CheckMK 2.1 - Site agent receiver listens on all interfaces/IPs

Hey there,

I have upgraded one of my CheckMK installations to CheckMK 2.1. I heard about the significant changes to the agent communication introduced with CheckMK 2.1 from the YouTube channel.

After updating my site to 2.1, CheckMK exposes port 8000 to ALL interfaces/IPs on my machine:

As this machine is exposed to the public internet directly, my system-wide Apache makes CheckMK available only on a dedicated internal IP interface via a Virtual-Host definition.

So I went with omd config to check if I’m able to change the listening address for the Agent Receiver service as well, but unfortunately no success:

You can only change the port, but not the listening address.

Is there any way to change the listening address, as I don’t want to expose the agent receiver service to the public internet? I did not find any information on this.

For now, I have disabled the agent receiver in omd config.

Thank you

Best Regards
Markus

Currently limiting the agent receiver to certain IPs is only possible by editing its startup script. You might use iptables to limit access until this is configurable. Remember that you need the agent receiver in pull mode (push mode is not yet available) to register agents for the new TLS mode. But this can also be done on the CMK server in “proxy mode”. In this case you can limit access to localhost.

Hi,

I would just add a specific firewall rule to block the traffic for port 8000 on your public IP. I would think/hope you already have a firewall configured on your server if it’s facing the Internet directly.

BR
Flo
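
The firewall workaround suggested in the two replies above, as an added example that is not part of the original thread or of CheckMK itself: it flags wildcard binds on the agent receiver port from `ss -tlnH` output and prints (without applying) a matching drop rule for the public address. The function names, the sample `ss` lines and the addresses 203.0.113.10 and 2001:db8::10 are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit the agent receiver port (8000 in the thread) and
# generate a drop rule for the public address. Nothing here changes the firewall.

# Constructed sample of `ss -tlnH` output (not taken from the poster's machine).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 511 192.0.2.10:443 0.0.0.0:*
LISTEN 0 128 [::]:8000 [::]:*
LISTEN 0 128 127.0.0.1:6557 0.0.0.0:*'

# Read `ss -tlnH` lines on stdin; print each wildcard address bound to port $1.
wildcard_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")          # port is the last ":"-separated field
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
                print addr
        }'
}

# Succeed only when port $1 has no wildcard listener in the lines on stdin.
port_is_confined() {
    [ -z "$(wildcard_listeners "$1")" ]
}

# Print the rule that drops TCP traffic to port $1 addressed to public IP $2.
# IPv6 addresses need ip6tables; iptables alone leaves a [::] listener reachable.
block_rule() {
    case "$2" in
        *:*) cmd=ip6tables ;;
        *)   cmd=iptables ;;
    esac
    echo "$cmd -I INPUT -d $2 -p tcp --dport $1 -j DROP"
}

# Demo on the constructed sample; on a real host use: ss -tlnH | wildcard_listeners 8000
if ! printf '%s\n' "$SAMPLE_SS" | port_is_confined 8000; then
    echo "port 8000 listens on all interfaces; candidate rules:"
    block_rule 8000 203.0.113.10
    block_rule 8000 2001:db8::10
fi
```

After applying a rule as root, confirm from an outside host that port 8000 no longer answers on the public address, since the listener itself stays bound to all interfaces.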
