Package: prometheus-node-exporter
Version: 0.18.1+ds-2
Severity: normal

I think it would be reasonable to make prometheus-node-exporter only listen on the loopback interface by default for security reasons.

Something like this in /etc/default/prometheus-node-exporter:

ARGS='--web.listen-address="[::1]:9100"'

Yes, the main use of prometheus-node-exporter is to access it from another machine, but there are also situations where this package could be installed, not used, and just sit there possibly unupdated for a long time. Also, sometimes people install it on routers with multiple interfaces and start using it as is, because it does work, but that leaves it also accessible from the other interfaces, which is not desirable. Changing the default in Debian to only listen on loopback will force people (and me) to actually specify manually what they want before using it blindly.

I understand this can make some setups more tedious (install package + edit file + restart the daemon) for some, but I think it is worth it for a bit of extra conscious security.

Thanks!

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-1-amd64 (SMP w/32 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages prometheus-node-exporter depends on:
ii  libc6         2.30-8
ii  systemd-sysv  245.5-3

Versions of packages prometheus-node-exporter recommends:
ii  dbus                                 1.12.18-1
ii  prometheus-node-exporter-collectors  0+git20200110.fc91c86-1

prometheus-node-exporter suggests no packages.

-- no debconf information
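The script below is an added illustration, not part of the bug report and not code from the Debian package: it reads the body of an /etc/default/prometheus-node-exporter file, extracts the --web.listen-address value, and reports whether the exporter would bind only to loopback or to every interface. The two sample file bodies are constructed for the example; the upstream default of ":9100" (all interfaces) when the flag is absent is the behaviour the report is proposing to change.

```shell
#!/bin/sh
# Added example: classify the listen address configured in a
# /etc/default/prometheus-node-exporter file body (not the package's own code).

# Print the --web.listen-address value found in the file body given as $1,
# with surrounding quotes stripped. Comment lines are ignored. When the flag
# is absent, print ":9100", which is node_exporter's upstream default
# (port 9100 on every interface).
listen_address_of() {
    addr=$(printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | sed -n 's/.*--web\.listen-address[= ]*\([^ ]*\).*/\1/p' \
        | tr -d "\"'" \
        | head -n 1)
    if [ -z "$addr" ]; then
        addr=":9100"
    fi
    printf '%s\n' "$addr"
}

# Return 0 when the host part of a host:port address is a loopback address
# (IPv4 127.x.x.x, IPv6 ::1, or the name localhost), 1 otherwise.
# An empty host (e.g. ":9100") means "all interfaces" and is not loopback.
is_loopback_address() {
    host=${1%:*}          # drop the trailing :port
    host=${host#\[}       # strip IPv6 brackets, if any
    host=${host%\]}
    case "$host" in
        127.*|::1|localhost) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Human-readable verdict for a whole defaults-file body.
classify_listen_config() {
    addr=$(listen_address_of "$1")
    if is_loopback_address "$addr"; then
        printf 'loopback-only (%s)\n' "$addr"
    else
        printf 'exposed on all interfaces (%s)\n' "$addr"
    fi
}

# Constructed sample file bodies (not copied from a real system):
# the empty ARGS a fresh install ships with, and the loopback-only
# setting proposed in the bug report.
DEFAULT_CONF='# Set the command-line arguments to pass to the server.
ARGS=""'
PROPOSED_CONF="ARGS='--web.listen-address=\"[::1]:9100\"'"

printf 'default config:  '; classify_listen_config "$DEFAULT_CONF"
printf 'proposed config: '; classify_listen_config "$PROPOSED_CONF"
```

After editing the file and restarting the service, the effective bind address can be confirmed with `ss -ltn` and checking which local address the :9100 listener reports.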

