Hello,
I have read multiple official and unofficial Zabbix security descriptions, but I am still looking for the right way / best practice to secure the connection between Zabbix server and Zabbix active agent.
Zabbix server's port 10051/tcp is accessible on a public IP.
Zabbix active proxies and agents are NOT accessible on a public IP, they only connect to the server's port 10051/tcp.
Zabbix active proxies connect to the server securely using PSK and their source addresses are limited by Administration->Proxies->Proxy address.
So I believe that this connection is secure (I understand that Cert is considered more secure than PSK).
Zabbix active agents connect to the server using PSK.
But here is the main problem.
An attacker can set up an active Zabbix agent using a hostname like "192.168.1.100" with TLSConnect=unencrypted that is connecting to my Zabbix server.
As you know, new hosts in Zabbix do not have PSK/Cert enabled by default.
Now if a discovery rule (or maybe somebody from my team) creates a host with the hostname "192.168.1.100" without a PSK/Cert on my server, then it would be compromised.
I tested it: you don't even need to add an agent interface to the host, but if you add one, it doesn't matter either.
It looks like a big security risk, right?
Are there any options available in Zabbix to reduce this risk, for example deny all connections without PSK/Cert or limit active agents by their source address?
Otherwise I would limit the source addresses in the firewall.
Thank you.
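
An added example, not part of the original post: one way to find the hosts the post worries about is to audit the `tls_accept` bitmask that the Zabbix API returns for each host. The sample response, host names and IDs are constructed; the sketch assumes the documented values 1 = no encryption, 2 = PSK, 4 = certificate.

```python
import json

# Bit values of the host object's tls_accept field in the Zabbix API.
TLS_NONE, TLS_PSK, TLS_CERT = 1, 2, 4

# Constructed sample shaped like a host.get response requested with
# output=["host", "tls_accept"]; the API returns the numbers as strings.
SAMPLE_RESPONSE = json.loads("""
{"jsonrpc": "2.0", "id": 1, "result": [
  {"hostid": "10101", "host": "web01",         "tls_accept": "2"},
  {"hostid": "10102", "host": "192.168.1.100", "tls_accept": "1"},
  {"hostid": "10103", "host": "db01",          "tls_accept": "3"},
  {"hostid": "10104", "host": "mail01",        "tls_accept": "6"},
  {"hostid": "10105", "host": "legacy01"}
]}
""")


def accepted_modes(mask):
    """Translate a tls_accept bitmask into readable mode names."""
    names = []
    if mask & TLS_NONE:
        names.append("unencrypted")
    if mask & TLS_PSK:
        names.append("PSK")
    if mask & TLS_CERT:
        names.append("certificate")
    return names


def hosts_accepting_unencrypted(response):
    """Return (host, modes) for every host that still accepts plaintext."""
    findings = []
    for host in response.get("result", []):
        try:
            # A missing field is treated as the default (no encryption).
            mask = int(host.get("tls_accept", TLS_NONE))
        except (TypeError, ValueError):
            mask = TLS_NONE  # unparsable value: flag it for manual review
        if mask & TLS_NONE:
            findings.append((host["host"], accepted_modes(mask)))
    return findings


if __name__ == "__main__":
    for name, modes in hosts_accepting_unencrypted(SAMPLE_RESPONSE):
        print(f"{name}: accepts {', '.join(modes)}")
```

Hosts that accept both PSK and unencrypted connections (mask 3) are flagged as well, because the plaintext path stays open alongside the PSK one.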