2022 Zabbix中国峰会
2022 Zabbix中国峰会

安全设置 Zabbix 的最佳实践

概述

本章节包含为了以安全的方式设置 Zabbix 应遵守的最佳实践。

Zabbix 的功能不依赖于此处的实践。但建议使用它们以提高系统的安全性。

Access control

Principle of least privilege

The principle of least privilege should be used at all times for Zabbix. This principle means that user accounts (in Zabbix frontend) or process user (for Zabbix server/proxy or agent) have only those privileges that are essential to perform intended functions. In other words, user accounts at all times should run with as few privileges as possible.

Giving extra permissions to 'zabbix' user will allow it to access configuration files and execute operations that can compromise the overall security of the infrastructure.

When implementing the least privilege principle for user accounts, Zabbix frontend user types should be taken into account. It is important to understand that while a "Admin" user type has less privileges than "Super Admin" user type, it has administrative permissions that allow managing configuration and execute custom scripts.

Some information is available even for non-privileged users. For example, while AdministrationScripts is not available for non-Super Admins, scripts themselves are available for retrieval by using Zabbix API. Limiting script permissions and not adding sensitive information (like access credentials, etc) should be used to avoid exposure of sensitive information available in global scripts.

为 Zabbix 前端设置 SSL

在 RHEL/Centos 操作系统上,安装 mod_ssl 包:

yum install mod_ssl

为 SSL keys 创建目录:

mkdir -p /etc/httpd/ssl/private
       chmod 700 /etc/httpd/ssl/private

创建 SSL 证书:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/private/apache-selfsigned.key -out /etc/httpd/ssl/apache-selfsigned.crt

下面提示内容适当填写。 最重要的一行是请求 Common Name 的行。 您需要输入要与服务器关联的域名。 如果您没有域名,则可以输入公共IP地址。 下面将使用 example.com

Country Name (两个字母) [XX]:
       State or Province Name (全名) []:
       Locality Name (eg, city) [默认的城市]:
       Organization Name (eg, company) [默认的公司名]:
       Organizational Unit Name (eg, section) []:
       Common Name (eg, your name or your server's hostname) []:example.com
       Email Address []:

编辑 Apache SSL 配置:

/etc/httpd/conf.d/ssl.conf
       
       DocumentRoot "/usr/share/zabbix"
       ServerName example.com:443
       SSLCertificateFile /etc/httpd/ssl/apache-selfsigned.crt
       SSLCertificateKeyFile /etc/httpd/ssl/private/apache-selfsigned.key

重启 Apache 服务使以上修改的配置生效:

systemctl restart httpd.service

在 URL 的根目录上启用 Zabbix

将虚拟主机添加到 Apache 配置,并将文档根目录的永久重定向设置为 Zabbix SSL URL。 不要忘记将 example.com 替换为服务器的实际名称。

/etc/httpd/conf/httpd.conf
       
       #Add lines
       
       <VirtualHost *:*>
           ServerName example.com
           Redirect permanent / http://example.com
       </VirtualHost>

重启 Apache 服务使以上修改的配置生效:

systemctl restart httpd.service

Zabbix Security Advisories and CVE database

See Zabbix Security Advisories and CVE database.

禁用曝光的 Web 服务器信息

建议在 Web 服务器强化过程中禁用所有 Web 服务器签名。 默认情况下,Web 服务器正在公开软件签名:

可以通过向 Apache(用作示例)配置文件添加两行来禁用签名:

ServerSignature Off
       ServerTokens Prod

可以通过更改 php.ini 配置文件来禁用 PHP 签名(X-Powered-By HTTP header)(默认情况下禁用签名):

expose_php = Off

若要应用配置文件更改,需要重新启动 Web 服务器。

通过在 Apache中 使用 mod_security( libapache2-mod-security2)可以实现额外的安全级别。 mod_security 允许删除服务器签名,而不是仅仅从服务器签名中删除版本。 通过在安装 mod_security 之后将“SecServerSignature”更改为任何所需的值,可以将签名更改为任何值。

请参阅 Web 服务器的文档以获取有关如何删除/更改软件签名的帮助。

Web server hardening

Disabling default web server error pages

It is recommended to disable default error pages to avoid information exposure. Web server is using built-in error pages by default:

Default error pages should be replaced/removed as part of the web server hardening process. The "ErrorDocument" directive can be used to define a custom error page/text for Apache web server (used as an example).

