[collectd] Safety for exposing a collectd network listening port to internet

Josef Liska jl at chl.cz
Wed Jan 16 12:01:03 CET 2019


Hi,
I have been using collectd on "the internets" for ages, but as was said in
the previous message, I have a firewall and I limit access to hosts/networks
that send me data.

Enabling signatures and encryption can actually open new possible
vulnerabilities due to the libraries used.

Is there a special reason why not to use a VPN and open the collectd socket to
the internets? If you want to be more secure, it might be a good idea to
use a simple VPN with a limited code base like wireguard.

Best regards
Josef

On 15. 01. 19 at 22:59, Ricardo J. Barberis wrote:
> On Tuesday 15/01/2019 at 17:30, elliot.li.tech at gmail.com wrote:
>> Hi!
>>
>> Is it safe to expose a collectd network listening port to the internet?
>> I will have other machines running collectd and sending data to this
>> listener over the internet. I'll enable signature and encryption.
>>
>> I've searched the CVE database for collectd and only found two
>> vulnerabilities (CVE-2016-6254, CVE-2017-7401) that seem remotely
>> exploitable. For now I have the impression that the network parsing part
>> of collectd seems safe.
>>
>> Any comments are welcome. Thank you!
> 
> The obvious, but I'd also filter via iptables/ip6tables which IPs can connect 
> to collectd's port, just to be on the safe side.
> 
> Cheers,
> 
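
Added example, not part of the thread: a sketch of the source-address filtering both replies describe, printing iptables/ip6tables rules for review instead of applying them. It assumes collectd's default network-plugin port 25826/udp; the chain name COLLECTD-IN and the sender addresses (documentation ranges) are constructed for illustration.

```shell
#!/bin/sh
# Print (do not apply) allowlist rules for collectd's network listener.
# Assumptions: default port 25826/udp, hypothetical chain name COLLECTD-IN.

COLLECTD_PORT="${COLLECTD_PORT:-25826}"
CHAIN="COLLECTD-IN"

# Pick the tool by address family: anything containing ':' is IPv6.
tool_for() {
    case "$1" in
        *:*) echo ip6tables ;;
        *)   echo iptables ;;
    esac
}

# Character allowlist only (hex digits, ':', '.', '/'): enough to keep a bad
# entry from injecting extra arguments; iptables validates the address itself.
valid_source() {
    case "$1" in
        ''|*[!0-9A-Fa-f:./]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit the rules for every sender address or CIDR given as an argument.
collectd_allowlist_rules() {
    for t in iptables ip6tables; do
        echo "$t -N $CHAIN"
        echo "$t -A INPUT -p udp --dport $COLLECTD_PORT -j $CHAIN"
    done
    for src in "$@"; do
        if ! valid_source "$src"; then
            echo "skipping invalid source: $src" >&2
            continue
        fi
        echo "$(tool_for "$src") -A $CHAIN -s $src -j ACCEPT"
    done
    # Everything that reached the chain without matching a sender is dropped.
    for t in iptables ip6tables; do
        echo "$t -A $CHAIN -j DROP"
    done
}

# Constructed sample senders; review the output before running it as root.
collectd_allowlist_rules 192.0.2.10 198.51.100.0/24 2001:db8::25
```

The IPv6 chain ends in DROP even when no IPv6 sender is listed, so the port is not left open on the address family that was not configured.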


