On Wed, 16 Jan 2019, at 16:35, elliot.li.t...@gmail.com wrote:
> On 1/15/19 1:59 PM, Ricardo J. Barberis wrote:
> > El Martes 15/01/2019 a las 17:30, elliot.li.t...@gmail.com escribió:
> >> Is it safe to expose a collectd network listening port to the internet?
> >> I will have other machines running collectd and sending data to this
> >> listener over the internet. I'll enable signature and encryption.
> >>
> >> I've searched the CVE database for collectd and only found two
> >> vulnerabilities (CVE-2016-6254, CVE-2017-7401) that seem remotely
> >> exploitable. For now I have the impression that the network parsing part
> >> of collectd seems safe.
> >>
> >> Any comments are welcome. Thank you!
> > 
> > The obvious, but I'd also filter via iptables/ip6tables which IPs can 
> > connect
> > to collectd's port, just to be on the safe side.
> 
> I could. But I'm accepting incoming connections from users that move 
> around, so I wouldn't be able to restrict the IPs too much.

I solve this by using zerotier.com (p2p vpn tech) which allows creating an
IPv6 address (or IPv4 if you want) that "belongs" to each endpoint - so it's
effectively static even though the endpoints are moving about.

I am using this for a variety of things since a couple of years now (syslog,
riemann, collectd, rabbitmq and couchdb traffic) and it works very well in
general, although I can rely on systems being restarted during "roaming".

Perhaps you can find a similar sort of solution?

A+
Dave

_______________________________________________
collectd mailing list
collectd@verplant.org
https://mailman.verplant.org/listinfo/collectd

Reply via email to