[collectd] Safety for exposing a collectd network listening port to internet

Dave Cottlehuber dch at skunkwerks.at
Sat Jan 19 19:13:56 CET 2019


On Wed, 16 Jan 2019, at 16:35, elliot.li.tech at gmail.com wrote:
> On 1/15/19 1:59 PM, Ricardo J. Barberis wrote:
> > > On Tuesday 15/01/2019 at 17:30, elliot.li.tech at gmail.com wrote:
> >> Is it safe to expose a collectd network listening port to the internet?
> >> I will have other machines running collectd and sending data to this
> >> listener over the internet. I'll enable signature and encryption.
> >>
> >> I've searched the CVE database for collectd and only found two
> >> vulnerabilities (CVE-2016-6254, CVE-2017-7401) that seem remotely
> >> exploitable. For now I have the impression that the network parsing part
> >> of collectd seems safe.
> >>
> >> Any comments are welcome. Thank you!
> > 
> > The obvious, but I'd also filter via iptables/ip6tables which IPs can connect
> > to collectd's port, just to be on the safe side.
> 
> I could. But I'm accepting incoming connections from users that move 
> around, so I wouldn't be able to restrict the IPs too much.

I solve this by using zerotier.com (p2p vpn tech) which allows creating an
IPv6 address (or IPv4 if you want) that "belongs" to each endpoint - so it's
effectively static even though the endpoints are moving about.

I have been using this for a variety of things for a couple of years now (syslog,
riemann, collectd, rabbitmq and couchdb traffic) and it works very well in
general, although I can rely on systems being restarted during "roaming".

Perhaps you can find a similar sort of solution?

A+
Dave
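The three suggestions in this thread (enable signing/encryption, restrict who can reach the port, bind the listener to a VPN-assigned address) can all be expressed in the network plugin's configuration. The fragment below is an added example for this archive page, not configuration posted by anyone in the thread and not collectd's shipped default; the addresses, the `/etc/collectd/passwd` path and the `agent1` account are placeholders. The weak setting is shown commented out beside the hardened one.

```apacheconf
LoadPlugin network

<Plugin network>
  # --- Server side (the Internet-facing aggregator) ---
  #
  # Weak: listen on every address and accept anything, including
  # unsigned and unencrypted packets from arbitrary senders.
  #<Listen "0.0.0.0" "25826">
  #  SecurityLevel None
  #</Listen>
  #
  # Hardened: bind only to the address the overlay VPN assigned to this
  # host (placeholder value below) so the socket is never reachable from
  # the public interface, and require every packet to be encrypted with
  # a key from AuthFile. "Encrypt" rejects unsigned and sign-only packets.
  <Listen "fd00:1234:5678::1" "25826">
    SecurityLevel Encrypt
    AuthFile "/etc/collectd/passwd"
  </Listen>

  # --- Client side (each roaming agent) ---
  #
  # Send to the server's VPN address, encrypting with the agent's own
  # credentials. The username must appear in the server's AuthFile.
  <Server "fd00:1234:5678::1" "25826">
    SecurityLevel Encrypt
    Username "agent1"
    Password "replace-with-a-long-random-secret"
  </Server>

  # Do not re-export received values; the server is a sink, not a relay.
  Forward false
</Plugin>
```

`AuthFile` is a plain text file of `username: password` lines, readable only by the collectd user; each agent should get its own entry so a compromised agent can be revoked without re-keying the rest. Ricardo's iptables suggestion complements this: with the listener bound to the VPN address, a rule set that drops inbound UDP to port 25826 (the plugin's default) on the public interface, and permits it only on the VPN interface, means the collectd parser never sees unauthenticated Internet traffic at all. Whether the VPN is ZeroTier or something else, the point is that the firewall rule can then match a stable address rather than the agents' changing public IPs.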
