Netdata is a distributed monitoring system that collects real-time metrics from systems and applications. As a host-level monitoring tool with web dashboards and API access, Netdata can expose sensitive system information if not properly secured. This guide covers security measures for production Netdata deployments.
Netdata's architecture includes several security-sensitive components: the agent's local web dashboard and REST API, parent-child streaming between agents, the collectors that read system and application data, and the optional Netdata Cloud connection. The key concerns are dashboard exposure, API access control, streaming security, and sensitive data leakage through metrics.
Configure firewall rules for Netdata. ufw evaluates rules in order, so every specific allow must come before the catch-all deny:

```bash
# Netdata default port (19999): allow only trusted internal ranges
ufw allow from 10.0.0.0/8 to any port 19999 proto tcp
ufw allow from 192.168.1.0/24 to any port 19999 proto tcp
# Streaming from child nodes uses the same port on the parent;
# this allow must precede the deny below
ufw allow from 10.0.1.0/24 to any port 19999 proto tcp
# Block everything else
ufw deny from any to any port 19999 proto tcp
```
For Kubernetes, a NetworkPolicy that only admits ingress to the Netdata pods from the monitoring namespace:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: netdata-network-policy
spec:
  podSelector:
    matchLabels:
      app: netdata
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: monitoring
      ports:
        - protocol: TCP
          port: 19999
```
Bind Netdata to specific interfaces. When a reverse proxy fronts the agent, keep the web server enabled but bound to loopback so only the proxy can reach it:

```ini
# /etc/netdata/netdata.conf
[web]
bind to = 127.0.0.1:19999
# Or for the internal network only
# bind to = 10.0.1.100:19999
# Disable the agent's web server entirely only when nothing (not even a proxy) needs it
# mode = none
```
For containerized deployments, publish the port on loopback only. Note that `network_mode: host` bypasses port mappings entirely, so use one or the other:

```yaml
# docker-compose.yml
services:
  netdata:
    ports:
      - "127.0.0.1:19999:19999"
    # network_mode: host  # with host networking the ports mapping above is ignored;
    #                     # control exposure with the [web] "bind to" setting instead
```
Configure HTTP basic auth at the reverse proxy; the agent itself has no built-in user authentication, so the proxy is where credentials are checked:

Nginx configuration:

```nginx
location / {
    auth_basic "Netdata Access";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://localhost:19999;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
}
```

Apache configuration (requires mod_proxy and mod_proxy_http, and the Apache user must be able to read the password file):

```apache
<Location />
    AuthType Basic
    AuthName "Netdata Access"
    AuthUserFile /etc/netdata/.htpasswd
    Require valid-user
    ProxyPass http://localhost:19999/
    ProxyPassReverse http://localhost:19999/
</Location>
```
Use Netdata Cloud for centralized authentication:

```ini
# /etc/netdata/cloud.conf
[global]
enabled = yes
# Token from Netdata Cloud; keep it out of version control
token = ${NETDATA_CLOUD_TOKEN}
```
Netdata Cloud provides RBAC features:
| Role | Permissions |
|---|---|
| Member | View dashboards and metrics |
| Contributor | Create dashboards and alerts |
| Admin | Full access including user management |
| Owner | Complete control including billing |
Netdata Cloud supports single sign-on (SSO); configure it in the Netdata Cloud dashboard under Team Settings.
Secure API access with tokens:

```bash
# Generate API token (Netdata Cloud)
curl -X POST \
  -H "Authorization: Bearer ${CLOUD_TOKEN}" \
  https://app.netdata.cloud/api/v1/tokens
```
Configure TLS at the reverse proxy level:

Nginx SSL configuration:

```nginx
server {
    listen 443 ssl http2;
    server_name netdata.company.com;

    ssl_certificate /etc/nginx/certs/netdata.crt;
    ssl_certificate_key /etc/nginx/certs/netdata.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy header: modern browsers ignore it, the CSP below is the effective control
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src * data:; connect-src 'self'" always;

    location / {
        auth_basic "Netdata";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://localhost:19999;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
Secure parent-child streaming. On the parent, each section of stream.conf is keyed by the API key (a UUID, for example from `uuidgen`) that children must present, narrowed further with an `allow from` pattern. The parent's TLS key and certificate are set in netdata.conf under `[web]`, because streaming arrives on the same listening socket as the dashboard:

```ini
# /etc/netdata/stream.conf (parent)
# placeholder API key: replace with your own uuidgen output
[11111111-2222-3333-4444-555555555555]
enabled = yes
allow from = 10.0.1.*
```

```ini
# /etc/netdata/netdata.conf (parent): TLS for the listening socket
[web]
ssl key = /etc/netdata/ssl/stream.key
ssl certificate = /etc/netdata/ssl/stream.crt
# append ^SSL=force to the "bind to" entry to reject plaintext connections
```

Child node configuration:

```ini
# /etc/netdata/stream.conf (child)
[stream]
enabled = yes
# the :SSL suffix makes the child connect over TLS
destination = parent.company.com:19999:SSL
# placeholder: must match the section name on the parent
api key = 11111111-2222-3333-4444-555555555555
# CA used to verify the parent's certificate
CAfile = /etc/netdata/ssl/ca.crt
ssl skip certificate verification = no
```
Generate certificates for streaming:

```bash
# Create CA
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
# Create server certificate
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
# Create client certificate
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt
```
Restrict API endpoint access:

| Endpoint | Risk Level | Access Control |
|---|---|---|
| /api/v1/data | Medium | Authenticated users |
| /api/v1/info | Low | Authenticated users |
| /api/v1/alarms | Medium | Authenticated users |
| /api/v1/config | High | Admin only |
| /api/v1/badge.svg | Low | Public (configurable) |
| /netdata.conf | Critical | Admin only |
Restrict the sensitive endpoints with the agent's per-feature access lists (space-separated Netdata simple patterns, `*` is a wildcard):

```ini
# /etc/netdata/netdata.conf
[web]
# Only loopback may fetch the running configuration (/netdata.conf)
allow netdata.conf from = localhost
# Management API (health reloads and similar) from loopback only
allow management from = localhost
# Badges: serve only to the internal network if they are needed at all
allow badges from = 10.* 192.168.*
```
Configure dashboard access. The agent has no user accounts or sessions of its own (authentication belongs at the reverse proxy described above); what netdata.conf controls is which sources may connect and which may load the dashboard:

```ini
# /etc/netdata/netdata.conf
[web]
# Who may open a connection to the agent at all
allow connections from = localhost 10.* 192.168.*
# Who may load the dashboard and query the data API
allow dashboard from = localhost 10.* 192.168.*
```
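The settings in this section and in the "bind to" section earlier are easy to get wrong on one host out of many. The following audit, an added example that is not Netdata's own tooling, reads a netdata.conf with Python's configparser and flags a wildcard `bind to` or an `allow netdata.conf from` / `allow management from` wider than localhost; the sample configs are constructed and the defaults assumed are the agent's (`bind to = *`, allow lists `localhost`):

```python
import configparser

# Hosts that bind every interface; with any of these a dashboard on 19999 is
# reachable from wherever the firewall lets traffic in.
WILDCARD_HOSTS = {"*", "0.0.0.0", "::", "[::]"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def _host_of(token):
    """Host part of a 'bind to' token: '10.0.1.100:19999', '*:19999=dashboard',
    '[::1]:19999' or 'unix:/run/netdata/netdata.sock'."""
    token = token.split("=", 1)[0]          # drop the service selector
    if token.startswith("unix:"):
        return "unix"
    if token.startswith("["):               # bracketed IPv6 literal
        return token.split("]", 1)[0] + "]"
    if token.count(":") > 1:                # bare IPv6 literal without a port
        return token
    return token.split(":", 1)[0]

def audit_netdata_conf(text):
    """Return a list of findings for the [web] section; empty means hardened.
    Defaults mirror the agent's own: bind to = *, allow lists = localhost."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    web = cp["web"] if cp.has_section("web") else {}
    findings = []
    for token in web.get("bind to", "*").split():
        if _host_of(token) in WILDCARD_HOSTS:
            findings.append(f"bind to = {token!r} listens on every interface")
    for key in ("allow netdata.conf from", "allow management from"):
        allowed = set(web.get(key, "localhost").split())
        if not allowed <= LOOPBACK:
            findings.append(f"{key} = {' '.join(sorted(allowed))!r} is wider than localhost")
    return findings

# Constructed sample configs for the audit (not taken from any real host).
INSECURE_CONF = """
[web]
    bind to = *
    allow netdata.conf from = *
"""
HARDENED_CONF = """
[web]
    bind to = 127.0.0.1:19999 unix:/run/netdata/netdata.sock
    allow netdata.conf from = localhost
    allow management from = localhost
    allow dashboard from = localhost 10.* 192.168.*
"""
```

Run it over every host's /etc/netdata/netdata.conf from configuration management; a missing `[web]` section is reported as the wildcard default, which is what the agent actually does.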
Filter sensitive metrics. Keep the core collectors, switch off optional plugins you do not need, and disable individual proc collectors rather than whole plugins where only specific charts are a concern:

```ini
# /etc/netdata/netdata.conf
[plugins]
proc = yes
cgroups = yes
# Disable optional plugins if not needed
# go.d = no
# python.d = no

# Disable specific /proc collectors (and the charts they produce)
[plugin:proc]
/proc/interrupts = no
/proc/net/snmp = no
```
Control which nodes can stream. A child is accepted only if it presents an API key that has an enabled section on the parent; sections for retired keys can be kept but disabled so the key cannot be reused:

```ini
# /etc/netdata/stream.conf (parent)
# placeholder API key for the 10.0.1.0/24 child nodes
[11111111-2222-3333-4444-555555555555]
enabled = yes
allow from = 10.0.1.*
# a retired key: keep the section but refuse connections
[66666666-7777-8888-9999-000000000000]
enabled = no
```
Prevent sensitive data exposure. The collector should connect as a dedicated database account that can read status counters but not application data:

```yaml
# /etc/netdata/go.d/mysql.conf
jobs:
  - name: local
    # dedicated account with only the privileges the collector needs
    # (USAGE, REPLICATION CLIENT, PROCESS), never an application or root user
    dsn: netdata@tcp(localhost:3306)/
```
Netdata stores minimal data locally, in these directories:

- /var/cache/netdata
- /etc/netdata
- /var/log/netdata

Secure these directories:
```bash
# Set restrictive permissions
chown -R netdata:netdata /var/cache/netdata
chmod 700 /var/cache/netdata
chown -R netdata:netdata /etc/netdata
chmod 750 /etc/netdata
# Enable filesystem encryption if needed
# For sensitive deployments, use encrypted volumes
```
Secure sensitive configuration by keeping credentials out of the config file:

```yaml
# /etc/netdata/go.d/mysql.conf
# Take the DSN (which carries the password) from the environment
jobs:
  - name: local
    dsn: "${MYSQL_DSN}"
```
For Kubernetes:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: netdata-secrets
type: Opaque
data:
  mysql-dsn: <base64-encoded>
  cloud-token: <base64-encoded>
```
Configure retention. With the dbengine, retention is bounded by the disk space you grant it (oldest samples are evicted first), so a space limit is what controls how long sensitive history stays on the host:

```ini
# /etc/netdata/netdata.conf
[db]
# dbengine persists metrics to disk
mode = dbengine
# Page cache size (MB)
dbengine page cache size MB = 256
# Disk space limit (MB); this, not a time period, determines retention
dbengine multihost disk space MB = 1024
```
Enable logging:

```ini
# /etc/netdata/netdata.conf
[global]
# Debug flags (0 = off)
debug flags = 0x00000000
# Syslog facility
facility log = daemon
# Log files
error log = /var/log/netdata/error.log
access log = /var/log/netdata/access.log
```
Configure reverse proxy access logging. Define the format once in the `http {}` context under a new name (`combined` is nginx's built-in format and redefining it is a configuration error), then reference it from the Netdata vhost:

```nginx
# http {} context
log_format netdata_combined '$remote_addr - $remote_user [$time_local] '
                            '"$request" $status $body_bytes_sent '
                            '"$http_referer" "$http_user_agent" '
                            'rt=$request_time';

# server {} block for netdata.company.com
access_log /var/log/nginx/netdata_access.log netdata_combined;
```
Monitor Netdata for security events. Health entries use the agent's `alarm:` syntax, one block per alert:

```ini
# /etc/netdata/health.d/netdata.conf
# Alert on a high API request rate
 alarm: api_high_rate
    on: netdata.requests
lookup: max -1m unaligned of requests
 every: 1m
  warn: $this > 1000
  crit: $this > 5000
  info: API request rate is too high
    to: admin
```

Authentication failures are not a metric the agent emits, because the agent does not perform authentication itself: rejected logins appear as 401 responses in the reverse proxy's access log. Alert on those from the log pipeline, with the same thresholds the original alarm intended (warn above 10 and crit above 50 failures within five minutes, notified to security-team).
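The two checks above (API request rate and repeated authentication failures) evaluated against the reverse proxy's access log, as an added example that is not from the page or the Netdata project. It parses the nginx format defined in the access-logging section, the log lines are constructed, and the thresholds are the page's: warn above 10 and crit above 50 failures from one client in five minutes, warn above 1000 requests in a minute.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Matches the nginx log_format for the Netdata vhost: $remote_addr - $remote_user
# [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" rt=$request_time
LOG_RE = re.compile(
    r'(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)" rt=(?P<rt>[\d.]+)$'
)

def parse_line(line):
    """One access-log line as a dict, or None if it is not in the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e

def detect(lines, window=timedelta(minutes=5), warn=10, crit=50, rate_warn=1000):
    """Apply the page's thresholds: 401 responses per client inside `window`
    (ending at the newest entry) and total requests per minute."""
    entries = [e for e in map(parse_line, lines) if e]
    if not entries:
        return []
    newest = max(e["time"] for e in entries)
    failures = Counter(e["ip"] for e in entries
                       if e["status"] == 401 and newest - e["time"] <= window)
    alerts = []
    for ip, n in sorted(failures.items()):
        level = "crit" if n > crit else "warn" if n > warn else None
        if level:
            alerts.append((level, f"{n} auth failures from {ip} in {window}"))
    per_minute = Counter(e["time"].replace(second=0, microsecond=0) for e in entries)
    for minute, n in sorted(per_minute.items()):
        if n > rate_warn:
            alerts.append(("warn", f"{n} requests in the minute starting {minute.isoformat()}"))
    return alerts

def sample_log():
    """Constructed sample, not real traffic: 203.0.113.7 fails basic auth 60 times
    in five minutes while 198.51.100.5 makes three normal requests."""
    fmt = '{ip} - {user} [{t:%d/%b/%Y:%H:%M:%S %z}] "{req}" {st} 128 "-" "curl/8.4" rt=0.001'
    base = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    lines = [fmt.format(ip="203.0.113.7", user="-", t=base + timedelta(seconds=5 * i),
                        req="GET /api/v1/data?chart=system.cpu HTTP/1.1", st=401)
             for i in range(60)]
    lines += [fmt.format(ip="198.51.100.5", user="ops", t=base + timedelta(minutes=i),
                         req="GET /api/v1/info HTTP/1.1", st=200) for i in range(3)]
    return lines
```

Feed `detect` the lines of /var/log/nginx/netdata_access.log from a log shipper or cron job; the sample yields a single crit for 203.0.113.7 and no rate alert.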
Forward logs to SIEM:

```
# /etc/rsyslog.d/netdata.conf
# local copy
:programname, isequal, "netdata" /var/log/netdata/syslog.log
# forward to the SIEM (a single @ is UDP; use @@ for TCP so events are not silently dropped)
:programname, isequal, "netdata" @siem.company.com:514
```