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
http://it.oetiker.ch tobi at oetiker.ch ++41 62 775 9902 / sb: -9900
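
The two server-side measures suggested in the reply (client certificates and an IP allow-list), sketched as an added example that is not part of the original message or of the SmokePing distribution. It assumes the master runs Apache 2.4 with mod_ssl; the host name, URL path, file paths and addresses are placeholders.

```apache
# Added example: Apache 2.4 + mod_ssl on the master.
# Every name, path and address here is a placeholder, not a value from the thread.
<VirtualHost *:443>
    ServerName smokeping-master.example.org

    SSLEngine on
    SSLCertificateFile    /etc/ssl/master/server.crt
    SSLCertificateKeyFile /etc/ssl/master/server.key

    # Private CA used only to sign slave certificates, so a certificate
    # from any public CA is not accepted as proof of being a slave.
    SSLCACertificateFile  /etc/ssl/master/slave-ca.crt

    # Request a client certificate during the handshake. Enforcement is
    # done per location below, which avoids TLS renegotiation.
    SSLVerifyClient optional
    SSLVerifyDepth  1

    <Location "/smokeping/smokeping.cgi">
        <RequireAll>
            # The client presented a certificate that chains to slave-ca.crt ...
            Require ssl-verify-client
            # ... and connects from a known slave address (documentation ranges).
            Require ip 192.0.2.10 198.51.100.20
        </RequireAll>
    </Location>
</VirtualHost>
```

With this in place the CGI is unreachable for anyone without both a slave certificate and an allowed source address, so the slaves need to present a certificate as in the linked LWP approach, and human viewers need their own certificate and address entry or a separate, separately protected location.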


