Unrestricted access to Prometheus - Vulnerability Database

Description

Prometheus is an open-source monitoring system and time series database commonly used to collect and store metrics from applications and infrastructure.

The Prometheus web interface is accessible without any authentication mechanism, allowing unrestricted access to monitoring data, configuration details, and administrative functions.

Remediation

Implement authentication and access controls for the Prometheus interface using one of the following methods:

Option 1: Reverse Proxy Authentication (Recommended)
Deploy a reverse proxy (such as Nginx or Apache) in front of Prometheus to enforce authentication. When using a subpath, you must configure Prometheus with the appropriate flags to ensure proper operation.

Example Nginx configuration with basic authentication:

location /prometheus/ {
    # Require HTTP basic authentication for everything under /prometheus/
    auth_basic "Prometheus";
    auth_basic_user_file /etc/nginx/.htpasswd;
    # The trailing slash strips the /prometheus/ prefix before forwarding,
    # so Prometheus itself must serve at / (see --web.route-prefix below)
    proxy_pass http://localhost:9090/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
}

When using a subpath, start Prometheus with the required configuration flags:
prometheus --web.external-url=http://your-domain.com/prometheus/ \
           --web.route-prefix=/

Option 2: Network-Level Restrictions
Restrict access to Prometheus using firewall rules or network policies to allow connections only from trusted IP addresses or internal networks.

Option 3: VPN or SSH Tunneling
Require users to connect through a VPN or SSH tunnel to access the Prometheus interface, ensuring only authenticated users on the private network can reach the service.
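To confirm that whichever option you chose actually gates the data-bearing endpoints, the following check is an added example (not part of this page or of the Prometheus project); the base URL and the expectation that a protected deployment answers 401 or 403 are assumptions.

```python
"""Check whether a Prometheus web interface enforces authentication."""
import sys
import urllib.error
import urllib.request

# Endpoints that return monitoring data or configuration when reachable
# without credentials (these are standard Prometheus HTTP API paths).
CHECK_PATHS = (
    "/api/v1/status/config",   # full scrape configuration, including targets
    "/api/v1/status/flags",    # startup flags, e.g. whether the admin API is on
    "/api/v1/query?query=up",  # arbitrary PromQL over stored metrics
    "/graph",                  # the expression browser UI
)


def http_status(url: str):
    """Return the HTTP status code for an unauthenticated GET, or None if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return None


def assess(base_url: str, fetch=http_status) -> dict:
    """Probe each path below base_url and report which ones answer without auth.

    `fetch` is injectable so the logic can be exercised without a live server.
    A deployment counts as protected only if every probe is refused (401/403).
    """
    base = base_url.rstrip("/")
    statuses = {path: fetch(base + path) for path in CHECK_PATHS}
    exposed = [path for path, code in statuses.items() if code == 200]
    protected = all(code in (401, 403) for code in statuses.values())
    return {"statuses": statuses, "exposed": exposed, "protected": protected}


if __name__ == "__main__":
    # Assumed placeholder; pass the externally reachable URL of your instance.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://your-domain.com/prometheus/"
    report = assess(target)
    for path, code in report["statuses"].items():
        print(f"{code!s:>5}  {path}")
    print("protected" if report["protected"] else f"EXPOSED: {report['exposed']}")
```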