Please refer to documentation of your web server to find help on how to replace/remove default error pages.

Enabling HTTP Strict Transport Security (HSTS) on the web server

HSTS is enforced by Zabbix frontend in versions 4.0.0 - 4.0.2.

Starting with 4.0.3 to protect Zabbix frontend against protocol downgrade attacks, we recommend to enable HSTS policy on the web server.

For example, to enable HSTS policy for your Zabbix frontend in Apache configuration:

/etc/httpd/conf/httpd.conf

add the following directive to your virtual host's configuration:

<VirtualHost *:443>
          Header set Strict-Transport-Security "max-age=31536000"
       </VirtualHost>

Restart the Apache service to apply the changes:

systemctl restart httpd.service

Disabling web server information exposure

It is recommended to disable all web server signatures as part of the web server hardening process. The web server is exposing software signature by default:

The signature can be disabled by adding two lines to the Apache (used as an example) configuration file:

ServerSignature Off
       ServerTokens Prod

PHP signature (X-Powered-By HTTP header) can be disabled by changing the php.ini configuration file (signature is disabled by default):

expose_php = Off

Web server restart is required for configuration file changes to be applied.

Additional security level can be achieved by using the mod_security (package libapache2-mod-security2) with Apache. mod_security allows to remove server signature instead of only removing version from server signature. Signature can be altered to any value by changing "SecServerSignature" to any desired value after installing mod_security.

Please refer to documentation of your web server to find help on how to remove/change software signatures.

Disabling default web server error pages

It is recommended to disable default error pages to avoid information exposure. Web server is using built-in error pages by default:

Default error pages should be replaced/removed as part of the web server hardening process. The "ErrorDocument" directive can be used to define a custom error page/text for Apache web server (used as an example).

Please refer to documentation of your web server to find help on how to replace/remove default error pages.

Removing web server test page

It is recommended to remove the web server test page to avoid information exposure. By default, web server webroot contains a test page called index.html (Apache2 on Ubuntu is used as an example):

The test page should be removed or should be made unavailable as part of the web server hardening process.

Set X-Frame-Options HTTP response header

By default, Zabbix is configured with X-Frame-Options HTTP response header set to SAMEORIGIN, meaning that content can only be loaded in a frame that has the same origin as the page itself.

Zabbix frontend elements that pull content from external URLs (namely, the URL dashboard widget) display retrieved content in a sandbox with all sandboxing restrictions enabled.

These settings enhance the security of the Zabbix frontend and provide protection against XSS and clickjacking attacks. Super Admins can modify iframe sandboxing and X-Frame-Options HTTP response header parameters as needed. Please carefully weigh the risks and benefits before changing default settings. Turning sandboxing or X-Frame-Options off completely is not recommended.

Hiding the file with list of common passwords

To increase the complexity of password brute force attacks, it is suggested to limit access to the file ui/data/top_passwords.txt by modifying web server configuration. This file contains a list of the most common and context-specific passwords, and is used to prevent users from setting such passwords if Avoid easy-to-guess passwords parameter is enabled in the password policy.

For example, on NGINX file access can be limited by using the location directive:

location = /data/top_passwords.txt {​​​​​​​
           deny all;
           return 404;
       }​​​​​​​

On Apache - by using .htacess file:

<Files "top_passwords.txt">  
         Order Allow,Deny
         Deny from all
       </Files>

Displaying URL content in the sandbox

Since version 4.0.22, some Zabbix frontend elements (for example, the URL widget) are preconfigured to sandbox content retrieved from the URL. It is recommended to keep all sandboxing restrictions enabled to ensure protection against XSS attacks.

Zabbix Windows agent with OpenSSL

Zabbix Windows agent compiled with OpenSSL will try to reach the SSL configuration file in c:\openssl-64bit. The "openssl-64bit" directory on disk C: can be created by non-privileged users.

So for security hardening, it is required to create this directory manually and revoke write access from non-admin users.

Please note that the directory names will be different on 32-bit and 64-bit versions of Windows.

Cryptography