
I just used Ansible to monitor my servers with Prometheus, Grafana and Node Exporter. I have one monitoring server (Prometheus) & one webserver (Node Exporter).

I followed a tutorial for the setup. The thing is that it does not provide any information about security. For the moment anyone is able to listen on the node_exporter port of my webserver.

I thought about iptables to protect my webserver from external calls on the node_exporter port. Then I will only give access to my Prometheus server.

Is this the way to do it?

U880D
Nico

1 Answer


There might be mainly three options:

  1. Local or external firewall, as already mentioned in your question
  2. Setting up an encryption proxy (sshified) on your Prometheus Server, which encrypts the outgoing session over SSH to the node_exporter nodes
  3. Setting up an encryption proxy (stunnel) on your Prometheus Nodes, which lets you make only an encrypted session, see Authentication and encryption for Prometheus and its exporters

Option 3 can be easily added to the solution of Running node_exporter with Ansible.

Option 2 is also quite simple and can be done via Ansible easily.

Option 1 can be done via Ansible modules available for (local) firewall configuration like firewalld.

There might be more solutions possible like ghostunnel, ...

U880D
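
Option 1 from the answer above, sketched as an Ansible play using the `ansible.posix.firewalld` module (an added example, not part of the original answer). The inventory group `webservers`, the Prometheus address `192.0.2.10`, the zone `public` and node_exporter's default port 9100 are assumptions, and firewalld is assumed to be installed and running on the webserver.

```yaml
# Added example: restrict node_exporter to a single scraper with firewalld.
# Assumed values (not from the original page): group "webservers",
# prometheus_ip 192.0.2.10 (documentation address, replace with your own),
# zone "public", node_exporter on its default port 9100/tcp.
- name: Allow only the Prometheus server to reach node_exporter
  hosts: webservers
  become: true
  vars:
    prometheus_ip: 192.0.2.10
    node_exporter_port: 9100
    fw_zone: public
  tasks:
    # If a tutorial opened the port for everyone, close that opening first;
    # otherwise the zone-wide rule would still admit any source address.
    - name: Remove any zone-wide opening of the exporter port
      ansible.posix.firewalld:
        zone: "{{ fw_zone }}"
        port: "{{ node_exporter_port }}/tcp"
        state: disabled
        permanent: true
        immediate: true

    # Rich rule: accept TCP to the exporter port only from the Prometheus host.
    # Every other source falls through to the zone's default handling.
    - name: Accept scrapes from the Prometheus server only
      ansible.posix.firewalld:
        zone: "{{ fw_zone }}"
        rich_rule: >-
          rule family="ipv4" source address="{{ prometheus_ip }}/32"
          port port="{{ node_exporter_port }}" protocol="tcp" accept
        state: enabled
        permanent: true
        immediate: true
```

After the run, check from a host other than the Prometheus server that a connection to the exporter port is refused, and from the Prometheus server that the target still shows as up. This only limits who can connect; the metrics still travel unencrypted, which is what options 2 and 3 address.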