NetXMS is an open-source network and infrastructure monitoring system with auto-discovery, performance monitoring and alerting. It holds credentials for the infrastructure it monitors (SNMP communities and USM users, agent shared secrets, a directory bind account) and can run scripts and commands on managed hosts, so a compromised NetXMS server is a foothold on everything it monitors and production deployments need deliberate hardening. This guide covers that hardening.
The security-sensitive components are the server (netxmsd), the agents (nxagentd), the management clients (desktop console, web console and REST API), the database, and the SNMP-managed devices.
Key security concerns are console and API authentication and authorisation, agent authentication and encryption, database protection, and SNMP credential management.
Configure firewall rules for NetXMS. Note the direction of each connection: management clients connect to the server on TCP 4701, agents in tunnel mode connect to the server on TCP 4703, and the server connects out to classic agents on TCP 4700 (the agent's port, which does not need to be open on the server unless a local nxagentd runs there):
# Default posture first: drop everything inbound, then open only what NetXMS needs
ufw default deny incoming
ufw default allow outgoing
# NetXMS server listeners
ufw allow from 10.0.0.0/8 to any port 4701 proto tcp # client sessions (console, web UI backend, API)
ufw allow from 10.0.0.0/8 to any port 4703 proto tcp # agent tunnels
# Local agent on the server host, if installed: reachable from the server's own address only
ufw allow from 10.0.1.100 to any port 4700 proto tcp
# Web console, only through the TLS-terminating reverse proxy (never expose Jetty's 8080)
ufw allow from 10.0.0.0/8 to any port 443 proto tcp
ufw allow from 10.0.0.0/8 to any port 80 proto tcp # only kept for the HTTPS redirect
# Database: bind PostgreSQL/MySQL to 127.0.0.1 (listen_addresses / bind-address); ufw permits loopback
# traffic by default, so no rule is needed and none should admit remote sources
# SNMP traps
ufw allow from 10.0.0.0/8 to any port 162 proto udp
# With "default deny incoming" no explicit deny rules are required; anything not listed above is dropped
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: netxms-network-policy
spec:
  podSelector:
    matchLabels:
      app: netxms-server
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: monitoring
      ports:
        - protocol: TCP
          port: 4701   # client sessions
        - protocol: TCP
          port: 4703   # agent tunnels
Configure NetXMS server binding. By default the server listens on all addresses; bind it to the management interface. Check any other key against the netxmsd.conf reference for your version before relying on it, since the listener ports are not normally changed here:
# /etc/netxmsd.conf
# Client listener (TCP 4701) on the management interface only
ListenAddress=10.0.1.100
# Database connection: the driver is the NetXMS driver module, pgsql.ddr, not "postgresql"
DBDriver=pgsql.ddr
DBServer=localhost
DBName=netxms
DBLogin=netxms
# netxmsd does not expand ${VAR} placeholders; a literal DBPassword=${DB_PASSWORD} is sent as-is.
# Produce an obfuscated value with nxencpasswd instead (see "Secure sensitive configuration")
DBEncryptedPassword=<output of: nxencpasswd netxms '<database password>'>
Configure web console binding so the bundled Jetty instance that serves the web UI answers only on loopback and is reached exclusively through the reverse proxy:
# /etc/nxweb.conf
ListenAddress=127.0.0.1
ListenPort=8080
# Or for specific interface
# ListenAddress=10.0.1.100
# ListenPort=80
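After changing the bind addresses above, confirm that nothing is still listening on a wildcard address. The check below is an added example, not NetXMS project code: it reads `ss -ltn` style output (State, Recv-Q, Send-Q, Local-Address:Port, Peer) and flags watched ports bound to 0.0.0.0, * or [::]. The watched port list is an assumption taken from this guide (4701 client sessions, 4703 agent tunnels, 8080 web UI, 5432/3306 database); pass your own list as the first argument.

```shell
#!/bin/sh
# Added example (not part of NetXMS): flag wildcard-bound listeners on the NetXMS host.
# Input: `ss -ltn` lines on stdin. Output: one WILDCARD line per offending socket.
# Exit status 1 if anything was flagged, 0 otherwise.

audit_listeners() {
    ports=${1:-4701,4703,8080,5432,3306}    # assumption: ports used in this guide
    awk -v ports="$ports" '
    BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
        la = $4
        # split at the LAST colon so IPv6 forms such as [::]:4701 parse correctly
        i = length(la); while (i > 0 && substr(la, i, 1) != ":") i--
        addr = substr(la, 1, i - 1); port = substr(la, i + 1)
        if ((port in want) && (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "")) {
            printf "WILDCARD %s (bind this port to a specific address or to loopback)\n", la
            bad++
        }
    }
    END { exit (bad > 0) }'
}

# Live check on the host; the ss header line is ignored by the LISTEN filter above
audit_live_listeners() {
    ss -ltn | audit_listeners "$@"
}
```

Run `audit_live_listeners` as a post-change step and again from a cron job: a package upgrade that rewrites netxmsd.conf or a PostgreSQL config reset will show up as a new WILDCARD line.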
Configure NetXMS users. NetXMS has no fixed user categories or roles; access is granted to users and groups through two kinds of rights. System access rights are global (managing users, editing the server configuration, editing the script library and similar), and object access rights are set per object or subtree (read, modify, create child objects, delete, control, alarm handling, and so on) and are inherited down the object tree. Model the usual categories as groups:
- Administrators: the built-in admin account plus a small admin group. Change admin's default password (netxms) at installation and keep admin as a local break-glass account with 2FA.
- Operators: a group with read and alarm rights on the objects its members monitor and no system rights.
- Viewers: a read-only group with read rights only.
- Service accounts: one account per integration (API client, backup, SIEM export), each with only the rights that integration needs.
Rights are assigned in the console under User Management (users and groups) and on each object's Access Control page. The built-in Everyone group should carry no rights of its own, so that a new or synchronised user has no access until placed in a group.
Configure access rights as a least-privilege matrix rather than a single level per user:
- Full control: object rights including modify, delete and control, for administrators only
- Modify: create/edit objects in a subtree, for the operator group responsible for it
- View: read rights only, for viewers and read-only integrations
- Execute: control rights (agent commands, scripts against objects), treated as administrator-equivalent
- Manage users: the corresponding system right, for administrators only
Configure LDAP or Active Directory authentication. LDAP settings are not netxmsd.conf keys: they are server configuration variables, set in the console under Configuration → Server Configuration (the LDAP group of variables; names differ between major versions, so confirm them against the reference for your version). The server periodically synchronises users and groups from the directory and then authenticates those users against it. The security-relevant values, for a generic LDAP directory:
Connection string : ldaps://ldap.company.com:636   (TLS; never plain ldap:// on 389)
Sync user DN      : cn=netxms,ou=services,dc=company,dc=com   (read-only directory account; its password is stored in the NetXMS database)
Search base       : ou=people,dc=company,dc=com   (narrowest container that holds monitoring staff)
Search filter     : (objectClass=inetOrgPerson)
Login attribute   : uid
User delete action: disable   (users removed from the directory lose access at the next sync)
For Active Directory, scope the filter to a dedicated group so that only intended staff are ever imported:
Connection string : ldaps://dc.company.com:636
Sync user DN      : cn=netxms,ou=services,dc=company,dc=com
Search base       : dc=company,dc=com
Search filter     : (&(objectClass=user)(objectCategory=person)(memberOf=cn=NetXMS Users,ou=groups,dc=company,dc=com))
Login attribute   : sAMAccountName
Group attribute   : memberOf
Keep at least one local administrator (the built-in admin) outside the directory so that a directory outage or a compromised sync account cannot lock you out or in.
Enable two-factor authentication (available from NetXMS 4.0):
Configure in NetXMS Console:
- Under the two-factor authentication section of the configuration, define a method: TOTP (authenticator app) or a one-time code delivered through a notification channel (e-mail or SMS)
- Bind a method to each user account, starting with every account that holds system access rights and the local break-glass admin
- Prefer TOTP over SMS; an SMS channel depends on an external provider and on the phone number held in the directory
Configure encryption for server and agent communication. Client and agent sessions use the NetXMS protocol's own session encryption (key exchange followed by a symmetric cipher, AES by default), not TLS. TLS with X.509 certificates is used for agent tunnels, where the agent opens the connection to the server (TCP 4703) and the server, acting as a CA, issues the agent its certificate when an administrator binds the tunnel to a node. The server needs a certificate with a usable CA key for that (key names below are the netxmsd.conf ones; confirm them for your version):
# /etc/netxmsd.conf
# Server certificate (PEM, certificate plus key) used to terminate agent tunnels and to sign agent certificates
ServerCertificate=/etc/netxms/ssl/server.pem
ServerCertificatePassword=<key passphrase, or leave unset for an unencrypted key on a 0600 file>
# Additional trusted CA certificates, if agent certificates are issued by an external CA
TrustedCertificate=/etc/netxms/ssl/ca.crt
Harden the agent side in nxagentd.conf; these keys are what actually stop an unauthorised server from talking to the agent:
# /etc/nxagentd.conf
# Only these servers may open sessions; MasterServers also get full control (agent restart, config push)
MasterServers=10.0.1.100
# Require the shared secret on every session and refuse sessions without encryption
RequireAuthentication=yes
SharedSecret=<long random secret; the same value is set on the node, or as AgentDefaultSharedSecret, on the server>
RequireEncryption=yes
# Tunnel mode: the agent connects out to the server (TCP 4703, TLS); no inbound 4700 is needed
ServerConnection=10.0.1.100
Agent certificates are issued by the server, not generated by hand. Start the agent with ServerConnection set; it appears in the console's Agent Tunnel Manager as an unbound tunnel, and binding it to a node makes the server sign a certificate that the agent stores and presents on later connections. Treat the bind as the trust decision: check the tunnel's reported hostname and address against inventory before binding, and unbind tunnels for decommissioned hosts so a cloned or recovered agent key cannot reconnect as that node.
Configure HTTPS for the web console, terminating TLS in nginx in front of the loopback-bound Jetty instance. The proxy is also where an IP allow-list for the console belongs, since it is what receives the traffic:
# /etc/nginx/sites-available/netxms
server {
    listen 80;
    server_name netxms.company.com;
    return 301 https://$host$request_uri;   # never serve the console over plain HTTP
}
server {
    listen 443 ssl http2;
    server_name netxms.company.com;
    ssl_certificate /etc/nginx/certs/netxms.crt;
    ssl_certificate_key /etc/nginx/certs/netxms.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    location / {
        allow 10.0.0.0/8;
        deny all;
        proxy_pass http://127.0.0.1:8080;   # matches ListenAddress=127.0.0.1 on the web console
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
Secure NetXMS API access. The REST API logs in as a NetXMS user and is subject to the same system and object access rights as a console session, so "Admin only" below comes down to granting create, modify and delete rights on objects, and the control rights needed for script execution, only to administrative accounts, and never to the service account used by read-only integrations. The endpoint paths are illustrative of the operation classes:
| Endpoint | Risk Level | Access Control |
|---|---|---|
| GET /api/objects | Low | Authenticated users |
| GET /api/events | Low | Authenticated users |
| POST /api/objects | High | Admin only |
| PUT /api/objects/{id} | High | Admin only |
| DELETE /api/objects/{id} | Critical | Admin only |
| POST /api/scripts/execute | Critical | Admin only |
Implement API authentication with a per-integration token rather than a shared administrator login, and keep the token off the command line, where it would be visible in process listings and shell history, by reading it from a curl config file:
# /etc/netxms/api-curl.conf (mode 0600, owned by the integration user)
header = "X-Auth-Token: <token>"
# Use the token from the file
curl --config /etc/netxms/api-curl.conf https://netxms.company.com/api/objects
Configure console session hardening (the IP allow-list here is a second layer behind the firewall and the reverse proxy, not a substitute for them):
# /etc/nxweb.conf
# Session settings
SessionTimeout=3600
SecureCookies=yes
# Access control
AllowedIPs=10.0.0.0/8,192.168.0.0/16
Restrict script execution. NXSL scripts in the Script Library run inside netxmsd with the server's privileges and can trigger agent actions on managed hosts, so the right to edit the library or to run scripts against objects is administrator-equivalent, and NXSL has no sandbox that would make a "safe" script right possible:
Configure in NetXMS Console:
- Grant the script-library and server-configuration system rights to administrators only
- Grant the object rights that allow running scripts and agent commands (Control) only to the operator groups that need them, scoped to their own subtree
- Review the library for scripts that embed credentials or call out to external systems, and move such secrets into the server's credential stores
- Audit who changed which script: library edits are recorded in the audit log
Secure SNMP credentials. NetXMS stores SNMP community strings and SNMPv3 USM credentials in its database (console: Configuration → Network Credentials, per zone) and tries them in order during discovery and polling. The list is therefore itself a credential store: keep it short, delete the default public/private entries, and remember that every v1/v2c community in it is sent in cleartext to every address discovery touches. Prefer SNMPv3 with authentication and privacy:
SNMPv3 user   : netxms
Auth protocol : SHA (SHA-256 where the device supports it), authentication password of 16+ characters
Priv protocol : AES, with a privacy password different from the authentication password
Security level: authPriv on every device that supports it; devices limited to v2c get a dedicated read-only community per zone
SNMP traps arrive on UDP 162. SNMPv1/v2c traps carry their community in cleartext and are trivially spoofed, so restrict the trap port at the firewall to known senders (as in the ufw rules above) and do not drive automated remediation from unauthenticated traps.
Secure the NetXMS database (PostgreSQL shown). psql does not expand ${DB_PASSWORD}; pass the password as a psql variable (psql -v db_password='...') so it stays out of the SQL file:
-- Store SCRAM verifiers, not md5 hashes, for the new role
SET password_encryption = 'scram-sha-256';
-- Dedicated database user and database; the owner already holds all database privileges
CREATE USER netxms WITH PASSWORD :'db_password';
CREATE DATABASE netxms OWNER netxms;
Requiring TLS is not done with ALTER USER; it is a pg_hba.conf rule. Allow the netxms role only over TLS with SCRAM, and reject non-TLS connections explicitly:
# pg_hba.conf
hostssl   netxms  netxms  127.0.0.1/32  scram-sha-256
hostnossl all     all     0.0.0.0/0     reject
Database encryption: pgcrypto provides column-level functions that NetXMS does not call, so creating the extension protects nothing, and PostgreSQL itself has no built-in transparent data encryption (TDE is offered by some commercial PostgreSQL derivatives). The practical control is encryption below the database: put the PostgreSQL data directory on an encrypted volume (LUKS or the cloud provider's volume encryption) and encrypt backups, as below.
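A quick way to verify the pg_hba.conf side of this, as an added example that is neither NetXMS nor PostgreSQL project code: the function parses pg_hba.conf and reports any rule that can admit the NetXMS database without TLS (host or hostnossl), with a cleartext or md5 method, or from any source address. The default file path and the database name netxms are assumptions; pass your own as arguments.

```shell
#!/bin/sh
# Added example (not NetXMS or PostgreSQL code): audit pg_hba.conf rules that can match the
# NetXMS database. Prints one finding per line; exit status 1 if there were findings.

audit_pg_hba() {
    hba=${1:-/etc/postgresql/pg_hba.conf}   # assumption: distro-dependent path
    db=${2:-netxms}                          # assumption: database name from this guide
    awk -v db="$db" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments and blank lines
    {
        type = $1; dbs = $2
        # "local" rows have no ADDRESS column, so METHOD sits one column to the left
        if (type == "local") { addr = "socket"; method = $4 } else { addr = $4; method = $5 }
        if (dbs != db && dbs != "all") next              # rule can never match our database
        if (type == "host" || type == "hostnossl") {
            printf "%s:%d: %s rule allows non-TLS access to %s: %s\n", FILENAME, FNR, type, dbs, $0
            bad++
        }
        if (method == "trust" || method == "password" || method == "md5") {
            printf "%s:%d: weak authentication method %s for %s\n", FILENAME, FNR, method, dbs
            bad++
        }
        if (addr == "0.0.0.0/0" || addr == "::/0" || addr == "all") {
            printf "%s:%d: rule for %s is open to any source address\n", FILENAME, FNR, dbs
            bad++
        }
    }
    END { exit (bad > 0) }' "$hba"
}
```

Rules for other databases are ignored, but a rule for `all` databases is checked because it would also match netxms; a wide-open `hostssl all all 0.0.0.0/0 scram-sha-256` is flagged for its address range even though its method and transport are fine.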
Secure the data directory:
# Restrictive permissions: directories 750, files 640 (chmod -R 750 would leave every file executable)
chown -R netxms:netxms /var/lib/netxms
find /var/lib/netxms -type d -exec chmod 750 {} +
find /var/lib/netxms -type f -exec chmod 640 {} +
# Mount /var/lib/netxms (and the database data directory) on an encrypted volume, e.g. LUKS
Secure sensitive configuration. netxmsd does not expand ${VAR} placeholders, so a line such as DBPassword=${DB_PASSWORD} stores and sends that literal string. The supported way to keep the database password out of the file in clear is nxencpasswd, which produces a value for DBEncryptedPassword; this is an obfuscation the server can reverse, not encryption, so file permissions remain the real control. The LDAP sync password is a server configuration variable held in the database, not a file setting.
# /etc/netxmsd.conf
DBLogin=netxms
# value printed by:  nxencpasswd netxms '<database password>'
DBEncryptedPassword=<output of nxencpasswd>
# Or keep the credential lines in a separate file with tighter permissions
# Include=/etc/netxms/secrets.conf
Protect the secrets file; the same applies to netxmsd.conf itself and to nxagentd.conf on every host, which holds the agent shared secret:
# Set restrictive permissions: readable by the service group, never by others
chown root:netxms /etc/netxms/secrets.conf
chmod 640 /etc/netxms/secrets.conf
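The permission and plaintext-password rules above are easy to regress on the next package upgrade or config edit, so they are worth checking mechanically. The following is an added example, not NetXMS project code: it walks every *.conf file in a directory, reports files readable by others or writable by the group, and reports any non-empty Password= value whose key is not an Encrypted one (DBEncryptedPassword from nxencpasswd is the accepted form). The directory /etc/netxms and the 640 target are this guide's assumptions; the ownership is printed for review rather than enforced, since the expected owner varies by install.

```shell
#!/bin/sh
# Added example (not part of NetXMS): audit config files for loose permissions and plaintext
# passwords. Prints one finding per line; returns 1 if anything was found, 0 if clean.

check_netxms_secrets() {
    dir=${1:-/etc/netxms}       # assumption: config directory used in this guide
    bad=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        mode=$(stat -c %a "$f")                  # GNU/busybox stat; prints e.g. 640 (no leading zero)
        owner=$(stat -c %U:%G "$f")
        other=$(( mode % 10 ))                   # rightmost octal digit: "other" bits
        group=$(( (mode / 10) % 10 ))            # middle digit: group bits
        if [ "$other" -ne 0 ] || [ $(( group & 2 )) -ne 0 ]; then
            echo "PERM   $f mode=$mode owner=$owner (want 640 or stricter, owned root:netxms)"
            bad=$((bad + 1))
        fi
        # Plaintext secret: a non-empty *Password= value that is not an *EncryptedPassword= one.
        # A literal ${VAR} placeholder is reported too, because netxmsd would send it verbatim.
        if grep -Ei '^[[:space:]]*[A-Za-z.]*Password[[:space:]]*=[[:space:]]*[^[:space:]]' "$f" \
             | grep -Eiv 'EncryptedPassword' | grep -q .; then
            echo "SECRET $f stores a plaintext password; use nxencpasswd and DBEncryptedPassword"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}
```

Run it after every configuration change and from the same cron job as the listener check; a non-zero exit is a finding to act on, not a reason to loosen the rule.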
Secure NetXMS backups. The configuration archive contains the database credentials and agent shared secrets, so it is as sensitive as the database dump; encrypt both in the pipeline so that no plaintext copy ever touches disk:
#!/bin/bash
# Secure backup script: stream straight into gpg, fail on any error in the pipeline
set -euo pipefail
umask 077
BACKUP_DIR="/secure/backups/netxms"
DATE=$(date +%Y%m%d)
RECIPIENT="security@company.com"   # the recipient key must already be imported and trusted on this host
mkdir -p "${BACKUP_DIR}"
# Database backup, encrypted without an intermediate .sql file
pg_dump netxms | gpg --batch --encrypt --recipient "${RECIPIENT}" \
    --output "${BACKUP_DIR}/netxms-db-${DATE}.sql.gpg"
# Configuration backup (netxmsd.conf, secrets, certificates), encrypted the same way
tar -czf - /etc/netxms/ | gpg --batch --encrypt --recipient "${RECIPIENT}" \
    --output "${BACKUP_DIR}/netxms-config-${DATE}.tar.gz.gpg"
# umask 077 already created the files 0600; make it explicit for older files in the directory
chmod 600 "${BACKUP_DIR}"/netxms-*.gpg
# Test a restore regularly: an encrypted backup whose private key is lost is not a backup
Enable logging. DebugLevel (0 to 9) is the verbosity setting; keep it at 0 or 1 in production, since higher levels are extremely chatty and debug output can include protocol payloads that do not belong in a log:
# /etc/netxmsd.conf
DebugLevel=1
LogFile=/var/log/netxms/netxmsd.log
# LogFile={syslog} sends the server log to the local syslog instead, which is the simplest route to a SIEM
Audit logging is separate and always on: logins, failed logins and configuration changes are written to the audit log in the database and viewed in the console's Audit Log view, with retention set by a server configuration variable. Export it to the SIEM on a schedule (or via syslog forwarding where your version supports it) so that the record survives a compromise of the server itself.
Configure web console access logging:
# /etc/nginx/sites-available/netxms
access_log /var/log/nginx/netxms_access.log combined;
error_log /var/log/nginx/netxms_error.log warn;
Create NetXMS alarms for security events:
Configure in NetXMS Console:
- Configuration → Event Processing Policy: add rules for security-relevant events (agent unreachable or replaced, unexpected configuration changes reported by agents, authentication failures where your version raises events for them)
- Raise an alarm from each rule rather than only logging the event, so it is visible and must be acknowledged
- Escalate repeated login failures, whether seen in the audit log or correlated in the SIEM, to the security team
- Route notifications for these alarms through a dedicated notification channel to the security team, not to the general operations channel
Forward logs to a SIEM. With LogFile pointing at a file, rsyslog must tail it (imfile); with LogFile={syslog} the two imfile lines are unnecessary. Use TCP (@@) rather than UDP (@), which is lossy and unauthenticated, and prefer an omfwd action with TLS where the SIEM supports it:
# /etc/rsyslog.d/netxms.conf
module(load="imfile")
input(type="imfile" File="/var/log/netxms/netxmsd.log" Tag="netxmsd:" Severity="info" Facility="local6")
:programname, isequal, "netxmsd" /var/log/netxms/syslog.log
:programname, isequal, "netxmsd" @@siem.company.com:514