Securing Netdata Agent



  • Is there any way to secure the Netdata Agent with a password, or a config file like NRPE to allow only certain IPs to access the data?

    Leaving a public IP with http://<IP>:19999 exposed is asking for attacks.

    Thanks



  • Hi @starburst!

    There is no out-of-the-box functionality to protect it with a password as far as I know.
    Check this doc - https://learn.netdata.cloud/docs/agent/netdata-security#protect-netdata-from-the-internet - to see what options you have to secure your installation.



  • I found the "allow connections from" feature after I posted this.
    But I will have to try and find out the IP the monitoring server is connecting to the agent from.

    One other thing I’m seeing is that you don’t have control over the monitoring server part like with Nagios, only limited configuration with the Agent part of your server.

    I only see Netdata Cloud & Agent. No Server version, unless I’m missing that also.



  • I’m not sure what you mean by Server.

    You have only the Agent - a piece of software that is running on the node. It collects metrics and it also displays dashboards when you go to <server_name>:19999
    You can change the behaviour of the web part of the agent by making changes to the agent configs.

    Netdata Cloud is not using HTTP access (over port 19999); it communicates with the Agent over websockets. So, if you only want to use Netdata Cloud, you can disable the web part on your agent and check all data from Netdata Cloud.

    If you have multiple Netdata nodes and don’t use Netdata Cloud - you can set up one parent node, disable web on all child nodes, and stream all metrics from child nodes to the parent node.
    Then secure that parent node with Nginx or Apache with basic auth, for example.


  • Staff

    @rybue is absolutely correct! You can leverage the secure connection that we have through Netdata cloud (plus all the other cool functionality) and have elevated security by disabling the web dashboard.

    You can read more about it here: https://community.netdata.cloud/topic/92/running-a-headless-netdata-agent-with-cloud-compatibility
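
The options discussed in this thread, as they would appear in the `[web]` section of `netdata.conf`. This is an added example, not part of any post above; the address `192.0.2.10` is a constructed placeholder for the monitoring host, and only one option should be active at a time.

```ini
# netdata.conf -- added example; all addresses are constructed placeholders.

# Exposed: the agent listens on every interface and accepts any client
# on port 19999. This is the situation described in the first post.
# [web]
#     bind to = *
#     allow connections from = localhost *

# Option A: keep the dashboard, but accept only the monitoring host.
# Patterns are space-separated; 192.0.2.10 stands in for the real source IP.
[web]
    bind to = *
    allow connections from = localhost 192.0.2.10
    allow dashboard from = localhost 192.0.2.10

# Option B: listen on loopback only and publish the dashboard through a
# local Nginx or Apache reverse proxy that enforces basic auth.
# [web]
#     bind to = 127.0.0.1
#     allow connections from = localhost

# Option C: headless agent. The web server is disabled; metrics are viewed
# through Netdata Cloud or streamed to a parent node.
# [web]
#     mode = none
```

Restart the agent after editing, then confirm from another host that port 19999 no longer answers unauthenticated requests.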

