Suggestion - Encryption of traffic between server and clients


    I can imagine this was asked a couple of times, but a search for "encrypt" within the forum did not provide any results, so I am adding a posting.

    As of V1.1A7, the traffic between client and server is not encrypted and as such might be a potential security risk (Ethereal shows a lot of plain text).

    This _might_ be OK in a LAN but won't work over the public internet. Of course one can use a VPN or SSH tunnel or anything else. This would add complexity to the entire setup (i.e. how to monitor the SSH or VPN tunnel etc.).

    Therefore I suggest adding a simple and basic symmetric encryption, for example Blowfish, which is fairly secure and easy to implement.

    Some thoughts on this:
    - When using a common shared symmetric encryption, the keys have to be put on any client. This means in turn that anyone with access to one client could decrypt any traffic from any other clients.

    - To work around this, the encryption key could be specific to the host and placed in the SQL database, defined via the web interface in the host setup. In this case the question is when to decrypt the data. Would the server_process query the SQL database or maintain a hashtable? If the server has to query the SQL database anyway upon a client request (which it seems to do), then this should not be a performance issue though.

    P.S. Of course one could also use asymmetric encryption (like RSA, DH or upper-level protocols like SSL/TLS), but this adds some more complexity to the implementation.

    Thoughts?
    Specialised in monitoring large environments and Zabbix API programming.

    Since version 1.1alpha9 is out, I thought it was an idea to bring this up again.

    Are there any plans for the V1.1 Release to add encryption?
    Specialised in monitoring large environments and Zabbix API programming.


      Thanks for the reminder! Already in TODO!
      Alexei Vladishev
      Creator of Zabbix, Product manager
      New York | Tokyo | Riga


        Are there already any plans for the V1.4 release to add encryption of agent-server traffic?




          Is communication between server and agent encrypted?


            Not yet. The best workaround for now is to use stun or something similar.
            RHCE, author of zbxapi


              Is there a reason it hasn't made it into the core yet? Even a basic encryption that relied on a key in the agent config file (and in the host config on the server) would make it a lot more secure.


                This is something that is holding me back from a Zabbix implementation right now... we have a secure area of our network that is audited twice a year, and one of the areas we were "dinged" on during the last audit was a lack of using SNMPv3 (with encryption).

                I can only imagine that the lack of Zabbix agents using some basic kind of auth/encryption will stop us from being able to use Zabbix for this enclave we have.


                  Love It

                  We could REALLY use both encryption of the agent traffic and authentication of agents (pref using SSL keys).



                    Originally posted by gpmidi:
                    We could REALLY use both encryption of the agent traffic and authentication of agents (pref using SSL keys).
                    It would be nice to have SSL integrated in Zabbix agent.
                    In the meantime, there is a workaround in Zabbix 1.8 with 'SSH agent'.

                    I have set up a simple test that gets an item through SSH agent:
                    Type: SSH Agent
                    Authentication method: Password
                    User name: root
                    Password : ********
                    Executed script: 
                    zabbix_agentd -t '' | sed -e 's/.*|//' -e 's/\]$//'
                    I have used the 'Password' authentication method for testing. For production use, I would change it to 'Public key'.

                    It will work only on Unix/Linux hosts and is a bit complicated but, as I said, it is just a workaround.

                    Hope this helps


                      It would also be great for the Zabbix agents to be able to connect to the Zabbix server through an HTTP proxy (Squid for example) when in active mode, where we would have something like

                      in the configuration of zabbix agent.


