Security concern one should take into account? #164
Comments
Nice you like netdata. Regarding your security concerns:

Should netdata be protected from the internet?

Of course. netdata is an internal tool you use to monitor the performance of your systems. It should be protected, the same way you protect all your admin apps. We assume netdata will be installed inside your DMZ, privately, for your eyes only. And that your DMZ is protected and controlled enough to allow netdata to focus on its core function. We have also designed the plugins of netdata (a few of which might be running with admin privileges - like

What will happen if you accidentally expose netdata to the internet?
Why haven't we already added user access controls on netdata?

Well, the last few months and until this Friday we had... well... 100 users! (probably I am exaggerating here). The last 3 days there have been 10.000 git clones! So, yes! Please protect your netdata. If you can protect it using firewalls (layer 3) and provide the user access control you need utilizing other web servers (check the wiki for info), use it. Otherwise, wait. We will add user access control soon.
Great summary, thank you. For now we will put this behind nginx and wait for a new update that will add access control.
I just pushed this change to help you when you proxy netdata through another web server: limit direct access to netdata

You would also need to instruct netdata to listen only to

To limit access to netdata only from localhost, set
What about making the loopback bind the default and letting the user override it if she wants/needs to?
Thank you for making those suggestions, I was able to get a couple of servers behind nginx with some basic authentication. What I am struggling with is limiting direct access to netdata. I have the below config as you posted, but I can access it through nginx and also directly through servername:19999. Am I doing something wrong here?

servername:
Have you updated your netdata? |
Oh, I guess that would help. QQ, how do you update netdata? Is that just a straight removal of all the netdata files/directories and a reinstall, or is there a doc for updating?
Just go to the directory you downloaded it to, run
Or just re-install it using the same installer parameters.
Just pulled the new changes and added the "bind socket to IP" and then restarted netdata, I can still access it directly... am I missing something?

```
servername:~/netdata.git# head /etc/netdata/netdata.conf
# NetData Configuration
# You can uncomment and change any of the options below.
# The value shown in the commented settings, is the default value.

# global netdata configuration
bind socket to IP = 127.0.0.1
[global]
```
Here is what I have done... added "bind socket" to the global config, stopped and started netdata... now when I go to "servername:19999" I get "site can't be reached", but I am also not able to see the data from the nginx server either...

```
servername:~# head -30 /etc/netdata/netdata.conf
# NetData Configuration
# You can uncomment and change any of the options below.
# The value shown in the commented settings, is the default value.

# global netdata configuration
[global]
```

servername:
Your netdata is listening on 127.0.0.1. Check it:

```
netstat -nat | grep 19999
```

Then check your nginx config. The backend server should be set to
Still the same thing... direct access gets "site not available"; accessing through nginx I get "502 Bad Gateway". Here are the details...

```
servername:/tmp/netdata# netstat -nat | grep 19999
```

Here is the backend on the nginx server... also here is my full nginx server config file:

```
ngixservername:~# cat /etc/nginx/nginx.conf
user nginx;
error_log /var/log/nginx/error.log warn;
events {
http {
upstream backend-servername {
}
```
Can you also post what nginx logs when you attempt to access netdata?
access.log

error.log

X.X.X.12 = NGINX server
Strange. From your nginx host, if you do:

do you get this:

(press control-] and then q to exit this)
```
ngixservername:/var/log/nginx# telnet 127.0.0.1 19999
```
Is netdata running on this host?

```
netstat -nat | grep 19999
```
No, it's not. Do we need to run netdata on the nginx server also?
I just installed it on the nginx server as well...

```
ngixservername:/tmp/netdata# netstat -nat | grep 19999
```

...here is the telnet afterwards...
Look, 127.0.0.1 is localhost, i.e. the machine of the nginx server. The nginx configuration you used allows you to proxy through it any number of netdata servers. But in this case, your netdata servers cannot be listening on localhost. Somehow, nginx has to talk to them. So, use 127.0.0.1 for netdata only when nginx and netdata are on the same host. Otherwise, you don't need this, but your firewall should restrict direct access from your PCs to your netdata servers.
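The exchange above turns on one check: what address the netdata socket is actually bound to. The following script is an added example, not code from the issue or from netdata; it classifies a port's exposure from the output of `netstat -nat` (the command used in the thread) or `ss -ltn`. The three sample outputs are constructed for the example, and it assumes the fourth column is `Local Address:Port` and that listening sockets carry the word `LISTEN` on their line, which holds for both tools.

```shell
#!/bin/sh
# Added example (not from the issue or from netdata): classify how a TCP port
# is exposed, given `netstat -nat` or `ss -ltn` output on stdin.
# Assumption: column 4 is "Local Address:Port" and LISTEN lines contain "LISTEN".

# Constructed sample: netdata bound to 127.0.0.1 (the "bind socket to IP" case).
SAMPLE_LOOPBACK='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:19999         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Constructed sample: netdata on all interfaces (reachable by any host).
SAMPLE_EXPOSED='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:19999           0.0.0.0:*               LISTEN
tcp6       0      0 :::19999                :::*                    LISTEN'

# Constructed sample: netdata bound to one LAN address, the case behind a remote nginx.
# This is still reachable from other hosts, so it needs a firewall rule as well.
SAMPLE_LAN='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:19999          0.0.0.0:*               LISTEN'

# netdata_exposure PORT   (netstat/ss output on stdin)
# Prints exactly one of: not-listening | loopback-only | exposed
# "exposed" means some LISTEN socket on PORT is bound to a wildcard (0.0.0.0, ::, *)
# or to a non-loopback address, i.e. other machines can connect to it directly.
netdata_exposure() {
    awk -v port="$1" '
        /LISTEN/ {
            n = split($4, f, ":")
            if (f[n] != port) next
            # Everything before the last ":" is the address; this keeps ::1 and :: intact.
            addr = substr($4, 1, length($4) - length(f[n]) - 1)
            gsub(/\[|\]/, "", addr)          # ss prints IPv6 addresses as [::1]
            if (addr == "127.0.0.1" || addr == "::1") lo = 1
            else exposed = 1
        }
        END {
            if (exposed) print "exposed"
            else if (lo) print "loopback-only"
            else print "not-listening"
        }'
}

# Stand-alone run: classify the constructed samples, then the live host if LIVE=1.
for s in "$SAMPLE_LOOPBACK" "$SAMPLE_EXPOSED" "$SAMPLE_LAN"; do
    printf '%s\n' "$s" | netdata_exposure 19999
done
if [ "${LIVE:-0}" = "1" ]; then
    { ss -ltn 2>/dev/null || netstat -nat; } | netdata_exposure 19999
fi
```

Run it with `LIVE=1` on a netdata host to check the real socket table. `loopback-only` is what the thread's `bind socket to IP = 127.0.0.1` produces and is only usable when nginx runs on the same machine; `exposed` is the state every netdata behind a remote nginx is in, which is why the firewall step later in the thread is needed.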
Oh, thanks for the explanation... that did the trick, now I am able to run multiple netdata servers behind one nginx box.... time to roll this out into our image... Thanks for your help!!!!
I think I might have something misconfigured. When I go to http://ngnixserver/netdata/servername/ I still get data for ngnixserver and not for servername.... obviously when I do http://ngnixserver/netdata/ngnixserver/ I get to nginxserver, but when I go to servername I get redirected to nginxserver....
You need to define both
Yeah, I have both backend servers in the /etc/nginx/nginx.conf file:

```
upstream backend-nginxhostname1 {
upstream backend-hostname1 {
upstream backend-hostname2 {
```
All backend servers point to 127.0.0.1:19999, i.e. the same netdata, which is running on the same host with nginx. |
That is right. What I am trying to do is: for all the backend servers (hostname1, hostname2 ...) I have disabled direct access (by using "bind socket to IP = 127.0.0.1") so that if someone tries to go to http://hostname1:19999 they get a "site not available" message, but when someone goes to http://nginxhostname1/netdata/hostname1 I can access it from the nginx host. What should this be pointing to?? I tried putting the IP address of hostname1 for the backend server, but I get a "502 Bad Gateway" message when I try to go to nginxhostname1/netdata/hostname1

```
upstream backend-hostname1 {
```
Any pointers on this, as to how to block direct access and only enable access through nginx??
If you listen on 127.0.0.1 you can only communicate with that machine, so only an nginx on the same server will be able to talk to the netdata on that server.

To do what you want you must listen on something other than 127.0.0.1 for netdata, which means by default any machine can access it. This is necessary because there is nothing special about nginx when it is coming from another host; either everything and everyone gets remote access or no-one and nothing.

So what can you do beyond this? You can set up firewall rules on the netdata servers so only incoming requests from the nginx server are permitted on the netdata port. Doing so is probably beyond the scope of netdata help though, since it depends on what software you use to configure your firewalls normally.
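The comment above leaves the firewall rules to the reader. The script below is an added example, not part of the issue or of netdata, showing what those rules look like with iptables on a netdata host: loopback stays open, the nginx host is allowed, and everyone else is dropped on the netdata port. The proxy address 10.0.0.12 and the port 19999 are placeholders set for the example; nothing is applied unless `APPLY=1` is given, otherwise the commands are only printed.

```shell
#!/bin/sh
# Added example (not from the issue or from netdata): allow only the nginx proxy host
# to reach the netdata port on a netdata server, using iptables.
# Assumptions: proxy host 10.0.0.12 and port 19999 are placeholders; the host uses
# iptables. Without APPLY=1 the rules are printed instead of installed.

NGINX_HOST="${NGINX_HOST:-10.0.0.12}"
NETDATA_PORT="${NETDATA_PORT:-19999}"

# run: execute iptables, or echo the full command when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# restrict_netdata_port PROXY_IP PORT
# Appends three INPUT rules. Order matters: iptables stops at the first match,
# so the two ACCEPT rules must come before the catch-all DROP.
restrict_netdata_port() {
    proxy="$1"; port="$2"
    # 1. Loopback stays open, so a local nginx (or curl on the box itself) still works.
    run -A INPUT -i lo -p tcp --dport "$port" -j ACCEPT
    # 2. The proxy host may connect; this also covers the later packets of its connections.
    run -A INPUT -p tcp -s "$proxy" --dport "$port" -j ACCEPT
    # 3. Everybody else is dropped. Browsers then show "site can't be reached",
    #    the same symptom the thread gets from a loopback-only bind, but nginx still works.
    run -A INPUT -p tcp --dport "$port" -j DROP
}

# Stand-alone run: apply only when explicitly asked, otherwise preview.
if [ "${APPLY:-0}" = "1" ]; then
    restrict_netdata_port "$NGINX_HOST" "$NETDATA_PORT"
else
    DRY_RUN=1
    restrict_netdata_port "$NGINX_HOST" "$NETDATA_PORT"
fi
```

Run `NGINX_HOST=<proxy ip> sh restrict.sh` first to review the three commands, then add `APPLY=1` as root to install them. Rules added this way live only until reboot; persisting them is distribution specific (iptables-save, netfilter-persistent, firewalld, ufw), which is the part the comment above says is outside netdata's scope. If several nginx hosts proxy the same netdata, repeat rule 2 once per proxy address, still ahead of the DROP.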
Okay, thank you for the information. We will look into this from an iptables standpoint or just wait until the next release or so when you guys have some kind of authentication set up...
Cleaning up. If something remains, please open it again.
Just for completeness, PR #775 (apart from health monitoring - alarms) adds 2 important features related to security:
Since I wrote this comment, a lot more has changed: netdata is a lot faster, a lot more stable, with a lot more features (check the registry, the python plugins thanks to @paulfantom, the badges, to name a few), but we still don't have authentication for the API. The reason is simple: I am not sure if this is the way to go. As netdata matures, I see a lot of benefits to having a more complex access control. Netdata provides a lot of information that can be useful to humans with different roles, but also to third party apps. Having a simple username / password to access everything, I am afraid, will not suffice. I am still researching alternatives...
If someone really needs authentication he could just use a reverse proxy and basic authentication (in the case of nginx - not sure about apache).
Btw, the wiki page https://github.com/firehol/netdata/wiki/netdata-security replaces the information contained in this issue.
This issue has been mentioned on the Netdata Community Forums. There might be relevant details there: https://community.netdata.cloud/t/go-d-snmp-collector-either-not-collecting-or-not-publishing/4026/1 |
Hello,
FYI, this is more of a question than an issue/bug report.

I have to say, netdata is one of the most awesome system monitoring tools I have ever seen. It definitely beats a lot of enterprise grade monitoring and visualization tools. I have been playing around with it for a couple of days here, but wanted to ask what are some of the security concerns around this tool?? I see there are already a couple of issues opened with regards to authentication (which we can run behind nginx as a workaround), but besides authentication, if a bad guy is able to get to that data, what type of damage can they do??

I understand netdata is very lightweight and should be able to serve 300+ web client requests per second per core without any delays, but can't this part also be exploited as well? I am just trying to see what one needs to do from a security standpoint if we were to mass deploy this tool in our environment.