On Wed, 16 Jan 2019, at 16:35, [email protected] wrote:
> On 1/15/19 1:59 PM, Ricardo J. Barberis wrote:
> > On Tuesday 15/01/2019 at 17:30, [email protected] wrote:
> >> Is it safe to expose a collectd network listening port to the internet?
> >> I will have other machines running collectd and sending data to this
> >> listener over the internet. I'll enable signature and encryption.
> >>
> >> I've searched the CVE database for collectd and only found two
> >> vulnerabilities (CVE-2016-6254, CVE-2017-7401) that seem remotely
> >> exploitable. For now I have the impression that the network parsing part
> >> of collectd seems safe.
> >>
> >> Any comments are welcome. Thank you!
> >
> > The obvious, but I'd also filter via iptables/ip6tables which IPs can
> > connect to collectd's port, just to be on the safe side.
>
> I could. But I'm accepting incoming connections from users that move
> around, so I wouldn't be able to restrict the IPs too much.
I solve this by using zerotier.com (p2p VPN tech), which allows creating an IPv6 address (or IPv4 if you want) that "belongs" to each endpoint, so it's effectively static even though the endpoints are moving about.

I have been using this for a variety of things for a couple of years now (syslog, riemann, collectd, rabbitmq and couchdb traffic) and it works very well in general, although I can rely on systems being restarted during "roaming". Perhaps you can find a similar sort of solution?

A+
Dave

_______________________________________________
collectd mailing list
[email protected]
https://mailman.verplant.org/listinfo/collectd
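A concrete collectd network-plugin configuration for the setup discussed in this thread, added here as an illustration; it is not taken from the original posts or from the collectd project. It shows the weak listener beside a hardened one that is bound to a VPN-assigned address (ZeroTier in Dave's case) and requires signed and encrypted packets, plus the matching client block for each roaming machine. The address 2001:db8::1, the interface name zt0, the username, the password and the AuthFile path are placeholders.

```apacheconf
# --- Weak: an unauthenticated, unencrypted UDP listener on every interface.
# Anyone who can reach port 25826 can inject arbitrary metrics, and the
# packets cross the internet in clear text.
<Plugin network>
  <Listen "0.0.0.0" "25826">
    SecurityLevel None
  </Listen>
</Plugin>

# --- Hardened server side.
# Bind only to the address and interface the VPN assigns to this host, so
# the port is not reachable from the public internet at all, and require
# every packet to be encrypted (which implies authenticated) as well.
# "Sign" would additionally accept packets that are signed but not
# encrypted; "None" accepts everything.
# 2001:db8::1 and zt0 are placeholders for your own VPN address and interface.
<Plugin network>
  <Listen "2001:db8::1" "25826">
    SecurityLevel Encrypt
    Interface "zt0"
    AuthFile "/etc/collectd/passwd"
  </Listen>
  MaxPacketSize 1452
  Forward false
  ReportStats false
</Plugin>

# --- Matching client side, on each roaming machine.
# The username/password pair must appear in the server's AuthFile, one
# "username: password" entry per line.
<Plugin network>
  <Server "2001:db8::1" "25826">
    SecurityLevel Encrypt
    Username "roaming-host-01"
    Password "replace-with-a-long-random-secret"
    Interface "zt0"
  </Server>
</Plugin>
```

Both ends must be built with libgcrypt support for Sign and Encrypt to be available, and the AuthFile (and the client config holding the password) should be readable only by the user collectd runs as. Binding the listener to the VPN address also resolves the iptables problem raised in the quoted exchange: the clients' public IPs can change freely, while a firewall rule that accepts UDP 25826 only on the zt0 interface and drops it on every other interface stays static.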
