
NetData EXPOSES web dashboard PUBLICLY and ANONYMOUSLY by default, unsecured!

Open dsimunic opened this issue 10 months ago • 4 comments

Bug description

This morning I received a notification of new service open on a production machine that no human accessed in months:

Image

In other words, NetData exposed a web service to the public Internet without anyone configuring it! Not only that, but accessing the said port on the production alias exposes the whole dashboard anonymously! WHAT IS GOING ON?!

The dashboard exposes every detail of the machine, its services, internal name, EVERYTHING!

Our config is completely default, no changes whatsoever:

cat /etc/netdata/netdata.conf
# netdata configuration
#
# You can get the latest version of this file, using:
#
#  netdatacli dumpconfig > /etc/netdata/netdata.conf
#
# You can also download it using:
#
#  wget -O /etc/netdata/netdata.conf http://localhost:19999/netdata.conf
# or
#  curl -o /etc/netdata/netdata.conf http://localhost:19999/netdata.conf

The same applies to netdatacli dumpconfig; it's completely untouched.

Expected behavior

NetData should NOT expose the whole dashboard to the public internet on any machine, and certainly not allow "Skip and see the dashboard anonymously" feature.

Who in their right mind thought it was a good idea to default to fully open?

Steps to reproduce

  1. Install NetData
  2. See all your internal details harvested
  3. Despair

Screenshots

No response

Error Logs

No response

Desktop

OS: [e.g. iOS] Browser [e.g. chrome, safari] Browser Version [e.g. 22]

Additional context

NetData often bombards us with notifications about server load being over 90% and going down hundreds of times per day, never learning to see that the behavior is normal.

But send an email saying "Your dashboard is anonymously exposed to the public internet"? Never! Why bother with that?

dsimunic avatar Feb 18 '25 08:02 dsimunic

@dsimunic : This has been the Netdata default behaviour forever. When you access the local dashboards, we do prompt a warning about your dashboard being open to the public network - if you do not have a protected network.

What we do have of course is a way to change the default configurations and secure your Netdata install: https://learn.netdata.cloud/docs/netdata-agent/configuration/securing-agents/

We have also added a new configuration parameter under the [web] section of netdata.conf for you to disable unauthenticated access to your dashboards: bearer token protection = yes. You also have a way of completely disabling the local dashboard as explained in the documentation link above.

Hope this helps.

sashwathn avatar Mar 26 '25 18:03 sashwathn
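The hardening the comment above points at, as an added audit check (not Netdata's own code): parse the [web] section of netdata.conf and flag the anonymous-exposure default. `bearer token protection = yes` comes from this thread; the `bind to` key (assumed default `*`, all interfaces) and `mode = none` (assumed to disable the web server) are taken from my reading of Netdata's [web] documentation and are not on this page.

```python
"""Audit a netdata.conf [web] section for anonymous dashboard exposure.
Added example, not Netdata's code. `bearer token protection` is from the
thread; `bind to` (assumed default `*`) and `mode = none` are assumptions."""
from typing import Dict, List

# Listener addresses that are only reachable from the host itself.
LOCAL_PREFIXES = ("127.", "localhost", "::1", "[::1]", "unix:")


def parse_netdata_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like format: [section] headers, 'key = value' lines and
    '#' comments. A commented-out key counts as unset, i.e. Netdata default."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def audit_web_section(text: str) -> List[str]:
    """Return findings for [web]; an empty list means no anonymous,
    off-host dashboard access is configured."""
    web = parse_netdata_conf(text).get("web", {})
    if web.get("mode") == "none":
        return []  # web server disabled entirely (assumed semantics)
    findings: List[str] = []
    listeners = web.get("bind to", "*").split()  # assumed default: every interface
    exposed = [l for l in listeners if not l.startswith(LOCAL_PREFIXES)]
    if exposed:
        findings.append(f"non-loopback listener(s): {' '.join(exposed)}")
        if web.get("bearer token protection", "no").lower() != "yes":
            findings.append("bearer token protection is not 'yes': dashboard reachable anonymously")
    return findings


# Constructed sample: the comment-only default file shown in the issue.
DEFAULT_CONF = "# netdata configuration\n#\n#  netdatacli dumpconfig > /etc/netdata/netdata.conf\n"

# Constructed sample: hardened per the thread's advice.
HARDENED_CONF = "[web]\n    bind to = 127.0.0.1:19999 unix:/run/netdata/netdata.sock\n    bearer token protection = yes\n"

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_web_section(conf) or ["ok"])
```

Run it against a real file with `audit_web_section(open("/etc/netdata/netdata.conf").read())`; a non-empty list is the condition the issue reporter wishes they had been alerted about.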

Thanks for taking the time to comment.

Indeed, one can apply the changes you mention. Kinda weird to hide behind “default behavior forever” to make people work more, with some even being surprised by it. For one, I was surprised and shocked. Made me work extra, as on most machines we had this installed automatically, so nobody read the prompt.

There are a lot of examples from life where people used to say "it’s been our default behavior forever": blood letting with leeches for 2000 years; curing ulcer with herbs and blood letting for 3500 years…

Defaults have power; in our modern world one would be well advised to default to the most secure.


dsimunic avatar Mar 26 '25 20:03 dsimunic

@dsimunic : Thanks for your feedback. We are planning to change the defaults to authenticated access only but we know the pushback that will come from the community. :) I would like to connect with you to understand your use-case and tweak our defaults. Let me know if we can get on a short call early next week?

sashwathn avatar Mar 27 '25 08:03 sashwathn

It’s hard to imagine that someone serious about paying for your services would push back on secure defaults. But then, 🤷‍♂️.

Our use case is simple: 20-ish bare metal servers (few main web/db workhorses, few for redundancy, a dozen drones), almost fully hands-off ops-wise. Lots of uneven traffic and user data, and we simply want to know if we’re running out of disk space. Netdata was hands down the easiest way to solve that problem. Sadly deceptively easy, with footguns included.

I’d say make it easy for me to get going and not think about setting up, just enjoy the dashboard. If the project grows, it will be a no brainer to go paid. Everybody loves a tool that knows how to get out of the way.

No problem to talk on European time.


dsimunic avatar Mar 27 '25 18:03 dsimunic