Best practices for secure Zabbix setup

Overview

This section contains best practices that should be observed in order to set up Zabbix in a secure way.

The practices contained here are not required for the functioning of Zabbix. They are recommended for better security of the system.

Principle of least privilege

The principle of least privilege should be used at all times for Zabbix. This principle means that user accounts (in Zabbix frontend) or process user (for Zabbix server/proxy or agent) have only those privileges that are essential to perform intended functions. In other words, user accounts at all times should run with as few privileges as possible.

Giving extra permissions to ‘zabbix’ user will allow it to access configuration files and execute operations that can compromise the overall security of infrastructure.

When implementing the least privilege principle for user accounts, Zabbix frontend user types should be taken into account. It is important to understand that while a “Admin” user type has less privileges than “Super Admin” user type, it has administrative permissions that allow managing configuration and execute custom scripts.

Some information is available even for non-privileged users. For example, while AdministrationScripts is not available for non-Super Admins, scripts themselves are available for retrieval by using Zabbix API. Limiting script permissions and not adding sensitive information (like access credentials, etc) should be used to avoid exposure of sensitive information available in global scripts.

Secure user for Zabbix agent

In the default configuration, Zabbix server and Zabbix agent processes share one ‘zabbix’ user. If you wish to make sure that the agent cannot access sensitive details in server configuration (e.g. database login information), the agent should be run as a different user:

  1. Create a secure user

  2. Specify this user in the agent configuration file (‘User’ parameter)

  3. Restart the agent with administrator privileges. Privileges will be dropped to the specified user.

UTF-8 encoding

UTF-8 is the only encoding supported by Zabbix. It is known to work without any security flaws. Users should be aware that there are known security issues if using some of the other encodings.

Setting up SSL for Zabbix frontend

On RHEL/Centos, install mod_ssl package:

  1. yum install mod_ssl

Create directory for SSL keys:

  1. mkdir -p /etc/httpd/ssl/private
  2. chmod 700 /etc/httpd/ssl/private

Create SSL certificate:

  1. openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl/private/apache-selfsigned.key -out /etc/httpd/ssl/apache-selfsigned.crt

Fill out the prompts appropriately. The most important line is the one that requests the Common Name. You need to enter the domain name that you want to be associated with your server. You can enter the public IP address instead if you do not have a domain name. We will use example.com in this article.

  1. Country Name (2 letter code) [XX]:
  2. State or Province Name (full name) []:
  3. Locality Name (eg, city) [Default City]:
  4. Organization Name (eg, company) [Default Company Ltd]:
  5. Organizational Unit Name (eg, section) []:
  6. Common Name (eg, your name or your server's hostname) []:example.com
  7. Email Address []:

Edit Apache SSL configuration:

  1. /etc/httpd/conf.d/ssl.conf
  1. DocumentRoot "/usr/share/zabbix"
  2. ServerName example.com:443
  3. SSLCertificateFile /etc/httpd/ssl/apache-selfsigned.crt
  4. SSLCertificateKeyFile /etc/httpd/ssl/private/apache-selfsigned.key

Restart the Apache service to apply the changes:

  1. systemctl restart httpd.service

Enabling Zabbix on root directory of URL

Add a virtual host to Apache configuration and set permanent redirect for document root to Zabbix SSL URL. Do not forget to replace example.com with the actual name of the server.

  1. /etc/httpd/conf/httpd.conf
  1. #Add lines
  2. <VirtualHost *:*>
  3. ServerName example.com
  4. Redirect permanent / http://example.com
  5. </VirtualHost>

Restart the Apache service to apply the changes:

  1. systemctl restart httpd.service

Enabling HTTP Strict Transport Security (HSTS) on the web server

To protect Zabbix frontend against protocol downgrade attacks, we recommend to enable HSTS policy on the web server.

For example, to enable HSTS policy for your Zabbix frontend in Apache configuration, open

  1. /etc/httpd/conf/httpd.conf

and add the following directive to your virtual host’s configuration:

  1. <VirtualHost *:443>
  2. Header set Strict-Transport-Security "max-age=31536000"
  3. </VirtualHost>

Restart the Apache service to apply the changes:

  1. systemctl restart httpd.service

Enabling Content Security Policy (CSP) on the web server

To protect Zabbix frontend against Cross Site Scripting (XSS), data injection, and some other attacks of a similar type, we recommend enabling Content Security Policy on the web server. To do so, you need to configure the web server to return the Content-Security-Policy HTTP header.

To enable CSP for your Zabbix frontend in Apache configuration, edit:

  1. /etc/httpd/conf/httpd.conf

For example, if it is planned that all content will come from the site’s origin (excluding subdomains), you can add the following directive to your virtual host’s configuration:

  1. <VirtualHost *:*>
  2. Header set Content-Security-Policy "default-src 'self';"
  3. </VirtualHost>

Restart the Apache service to apply the changes:

  1. systemctl restart httpd.service

Disabling web server information exposure

It is recommended to disable all web server signatures as part of the web server hardening process. The web server is exposing software signature by default:

Best practices for secure Zabbix setup - 图1

The signature can be disabled by adding two lines to the Apache (used as an example) configuration file:

  1. ServerSignature Off
  2. ServerTokens Prod

PHP signature (X-Powered-By HTTP header) can be disabled by changing the php.ini configuration file (signature is disabled by default):

  1. expose_php = Off

Web server restart is required for configuration file changes to be applied.

Additional security level can be achieved by using the mod_security (package libapache2-mod-security2) with Apache. mod_security allows to remove server signature instead of only removing version from server signature. Signature can be altered to any value by changing “SecServerSignature” to any desired value after installing mod_security.

Please refer to documentation of your web server to find help on how to remove/change software signatures.

Disabling default web server error pages

It is recommended to disable default error pages to avoid information exposure. Web server is using built-in error pages by default:

Best practices for secure Zabbix setup - 图2

Default error pages should be replaced/removed as part of the web server hardening process. The “ErrorDocument” directive can be used to define a custom error page/text for Apache web server (used as an example).

Please refer to documentation of your web server to find help on how to replace/remove default error pages.

Removing web server test page

It is recommended to remove the web server test page to avoid information exposure. By default, web server webroot contains a test page called index.html (Apache2 on Ubuntu is used as an example):

Best practices for secure Zabbix setup - 图3

The test page should be removed or should be made unavailable as part of the web server hardening process.

Zabbix settings

By default, Zabbix is configured with X-Frame-Options HTTP response header set to SAMEORIGIN, meaning that content can only be loaded in a frame that has the same origin as the page itself.

Zabbix frontend elements that pull content from external URLs (namely, the URL dashboard widget/screen element) display retrieved content in a sandbox with all sandboxing restrictions enabled.

These settings enhance the security of the Zabbix frontend and provide protection against XSS and clickjacking attacks. Super Admins can modify iframe sandboxing and X-Frame-Options HTTP response header parameters as needed. Please carefully weigh the risks and benefits before changing default settings. Turning sandboxing or X-Frame-Options off completely is not recommended.

Zabbix Windows agent with OpenSSL

Zabbix Windows agent compiled with OpenSSL will try to reach the SSL configuration file in c:\openssl-64bit. The “openssl-64bit” directory on disk C: can be created by non-privileged users.

So for security hardening, it is required to create this directory manually and revoke write access from non-admin users.

Please note that the directory names will be different on 32-bit and 64-bit versions of Windows.