Security: Move agent-to-server communication (agent registration and updates) to separate port
At the moment, all agents that utilize Automatic Agent Updates need access to the regular IP address and port of their Checkmk instance in order to register for and download newly baked agents, as well as access to the REST API (new in 2.1, for establishing TLS).
This is the same IP address and port that is used for Checkmk administration, so any usage of the Automatic Agent Update feature currently forces you to expose the entire Checkmk web interface to any agent (and, in most networks, all other devices in the same subnets). Agent registration can instead be done via proxy-register and does not force you to open the port, but for agent updates there is no workaround at the moment.
It should be possible to define a different port for agent-to-server communication in order to clearly differentiate the use cases and allow for a fine-grained firewall policy.
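One way to approximate the requested split on an existing site, as an added example that is not part of this request or of Checkmk itself: a reverse proxy in front of the site with two listeners, the administration port restricted to an administrator subnet and a second port that forwards only the agent-facing path and refuses everything else. The site name, backend address, certificate paths, subnets and the agent path are placeholders (assumptions); the real URL prefix the updater fetches from must be taken from the Checkmk documentation.

```nginx
# Added example (not from the request or from Checkmk): put the web interface
# and the agent-facing endpoint on two listeners of one reverse proxy.
# Placeholders: SITE (Checkmk site name), AGENT_PATH (URL prefix fetched by
# the agent updater), 10.0.0.0/24 (admin subnet), 10.1.0.0/16 (monitored hosts).
upstream checkmk_site {
    server 127.0.0.1:5000;   # assumed: the site's own web server, bound to localhost only
}

# Listener 1: full web interface and REST API, reachable by administrators only.
server {
    listen 443 ssl;
    server_name monitoring.example.com;              # placeholder
    ssl_certificate     /etc/nginx/tls/monitoring.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/monitoring.key;

    allow 10.0.0.0/24;   # administrator workstations
    deny  all;           # everything else, monitored hosts included, gets 403

    location / {
        proxy_pass http://checkmk_site;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Listener 2: agent-facing port. Only the agent update path is forwarded;
# the GUI and the REST API are not reachable through this listener at all.
server {
    listen 8443 ssl;
    server_name monitoring.example.com;
    ssl_certificate     /etc/nginx/tls/monitoring.crt;
    ssl_certificate_key /etc/nginx/tls/monitoring.key;

    allow 10.1.0.0/16;   # monitored hosts
    deny  all;

    location /SITE/check_mk/AGENT_PATH {
        proxy_pass http://checkmk_site;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }

    location / {
        return 403;      # any other URL on the agent port is refused
    }
}
```

With this in place a firewall rule can open 8443 to the monitored subnets and keep 443 limited to administrators; the agent updater's configured server address (assumed to be set through the bakery rule) has to point at the 8443 listener for the split to take effect.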
Comments: 3
- 16 Nov, '22, Rick Baranowski [Merged]: Add option to change port for Checkmk and Bakery to a custom port away from 80 or 443. We currently do this by editing the config files.
- 23 Jun, '23, joernc: I strongly second this request. Yes, there are multiple layers of security to protect the administration interface of Checkmk. But usually one layer of protection would be network security by restricting the access to the GUI to hosts of eligible administrators (i.e. firewall rules). But now I have to allow network access to practically every server in my inventory. To forgo automatic agent updates is not a viable solution. Please move the agent update functionality to a different port from the GUI/API.
- 18 Oct, '23, Martin Hirschvogel [Admin]: "Checkmk custom port" (suggested by Rick Baranowski on 2022-11-16), including upvotes (4) and comments (0), was merged into this suggestion.