前言 前两天公司漏洞通报prometheus未设置鉴权,漏洞详情如下图所示。
操作前须知
Prometheus于2.24版本(包括2.24)之后提供Basic Auth功能进行加密访问,在浏览器登录UI的时候需要输入用户密码,访问Prometheus api的时候也需要加上用户密码
1、 安装依赖
yum -y install epel-release python3 python3-bcrypt
2、通过python脚本生产密码
[root@localhost home]# cat python_passwd.py
import getpass
import bcrypt
password = getpass.getpass("password: ")
hashed_password = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
print(hashed_password.decode())
3、运行python脚本生成密码
[root@localhost home]# python3 ./python_passwd.py
password: **交互输入密码**
4、prometheus配置文件
[root@localhost prometheus-2.24.0.linux-amd64]# pwd
/home/prometheus-2.24.0.linux-amd64
[root@localhost prometheus-2.24.0.linux-amd64]# cat webconfig.yml
basic_auth_users:
admin: $2b$12$ic7SmeIcedgf8whWBhsiIugN7m4ZXCm5Om73mMShJ..Yc1lFmzIcq
**#admin是账号:后面是密码 明文是:NGM1YTM^3YzUxZDdlM**
[root@localhost prometheus-2.24.0.linux-amd64]# cat prometheus.yml | egrep -v '^#|^$'
global:
scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
# scrape_timeout is set to the global default (10s).
alerting:
alertmanagers:
- static_configs:
- targets:
# - alertmanager:9093
rule_files:
# - "first_rules.yml"
# - "second_rules.yml"
scrape_configs:
# The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
- job_name: 'prometheus'
static_configs:
- targets: ['localhost:9090']
- job_name: 'localhost'
static_configs:
- targets: ['localhost:9100']
5、检测webconfig.yml是否可用
[root@localhost prometheus-2.24.0.linux-amd64]# ./promtool check web-config webconfig.yml
webconfig.yml SUCCESS
6、启动 prometheus
nohup ./prometheus --web.config.file=web.yml &
7、访问链接提示输入账号密码
http://ip:9090
8、服务正常
1882
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
