Glances is a cross-platform system monitoring tool that provides a curses-based or web interface for real-time system metrics. As a tool with access to detailed system information, Glances requires proper security configuration to prevent information disclosure and unauthorized access. This guide covers security measures for production Glances deployments.
Glances architecture includes these security-sensitive components:
Key security concerns include web interface exposure, API access control, system information disclosure, and export credential protection.
Configure firewall rules for Glances:
# Glances web server (default port 61208)
# ufw evaluates rules in the order they were added and stops at the first
# match, so these allow rules must be added before the deny rules below.
ufw allow from 10.0.0.0/8 to any port 61208 proto tcp
ufw allow from 10.0.0.0/8 to any port 61209 proto tcp # HTTPS
# Block external access
# (sources outside 10.0.0.0/8 fall through to these rules)
ufw deny from any to any port 61208 proto tcp
ufw deny from any to any port 61209 proto tcp
# SSH tunnel for Glances access
ssh -L 61208:localhost:61208 admin@glances-server
# Then access http://localhost:61208
Configure Glances binding:
# Run Glances web server bound to localhost
# (reachable only from the host itself: a local reverse proxy or an SSH tunnel)
glances -w --bind 127.0.0.1 --port 61208
# Or for specific interface
# NOTE(review): this serves the UI and API to every host that can route to
# 10.0.1.100; pair it with firewall rules or an authenticating proxy.
glances -w --bind 10.0.1.100 --port 61208
Configure reverse proxy:
# /etc/nginx/sites-available/glances
server {
listen 80;
server_name glances.company.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name glances.company.com;
ssl_certificate /etc/nginx/certs/glances.crt;
ssl_certificate_key /etc/nginx/certs/glances.key;
location / {
proxy_pass http://127.0.0.1:61208;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Configure authentication via reverse proxy:
Nginx with Basic Auth:
location / {
auth_basic "Glances Access";
auth_basic_user_file /etc/nginx/.htpasswd;
proxy_pass http://localhost:61208;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
Manage users:
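# Create admin user
# -c creates the file and truncates an existing one, so use it only for the
# first user; running it again deletes every other account.
htpasswd -c /etc/nginx/.htpasswd admin
# Add additional users (no -c)
htpasswd /etc/nginx/.htpasswd username
# The file holds password hashes: keep it readable by root and the nginx
# worker group only (www-data on Debian/Ubuntu; adjust for your distribution).
chown root:www-data /etc/nginx/.htpasswd
chmod 640 /etc/nginx/.htpasswd
# NOTE: htpasswd -B stores bcrypt hashes instead of the default MD5-based
# format, but nginx accepts them only where the system crypt() supports
# bcrypt. Test a login before relying on it.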
Glances has limited built-in authentication. Use a reverse proxy for proper authentication:
# /etc/glances/glances.conf
[server]
# Bind to localhost only
host=127.0.0.1
port=61208
# Disable if not needed
# disable_webui=false
Secure Glances API:
# Glances API endpoints
# NOTE(review): the version segment in these paths depends on the installed
# Glances release; confirm it before writing path-specific rules.
# GET /api/2/mem - Memory info
# GET /api/2/cpu - CPU info
# GET /api/2/fs - Filesystem info
# Restrict via reverse proxy
# The prefix match on /api/ covers every endpoint below it, whatever the
# version segment is.
location /api/ {
auth_basic "API Access";
auth_basic_user_file /etc/nginx/.htpasswd;
proxy_pass http://localhost:61208;
}
Secure SSH access for remote Glances:
# Use SSH keys instead of passwords
ssh-keygen -t ed25519
# Configure SSH server
# /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
Configure TLS for Glances web server:
# Generate certificate
# -nodes writes the private key without a passphrase, so file permissions are
# its only protection: keep glances.key readable by the account that runs
# Glances and by nobody else.
# The certificate is self-signed; clients have to be given it explicitly
# before they can verify the server.
openssl req -new -x509 -days 365 -nodes \
-out /etc/glances/glances.crt \
-keyout /etc/glances/glances.key \
-subj "/CN=glances.company.com/O=Company"
# Run with TLS
# NOTE(review): confirm the TLS option names against `glances --help` for the
# installed version.
glances -w --https --certfile /etc/glances/glances.crt --keyfile /etc/glances/glances.key
Configure HTTPS via reverse proxy:
# /etc/nginx/sites-available/glances
# TLS-terminating proxy in front of a Glances instance listening on localhost.
server {
listen 443 ssl http2;
server_name glances.company.com;
ssl_certificate /etc/nginx/certs/glances.crt;
ssl_certificate_key /etc/nginx/certs/glances.key;
ssl_trusted_certificate /etc/nginx/certs/ca-bundle.crt;
ssl_protocols TLSv1.2 TLSv1.3;
# This list selects the TLS 1.2 suites; TLS 1.3 suites are not controlled by
# ssl_ciphers.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
# Security headers
# add_header is inherited by a location only while that location declares no
# add_header of its own; adding one inside "location /" would drop these four.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
# Legacy header: current browsers no longer implement the XSS auditor it
# controlled, so it adds little protection.
add_header X-XSS-Protection "1; mode=block" always;
location / {
# Basic auth sends the credentials with every request; they are protected
# only because this server block is reachable over TLS alone.
auth_basic "Glances Access";
auth_basic_user_file /etc/nginx/.htpasswd;
proxy_pass http://localhost:61208;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
Generate and manage certificates:
# Use Let's Encrypt
certbot --nginx -d glances.company.com
# Or generate self-signed for internal use
openssl req -new -x509 -days 365 -nodes \
-out /etc/nginx/certs/glances.crt \
-keyout /etc/nginx/certs/glances.key \
-subj "/CN=glances.company.com"
Configure rate limiting:
# Nginx rate limiting for Glances
# limit_req_zone is valid only in the http {} context; the location block
# belongs inside the Glances server {} block.
limit_req_zone $binary_remote_addr zone=glances:10m rate=10r/s;
location / {
# Keyed on the client address: 10 requests/s sustained plus a burst of 20 per
# address. This also bounds how fast one address can try passwords against
# the basic-auth prompt below.
limit_req zone=glances burst=20 nodelay;
auth_basic "Glances Access";
auth_basic_user_file /etc/nginx/.htpasswd;
proxy_pass http://localhost:61208;
}
Disable sensitive plugins:
# /etc/glances/glances.conf
[quicklook]
# Disable if not needed
# disable=true
[folders]
# Disable folder monitoring
disable=true
[processlist]
# Limit process information
disable=true
Limit exposed system information:
# Run with limited plugins
glances -w --disable-plugin folders --disable-plugin processlist
# Or configure in glances.conf
[processlist]
disable=true
[folders]
disable=true
[network]
disable=false
Secure export modules:
# /etc/glances/glances.conf
[csv]
# Secure CSV export path
# NOTE(review): the path setting gives no protection by itself; restrict the
# permissions of the export directory so other local users cannot read it.
path=/var/log/glances/exports
[influxdb]
# Use environment variables for credentials
# NOTE(review): confirm that the installed Glances version expands ${VAR}
# references in glances.conf; if it does not, these literal strings are used
# as the host, port, user and password.
host=${INFLUXDB_HOST}
port=${INFLUXDB_PORT}
user=${INFLUXDB_USER}
password=${INFLUXDB_PASSWORD}
[prometheus]
# Restrict export
# NOTE(review): choosing a port does not limit who can scrape the exporter;
# restrict it with the bind address or firewall rules. 61209 is also the port
# this guide's firewall rules label as HTTPS.
port=61209
Protect Glances configuration:
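# Set restrictive permissions
# glances.conf can hold export credentials (for example the [influxdb]
# password), so it must not be world-readable: 600 limits it to root.
# If Glances runs under a dedicated account, give that account's group read
# access instead (chown root:<service-group>, chmod 640).
chown root:root /etc/glances/glances.conf
chmod 600 /etc/glances/glances.conf
# Encrypt sensitive configuration
# gpg -c writes an encrypted copy (glances.conf.gpg) and leaves the plaintext
# file in place. Glances cannot read the encrypted copy, so this protects
# backups and off-host copies, not the live configuration.
gpg -c /etc/glances/glances.conf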
Secure export credentials:
# Use environment variables
# "secure_password" is a placeholder. Typed at an interactive prompt, these
# lines can end up in the shell history file, and an exported value is
# inherited by every child process started from this shell.
export INFLUXDB_PASSWORD="secure_password"
export PROMETHEUS_PASSWORD="secure_password"
# Or use external secrets file
# Source in systemd service
Systemd service with secrets:
# /etc/systemd/system/glances.service
[Service]
# The secrets file presumably holds the export passwords in plain text
# (KEY=value lines); keep it owned by root with mode 600.
EnvironmentFile=/etc/glances/secrets
# No User= is set in this unit, so Glances runs as root here.
ExecStart=/usr/bin/glances -w --bind 127.0.0.1
Secure Glances logs:
# Set restrictive permissions
# 750 root:adm lets only root create files in this directory.
# NOTE(review): if Glances runs as a dedicated non-root account, that account
# also needs write access here, otherwise no log file can be created.
chown root:adm /var/log/glances
chmod 750 /var/log/glances
# Configure log rotation
# Keeps four weekly rotations; "create 640 root adm" recreates the active log
# as root:adm, not world-readable.
cat > /etc/logrotate.d/glances << EOF
/var/log/glances/*.log {
weekly
rotate 4
compress
delaycompress
missingok
notifempty
create 640 root adm
}
EOF
Run Glances securely:
# Create dedicated user
useradd -r -s /bin/false glances
# Run as dedicated user
sudo -u glances glances -w --bind 127.0.0.1
Enable logging:
# /etc/glances/glances.conf
[logging]
level=INFO
file=/var/log/glances/glances.log
Configure reverse proxy access logging:
# /etc/nginx/sites-available/glances
access_log /var/log/nginx/glances_access.log combined;
error_log /var/log/nginx/glances_error.log warn;
Monitor Glances for security events:
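#!/bin/bash
# /usr/local/bin/check-glances-security.sh
#
# Scans the nginx access log of the Glances vhost and exits non-zero when a
# threshold is crossed:
#   exit 1 - more than 1000 requests logged during the current clock hour
#   exit 2 - more than 20 responses with HTTP status 401 in the whole file
#            (the count accumulates until the log is rotated)
# Assumes the nginx "combined" log format.
#
# Lines are split on double quotes rather than on whitespace: the request
# line and user agent are client-controlled, so whitespace field positions
# cannot be trusted, while nginx escapes any quote a client sends.

ACCESS_LOG=/var/log/nginx/glances_access.log

#######################################
# Count the requests whose timestamp falls in the current clock hour.
# Arguments: $1 - access log path
# Outputs:   the count on stdout (0 if the file is missing or unreadable)
#######################################
count_requests_this_hour() {
  local log=$1 stamp
  [ -r "$log" ] || { echo 0; return 0; }
  # LC_ALL=C keeps %b as the English month abbreviation nginx writes.
  # Matching the full "[dd/Mon/yyyy:HH:" prefix avoids counting lines that
  # merely contain the two hour digits somewhere (addresses, sizes, ...).
  stamp="[$(LC_ALL=C date +%d/%b/%Y:%H):"
  awk -F'"' -v s="$stamp" 'index($1, s) > 0 { n++ } END { print n + 0 }' "$log"
}

#######################################
# Count the responses that carry a given HTTP status code.
# Arguments: $1 - access log path, $2 - status code
# Outputs:   the count on stdout (0 if the file is missing or unreadable)
#######################################
count_status() {
  local log=$1 code=$2
  [ -r "$log" ] || { echo 0; return 0; }
  # The text after the closing quote of the request line is " STATUS BYTES ";
  # comparing only its first word keeps "401" in a URL, byte count or address
  # from being counted as an authentication failure.
  awk -F'"' -v c="$code" '{ split($3, f, " ") } f[1] == c { n++ } END { print n + 0 }' "$log"
}

# Check for high request rate
REQUEST_RATE=$(count_requests_this_hour "$ACCESS_LOG")
if [ "$REQUEST_RATE" -gt 1000 ]; then
  echo "WARNING: High request rate to Glances"
  exit 1
fi

# Check for failed authentication
FAILED_AUTH=$(count_status "$ACCESS_LOG" 401)
if [ "$FAILED_AUTH" -gt 20 ]; then
  echo "CRITICAL: Multiple authentication failures"
  exit 2
fi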
Forward logs to SIEM:
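# /etc/rsyslog.d/glances.conf
# rsyslog selectors match facility.priority, not file paths, so the nginx log
# has to be read through the imfile input module before it can be forwarded.
module(load="imfile")
input(type="imfile"
      File="/var/log/nginx/glances_access.log"
      Tag="glances-nginx:"
      Severity="info"
      Facility="local6")
# A single @ forwards over UDP (use @@ for TCP); both are unencrypted. The
# access log carries client addresses and basic-auth user names, so keep this
# traffic on a trusted network or use rsyslog's TLS transport.
local6.* @siem.company.com:514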