I’m about to monitor some off-premise machines, each with its own agent installed. My first thought was to have the icinga connection from the master to the agents encapsulated inside SSH or a VPN, but is this necessary? Since icinga’s connections are TLS-encrypted and (as far as I understood) communication can’t be initiated without a valid certificate, would it be secure to open port 5665 on the agent’s machine to the public internet without an additional layer of encryption and to rely on icinga’s encryption/authentication by itself?
I think it is possible but not recommended; here are my thoughts:
The one thing to consider is the icinga api access via username/password on the icinga master node.
Icinga2 machines talk to each other over api, an icinga-master node has api accounts, api accounts can have weak passwords.
I have seen Icinga machines with passwords copied from the online tutorials.
If someone can access your icinga master node and make changes over the api, he can do/control/change/access everything the icinga service user is allowed to do on the client machines. The API allows you to add commands / services, change execution time, so if someone has access to your master node you are done (e.g. reverse shell, rm -rf /).
Applications are built by humans and humans make mistakes, and that is ok.
But history showed us that bugs can happen and can stay undetected for a long time.
Heartbleed, CVE-2020-10188 on telnet.
Put that Icinga Satellite in a VPN Tunnel / SSH Tunnel, and allow only port 5665 TCP passing to Icinga master through the tunnel. It saves you a lot of nightmares and panic attacks.
Or the other way:
Your communication happens over an untrusted network (internet).
You can make communication between the icinga2 satellite and the icinga master node more secure. Think of reasons why you shouldn’t make it more secure. There are not that many…
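To make the "only port 5665 TCP through the tunnel" advice above concrete, here is an added example (not code from the thread or from the Icinga project): a POSIX shell script that builds an nftables ruleset for the agent host which accepts 5665/tcp only when it arrives over the WireGuard interface from the master, plus an audit function that reads a ruleset and fails if any rule would accept 5665 anywhere else or if the input chain is not default-drop. The interface name wg0, the master's tunnel address 10.66.0.1 and the WireGuard UDP port 51820 are assumptions for the example.

```shell
#!/bin/sh
# Added example: expose the Icinga agent port only over the VPN tunnel.
# Assumed (adjust to your setup): tunnel interface "wg0", master tunnel
# address 10.66.0.1, WireGuard listening on udp/51820.

WG_IFACE="${WG_IFACE:-wg0}"
MASTER_TUNNEL_IP="${MASTER_TUNNEL_IP:-10.66.0.1}"

# Print an nftables ruleset for the agent: drop inbound by default, keep
# SSH and the WireGuard port reachable, and accept 5665/tcp only when it
# comes over the tunnel interface from the master's tunnel address.
build_icinga_ruleset() {
  cat <<EOF
table inet icinga_agent {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif "lo" accept
    tcp dport 22 accept
    udp dport 51820 accept
    iifname "$WG_IFACE" ip saddr $MASTER_TUNNEL_IP tcp dport 5665 accept
  }
}
EOF
}

# Audit a ruleset read from stdin. Returns 1 (and names the offending line)
# if any accept rule for 5665/tcp is not bound to the tunnel interface, or
# if the input chain does not have "policy drop".
# Usage: nft list ruleset | audit_icinga_ruleset
audit_icinga_ruleset() {
  rc=0
  saw_drop=0
  while IFS= read -r line; do
    case "$line" in
      *"hook input"*)
        case "$line" in
          *"policy drop"*) saw_drop=1 ;;
        esac ;;
    esac
    case "$line" in
      *"dport 5665"*accept*)
        case "$line" in
          *"iifname \"$WG_IFACE\""*) ;;   # bound to the tunnel: fine
          *) echo "exposed: $line"; rc=1 ;;
        esac ;;
    esac
  done
  if [ "$saw_drop" -eq 0 ]; then
    echo "input chain is not default-drop"
    rc=1
  fi
  return $rc
}

# Stand-alone run: emit the ruleset and audit it.
if [ "${1:-}" = "--print" ]; then
  build_icinga_ruleset
elif [ "${1:-}" = "--audit" ]; then
  audit_icinga_ruleset
fi
```

Apply the generated rules with `./script.sh --print | nft -f -` on the agent, then verify the live state with `nft list ruleset | ./script.sh --audit`; the audit is a cheap check to re-run after any firewall change so that 5665 never quietly becomes reachable from the public interface again.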
Thanks! Although I “only” considered opening up the ports of the agents, this is sound advice and I ended up wrapping the connection in a WireGuard VPN – which I can heartily recommend for this purpose since it appears to be much easier to set up/operate than the SSH or VPNs I’ve been using before.