Back to Home

Zabbix 3.0: Encryption / Zabbix Blog

zabbix · monitoring · encryption

Zabbix 3.0: Encryption

    We continue to review the new features of 3.0, we have already managed to review the capabilities of the new version, separately highlighted the possibility of predicting problems based on collected statistics, and today we will talk about encryption.
    Encryption was one of the oldest and most anticipated innovations in Zabbix, and during this time we managed to discuss several options for its implementation: from PSK pre-key authentication to full support for TLS and Kerberos. A year ago, it was decided to stay on TLS.



    And now in Zabbix 3.0 all components, such as server, agent and proxies, can be configured to use encryption, or can continue to communicate openly, as before. All this makes it possible to use Zabbix in those systems where encryption between nodes is a prerequisite. In addition, support for secure connections has been added for command-line utilities such as zabbix_sender and zabbix_get.

    Technical details


    Zabbix can use one of the following libraries for encryption: OpenSSL , GnuTLS, or mbedTLS (PolarSSL). This decision was first made in order to always be able to change the library if a critical vulnerability is found in the one used, the type of license changes, or development and support ends. Another advantage is Zabbix's neutrality to any of the listed sets.

    TLS is supported in version 1.2 - previous versions of the SSL / TLS protocol contained vulnerabilities, so we considered using them a bad idea.

    In addition to hiding transmitted messages from strangers, authentication is also implemented. Now it is possible to get answers to the questions “Can I trust a data source” or “Do we send a file with a list of passwords to our server”. The following options are available for authentication: use of a certificate (for those who have a public key infrastructure or high security requirements) or a PSK key (for small installations).

    You will not need to open any new ports - only standard Zabbix TCP / 10050-10051 are still used.
    If the user is not interested in encryption, then you can continue to use Zabbix as before. At the same time, the updated Zabbix components will support a new feature, so you can start setting up secure connections at any time convenient for you.

    It is also important to note that we added several new fields in the Zabbix database tables, in order to store additional settings, made it possible to change them via the web (logically the same) or API, and also added new parameters in the configuration files.
    An example of encryption settings is shown in the following screenshot.



    Two parameters determine how the server or proxy connects to the agent (for passive checks, “Connections to host”) and a separate parameter that determines what types of connections are allowed from the agent (active checks and zabbix_sender, “Connections from host”). “Connections from host” is also used to restrict connections to the server from those who acquired a stolen certificate or found out the PSK.

    On the part of the agents and utilities zabbix_get, zabbix_sender, encryption is configured using the new configuration file parameters or command line arguments.

    At the time of testing, it is possible to allow several types of connections at once (i.e., open and secure), then configure encryption and authentication based on a certificate or PSK, make sure that everything works, and, finally, prohibit unencrypted connections.

    Subsequent Improvements


    At the same time, of course, there is still work to do, for example:
    • At the moment, reusing TLS sessions through caching is not supported, so now every connection initializes the connection from scratch, which is naturally slower.
    • Add encryption support for Zabbix Java gateway.
    • Now only support for X.509 certificates with RSA keys is implemented. ECDSA certificate support should help improve performance.
    • Revoked certificates can only be verified through CRL files; online publisher verification is currently not implemented.


    Support for encryption and mutual authentication in Zabbix enables users to gradually and selectively improve the security of monitoring system components. We suggest that you try this and other innovations yourself . The full specification for encryption can be found in the documentation , well, also read about other innovations in Zabbix on Habr, if you suddenly missed it.

    Translation of an article from our blog.

    Read Next