Zabbix open to the internet now with encryption

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • parrr
    Junior Member
    • Jul 2016
    • 2

    #1

    So I am setting up a distributed monitoring configuration in which the monitoring server will be open to the internet (with proper firewall rules, of course). I have the web interface set up with Apache on port 443 and the server trapper port on 10051. A proxy resides at each site and connects to the server setup using PSK encryption (using version 3.0 of Zabbix, later possibly using certificates).

    I know the communication is encrypted, but I was wondering if there was any issue in leaving port 10051 wide open to the whole of the internet? Is there any way to disable any unencrypted communications on the server side and ONLY accept encrypted?

    Thanks!
  • guzzijason
    Senior Member
    • Dec 2015
    • 106

    #2
    Yes - if you are using a passive proxy, take a look at the TLSAccept config option in zabbix_proxy.conf. That option will let you specify one or more types of encryption that are permitted. Unless I'm mistaken, it only works for the server connecting to passive proxies. I'm not sure if there is a similar option on the server side for active proxies.

    Furthermore, you might also want to consider setting up something like iptables or firewalld rules to block connections to the port from unauthorized remote hosts.

    __Jason


    • andris
      Zabbix developer
      • Feb 2012
      • 228

      #3
      Hi!
      Originally posted by guzzijason
      Yes - if you are using a passive proxy, take a look at the TLSAccept config option in zabbix_proxy.conf. That option will let you specify one or more types of encryption that are permitted. Unless I'm mistaken, it only works for the server connecting to passive proxies. I'm not sure if there is a similar option on the server side for active proxies.
      Correct about the TLSAccept config option. As for a "similar option on the server side for active proxies" - if you have an active proxy, in the frontend you can go to Administration->Proxies->(select your proxy)->Encryption and set "Connections from proxy" to accept only PSK in your case. The server will receive data from the active proxy and check whether this type of encryption is allowed for that proxy and whether this specific PSK is configured for that proxy. If all checks match, then the request from the proxy is accepted by the server; otherwise the request is discarded and a warning is logged.

      Andris


      • Linwood
        Senior Member
        • Dec 2013
        • 398

        #4
        Also, having source IP address restrictions on port 10051 will make it show closed or filtered from port scans from other IPs, which will hide the fact you are running Zabbix. That's better than (just) refusing a connection based on key exchange, which shows the port open. Obfuscation is not security, but it's not a bad idea as well. For example, if one day a vulnerability is found in Zabbix, you're not in someone's list as running it from that IP.


        • parrr
          Junior Member
          • Jul 2016
          • 2

          #5
          Thanks!

          Originally posted by Linwood
          Also, having source IP address restrictions on port 10051 will make it show closed or filtered from port scans from other IPs, which will hide the fact you are running Zabbix. That's better than (just) refusing a connection based on key exchange, which shows the port open. Obfuscation is not security, but it's not a bad idea as well. For example, if one day a vulnerability is found in Zabbix, you're not in someone's list as running it from that IP.
          This in combination with the suggestions above sounds like the ideal way to configure this. I think that part of the deployment process for an active proxy would be to add the correct firewall rules. All deployments are manually verified by the person on site and myself, so I think I would be happy with the security.

          Thanks!
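
Added example, not part of the thread and not Zabbix project code: a small audit of a zabbix_proxy.conf that flags settings still permitting unencrypted proxy/server traffic, covering the TLSAccept option discussed above plus its active-proxy counterpart. ProxyMode, TLSConnect, TLSPSKIdentity and TLSPSKFile are standard proxy parameters not named in the thread; the sample config, its address and its identity are constructed.

```python
import re

# Constructed sample: a passive proxy config that still permits plaintext.
SAMPLE_CONF = """\
# zabbix_proxy.conf (constructed example, not from the thread)
ProxyMode=1
Server=192.0.2.10
TLSAccept=unencrypted,psk
TLSPSKIdentity=site-a-proxy
"""

def parse_conf(text):
    """Return {Parameter: value}; '#' comment lines and blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9_.]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def audit_proxy_tls(text):
    """List findings for settings that allow unencrypted proxy/server traffic."""
    p = parse_conf(text)
    findings = []
    passive = p.get("ProxyMode", "0") == "1"   # 0 = active (default), 1 = passive
    if passive:
        # Passive proxy: the server connects in, so TLSAccept decides what is allowed.
        accept = [v.strip() for v in p.get("TLSAccept", "unencrypted").split(",")]
        if "unencrypted" in accept:
            findings.append("TLSAccept permits unencrypted connections")
        used = set(accept)
    else:
        # Active proxy: the proxy connects out, so TLSConnect decides how.
        connect = p.get("TLSConnect", "unencrypted")
        if connect == "unencrypted":
            findings.append("TLSConnect is unencrypted")
        used = {connect}
    if "psk" in used:
        for key in ("TLSPSKIdentity", "TLSPSKFile"):
            if not p.get(key):
                findings.append(key + " is not set but PSK is selected")
    return findings

if __name__ == "__main__":
    for finding in audit_proxy_tls(SAMPLE_CONF):
        print("FINDING:", finding)
```

This only checks the proxy's own config file; for active proxies the server-side "Connections from proxy" setting described in post #3 lives in the frontend and has to be verified there.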
