[pkg-go] Bug#962476: prometheus-node-exporter: Please only listen on localhost in default setup
Witold Baryluk
witold.baryluk at gmail.com
Mon Jun 8 15:41:27 BST 2020
Package: prometheus-node-exporter
Version: 0.18.1+ds-2
Severity: normal
I think it would be reasonable to make prometheus-node-exporter only
listen on the loopback interface by default, for security reasons.
Something like this in /etc/default/prometheus-node-exporter:
ARGS='--web.listen-address="[::1]:9100"'
Yes, the main use of prometheus-node-exporter is to access it from
another machine, but there are also situations where this package
could be installed and not used, and just sit there, possibly unupdated,
for a long time.
Also, sometimes people install it on routers with multiple interfaces
and start using it as is, because it does work, but that leaves it
accessible from the other interfaces too, which is not desirable.
Changing the default in Debian to only listen on loopback will force
people (and me) to actually specify manually what they want before using
it blindly.
I understand this can make setup more tedious for some (install package +
edit file + restart the daemon), but I think it is worth it for a
bit of extra conscious security.
Thanks!
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.6.0-1-amd64 (SMP w/32 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages prometheus-node-exporter depends on:
ii libc6 2.30-8
ii systemd-sysv 245.5-3
Versions of packages prometheus-node-exporter recommends:
ii dbus 1.12.18-1
ii prometheus-node-exporter-collectors 0+git20200110.fc91c86-1
prometheus-node-exporter suggests no packages.
-- no debconf information
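As an added example (not code from the bug report or from the Debian package), the following POSIX shell script checks whether a given /etc/default/prometheus-node-exporter restricts node_exporter to loopback, can rewrite the ARGS line to the setting proposed above, and scans `ss -ltn` output for a listener on the exporter port that is still bound to every interface. Assumed: the defaults file carries a single ARGS= line as shown in the report, node_exporter binds ":9100" on all interfaces when --web.listen-address is absent (the upstream default), and the ss(8) lines in the test are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Debian package.
# Assumptions: the defaults file has an 'ARGS=...' line as shown in the
# report; node_exporter honours --web.listen-address and, when the flag is
# absent, binds ":9100" on every interface (upstream default); the ss(8)
# output parsed by exposed_listeners is whatever the caller pipes in.

# Print the --web.listen-address value found in an ARGS string, or nothing
# if the flag is absent. Accepts '=' or space as separator and optional quotes.
listen_address() {
    printf '%s\n' "$1" |
        sed -n 's/.*--web\.listen-address[= ]"\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# Succeed (exit 0) only when the configured address is a loopback address.
# An absent flag, ":9100", "0.0.0.0:9100" or "[::]:9100" all mean "every
# interface" and therefore fail the check.
listen_is_loopback() {
    addr=$(listen_address "$1")
    case "$addr" in
        127.*:*|localhost:*|"[::1]:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ARGS value from a defaults file with its outer quotes stripped.
args_from_file() {
    sed -n 's/^ARGS=//p' "$1" | tail -n 1 |
        sed -e "s/^'\(.*\)'\$/\1/" -e 's/^"\(.*\)"$/\1/'
}

# Rewrite (or add) the ARGS line of a defaults file so the exporter listens on
# IPv6 loopback only, as proposed in the report; a .bak copy is kept.
# Use 127.0.0.1:9100 instead on hosts where IPv6 loopback is disabled.
set_loopback_only() {
    cp -p "$1" "$1.bak"
    if grep -q '^ARGS=' "$1"; then
        sed -i "s|^ARGS=.*|ARGS='--web.listen-address=\"[::1]:9100\"'|" "$1"
    else
        printf "ARGS='--web.listen-address=\"[::1]:9100\"'\n" >> "$1"
    fi
}

# Read `ss -ltn` output on stdin and print every listener on the given port
# that is not bound to a loopback address (e.g. "*:9100" or "[::]:9100").
# Prints nothing when the port is loopback-only or not listening at all.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            laddr = $4
            n = split(laddr, f, ":")
            if (f[n] != port) next
            host = laddr
            sub(/:[0-9]+$/, "", host)
            if (host !~ /^127\./ && host != "[::1]" && host != "localhost")
                print laddr
        }'
}

# Stand-alone use: ./check.sh --check [/etc/default/prometheus-node-exporter]
if [ "${1:-}" = "--check" ]; then
    f=${2:-/etc/default/prometheus-node-exporter}
    if listen_is_loopback "$(args_from_file "$f")"; then
        echo "$f: listen address is loopback-only"
    else
        echo "$f: NOT loopback-only (an absent flag means :9100 on all interfaces)"
    fi
    ss -ltn | exposed_listeners 9100
fi
```

After changing the file, restart the service (`systemctl restart prometheus-node-exporter`) and confirm the binding with `ss -ltnp | grep 9100`; the configuration check alone does not prove what the running daemon actually bound. Two caveats: binding `[::1]` fails on hosts booted with IPv6 disabled, so use `127.0.0.1:9100` there, and once the exporter is loopback-only the Prometheus server needs a deliberate path to it (an SSH tunnel, a reverse proxy, or an explicit bind on the intended interface), which is exactly the explicit decision the report wants administrators to make.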