Only your org can guide you properly. If you are violating one of the org's policies then they need to tell you what the policy is and how to comply.
But my guess would be: if you're running an open Prometheus on port 9090, with no authentication and no TLS encryption, then they don't like you running an open service on their network.

To fix this, you can configure Prometheus itself to do HTTP basic authentication, and also to do TLS encryption (to protect the authentication credentials): https://prometheus.io/docs/prometheus/latest/configuration/https/

With HTTP basic authentication you have a static username/password file. Anyone accessing the UI will need to know one of the username/password pairs from that file. However, you'll need to manually add and remove users when they join and leave the org.

If you want a wider range of authentication options, for example OpenID Connect, then you can sit Prometheus behind a reverse proxy of your choice, configured how you like. You then configure Prometheus to listen only on 127.0.0.1 so it cannot be directly contacted across the network.

The same applies to any exporters you use, like JMX Exporter. If they are accessed over the network from another host then you'll probably want to secure them, such that they can only be accessed by Prometheus itself. There are several ways to do this; TLS with client certificates is one. Again, you can use a reverse proxy if required, if the exporter itself doesn't support authenticated access. This one is very lightweight and specifically designed to drop in front of exporters: https://github.com/QubitProducts/exporter_exporter

It also includes some examples of how to configure TLS with client certificates: https://github.com/QubitProducts/exporter_exporter?tab=readme-ov-file#tls-configuration

But any normal reverse proxy you'd normally use is also fine (Apache, nginx, Traefik, Caddy, etc.).

On Thursday, 10 July 2025 at 15:57:20 UTC+1 Vhee Van wrote:
> Hi Team,
>
> I have installed Prometheus 3.2.1 with JMX Exporter on a few machines where my Java-based applications (Jira, Confluence) are running.
> After a few days, my org identified the endpoints of Prometheus as vulnerable to attacks, as they transfer sensitive information like CPU, memory and other machine statistics via the port (9090 in my case) I have assigned for the Prometheus service.
>
> Has anyone faced this before, and what was the remediation action you took, while still using Prometheus on the same port?
>
> Thanks!
> Vhee Van
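As an added example, not from the original reply or from the Prometheus or exporter_exporter projects, the two configuration pieces the reply describes in the shape Prometheus 3.x expects: a web config file that turns on TLS and basic auth for the Prometheus UI/API, the listen-address flag for the loopback-behind-a-proxy variant, and scrape jobs that reach Prometheus itself (which now needs credentials too) and a JMX exporter sitting behind a TLS client-certificate proxy. The file paths, the `monitoring` user, the host names and the exporter port are assumptions; the bcrypt value is a placeholder, to be generated with the htpasswd command shown in the Prometheus HTTPS docs.

```yaml
# ---- /etc/prometheus/web.yml, passed with --web.config.file ----
# Added example, not the project's own config. Paths, user name and
# host names are assumptions; replace them for your environment.
tls_server_config:
  cert_file: /etc/prometheus/tls/prometheus.crt   # must cover every name you scrape/browse it by
  key_file: /etc/prometheus/tls/prometheus.key
  min_version: TLS12
basic_auth_users:
  # Store the bcrypt hash, never the plaintext. The Prometheus docs show:
  #   htpasswd -nBC 10 "" | tr -d ':\n'
  # The value below is a placeholder, not a real hash.
  monitoring: "$2y$10$REPLACE_WITH_BCRYPT_HASH"

# Two deployment shapes for the listener:
#  (a) Prometheus does auth+TLS itself: keep the default 0.0.0.0:9090 and
#      start it with  prometheus --web.config.file=/etc/prometheus/web.yml
#  (b) a reverse proxy (nginx, Caddy, ...) does auth, e.g. OpenID Connect:
#      prometheus --web.config.file=/etc/prometheus/web.yml \
#                 --web.listen-address=127.0.0.1:9090
#      so nothing on the network can bypass the proxy and hit 9090 directly.

# ---- /etc/prometheus/prometheus.yml, scrape side ----
scrape_configs:
  # Once basic auth is on, the self-scrape must send credentials and use
  # https, otherwise the "prometheus" job shows DOWN with a 401.
  - job_name: prometheus
    scheme: https
    basic_auth:
      username: monitoring
      password_file: /etc/prometheus/self-scrape.password   # plaintext, mode 0600, prometheus user only
    tls_config:
      ca_file: /etc/prometheus/tls/ca.crt
      server_name: prometheus.example.internal   # name the server cert was issued for (assumed)
    static_configs:
      - targets: ['localhost:9090']

  # JMX exporter reached through exporter_exporter (or any TLS proxy) that
  # requires a client certificate: only a holder of prometheus-client.key
  # can read the metrics, so the exporter port is no longer an open service.
  - job_name: jira_jmx
    scheme: https
    tls_config:
      ca_file: /etc/prometheus/tls/ca.crt
      cert_file: /etc/prometheus/tls/prometheus-client.crt
      key_file: /etc/prometheus/tls/prometheus-client.key
    static_configs:
      - targets: ['jira-01.example.internal:9999']   # assumed exporter_exporter listen port
```

Two checks worth doing after rolling this out: from another host, `curl -sk https://<prometheus>:9090/metrics` should return 401 without credentials (or connection refused in the loopback variant), and the JMX exporter's own port should no longer answer plain HTTP from the network, only the proxy port with a client cert.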