Only your org can guide you properly. If you are violating one of the org's 
policies then they need to tell you what the policy is and how to comply.

But my guess would be: if you're running an open Prometheus on port 9090, 
with no authentication, and no TLS encryption, then they don't like you 
running an open service on their network.

To fix this, you can configure Prometheus itself to do HTTP basic 
authentication, and also to do TLS encryption (to protect the 
authentication credentials):
https://prometheus.io/docs/prometheus/latest/configuration/https/
With HTTP Basic authentication you have a static username/password file. 
Anyone accessing the UI will need to know one of a username/password from 
that file. However, you'll need to manually add and remove users when they 
join and leave the org.

If you want a wider range of authentication options, for example OpenID 
Connect, then you can sit Prometheus behind a reverse proxy of your choice, 
configured how you like. You then configure Prometheus to listen only on 
127.0.0.1 so it cannot be directly contacted across the network.

The same applies to any exporters you use, like JMX Exporter. If they are 
accessed over the network from another host then you'll probably want to 
secure them, such that they can only be accessed by Prometheus itself. 
There are several ways to do this; TLS with client certificates is one. 
Again, you can use a reverse proxy if required, if the exporter itself 
doesn't support authenticated access.

This one is very lightweight and specifically designed to drop in front of 
exporters:
https://github.com/QubitProducts/exporter_exporter
It also includes some examples of how to configure TLS with client 
certificates:
https://github.com/QubitProducts/exporter_exporter?tab=readme-ov-file#tls-configuration
But any reverse proxy you'd normally use is also fine (Apache, 
nginx, Traefik, Caddy, etc.).

On Thursday, 10 July 2025 at 15:57:20 UTC+1 Vhee Van wrote:

> Hi Team,
>
> I have installed Prometheus 3.2.1 with JMX Exporter on a few machines 
> where my Java-based applications (Jira, Confluence) are running. After a few 
> days, my org identified the endpoints of Prometheus as vulnerable to 
> attacks, as they transfer sensitive information like CPU, memory and other 
> machine statistics via the port (9090 in my case) I have assigned for 
> the Prometheus service.
>
> Has anyone faced this before, and what remediation action did you 
> take while still using Prometheus on the same port? 
>
> Thanks!
> Vhee Van
>

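The two halves of the advice above (lock down the Prometheus UI itself, and make Prometheus present credentials when it scrapes exporters) end up in two files. This is an added example, not configuration from the reply author or from the Prometheus project: the file paths, the certificate locations, the user name `alice`, the hostnames `jira.example.com`/`confluence.example.com`, the proxy port 9999 in front of JMX Exporter and the bcrypt placeholder are all assumptions. Prometheus is started with `--web.config.file=/etc/prometheus/web-config.yml`; the `htpasswd` command in the comment is the one the linked Prometheus documentation uses to produce the hash.

```yaml
# /etc/prometheus/web-config.yml  (added example; pass with --web.config.file)
# Paths, user names and the hash value below are placeholders.
tls_server_config:
  cert_file: /etc/prometheus/certs/prometheus.crt
  key_file: /etc/prometheus/certs/prometheus.key
  # Refuse anything older than TLS 1.2.
  min_version: TLS12
basic_auth_users:
  # bcrypt hash, generated with:  htpasswd -nBC 10 "" | tr -d ':\n'
  # Never put the plaintext password here.
  alice: "$2y$10$REPLACE_WITH_BCRYPT_HASH"
---
# /etc/prometheus/prometheus.yml  (scrape side, added example)
scrape_configs:
  # Prometheus scraping itself. Once the UI requires HTTPS and a password,
  # the self-scrape must use them too, otherwise this job shows as DOWN.
  - job_name: prometheus
    scheme: https
    tls_config:
      ca_file: /etc/prometheus/certs/ca.crt
      # Name in the server certificate; the target below is an IP.
      server_name: prometheus.example.com
    basic_auth:
      username: alice
      # Plaintext password in its own file, owned by prometheus, mode 0600.
      password_file: /etc/prometheus/scrape-password
    static_configs:
      - targets: ['127.0.0.1:9090']

  # JMX Exporter on the Jira/Confluence hosts is reached across the network,
  # so it sits behind a TLS-terminating proxy that demands a client certificate.
  # Only a holder of this cert/key pair can read the metrics (assumed port 9999).
  - job_name: jmx
    scheme: https
    tls_config:
      ca_file: /etc/prometheus/certs/ca.crt
      cert_file: /etc/prometheus/certs/prometheus-client.crt
      key_file: /etc/prometheus/certs/prometheus-client.key
    static_configs:
      - targets: ['jira.example.com:9999', 'confluence.example.com:9999']
```

Validate both files before restarting (`promtool check web-config /etc/prometheus/web-config.yml` and `promtool check config /etc/prometheus/prometheus.yml`), then confirm from another host that `curl -k https://<prometheus-host>:9090/metrics` without credentials returns 401 and that plain `http://` on 9090 no longer answers. If you take the reverse-proxy route instead, drop `web-config.yml`, start Prometheus with `--web.listen-address=127.0.0.1:9090`, and switch the self-scrape job back to `scheme: http` without `basic_auth`, since the proxy is then the only thing on the network-facing port.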
-- 
You received this message because you are subscribed to the Google Groups 
"Prometheus Users" group.
To view this discussion visit 
https://groups.google.com/d/msgid/prometheus-users/6fd95f77-e400-4761-800e-8b6c68ef7935n%40googlegroups.com.
