Hi,
I have been using collectd on "the internets" for ages, but as was said in
the previous message, I have a firewall and I limit access to hosts/networks
that send me data.

Enabling signatures and encryption can actually open new possible
vulnerabilities due to the libraries used.

Is there a special reason why not to use a VPN and open the collectd socket to
the internets? If you want to be more secure, it might be a good idea to
use a simple VPN with a limited code base, like WireGuard.

Best regards
Josef

On 15. 01. 19 at 22:59, Ricardo J. Barberis wrote:
> On Tuesday 15/01/2019 at 17:30, elliot.li.t...@gmail.com wrote:
>> Hi!
>>
>> Is it safe to expose a collectd network listening port to the internet?
>> I will have other machines running collectd and sending data to this
>> listener over the internet. I'll enable signature and encryption.
>>
>> I've searched the CVE database for collectd and only found two
>> vulnerabilities (CVE-2016-6254, CVE-2017-7401) that seem remotely
>> exploitable. For now I have the impression that the network parsing part
>> of collectd seems safe.
>>
>> Any comments are welcome. Thank you!
> 
> The obvious, but I'd also filter via iptables/ip6tables which IPs can connect 
> to collectd's port, just to be on the safe side.
> 
> Cheers,
> 

_______________________________________________
collectd mailing list
collectd@verplant.org
https://mailman.verplant.org/listinfo/collectd
