libp2p/hydra-booster

Security: metrics publicly exposed by default

dokterbob opened this issue · 2 comments

By default, the Prometheus metrics and pprof HTTP server are listening on 0.0.0.0, which is likely to cause information leaks and/or might expose attack vectors.

As this daemon is to be run on public addresses by default, and uses randomly picked ports for the heads, this default of publicly exposing non-essential services seems a bad design from a security point of view.

In addition, it is inconsistent with the other listeners which default to 127.0.0.1 (as they should).
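The loopback default the issue asks for, written as an added Go example that is not hydra-booster's own code: a check that flags a listen address binding every interface, and a constructor that refuses to mount pprof/metrics on such an address unless the operator opts in. The `allowPublic` flag, the `DefaultMetricsAddr` constant and the placeholder `/metrics` handler are assumptions for illustration; 8888 is simply the port the issue mentions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/pprof"
)

// DefaultMetricsAddr is the loopback default this example assumes;
// 8888 is only the port named in the issue, not a recommendation.
const DefaultMetricsAddr = "127.0.0.1:8888"

// IsLoopbackListenAddr reports whether addr binds only a loopback interface.
// An empty host (":8888"), "0.0.0.0" and "::" bind every interface and are
// reported as not loopback.
func IsLoopbackListenAddr(addr string) (bool, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false, err
	}
	if host == "" {
		return false, nil // ":port" means all interfaces
	}
	if host == "localhost" {
		return true, nil
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false, fmt.Errorf("metrics address %q: host is not an IP literal", addr)
	}
	return ip.IsLoopback(), nil
}

// NewMetricsServer builds the pprof/metrics HTTP server. Exposure beyond
// loopback must be requested explicitly via allowPublic (hypothetical flag).
func NewMetricsServer(addr string, allowPublic bool) (*http.Server, error) {
	if addr == "" {
		addr = DefaultMetricsAddr
	}
	loop, err := IsLoopbackListenAddr(addr)
	if err != nil {
		return nil, err
	}
	if !loop && !allowPublic {
		return nil, fmt.Errorf("refusing to expose pprof/metrics on %s without allowPublic", addr)
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/metrics", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "# constructed placeholder; a real build mounts the Prometheus handler here")
	})
	return &http.Server{Addr: addr, Handler: mux}, nil
}
```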

🙏 would you be up for submitting a PR to fix?

While I'm at it, I'll also change the port to something less common than 8888, to prevent conflicts.