
I'd like to use monitd for monitoring my webserver. I read it has a built-in HTTP server. By default it is set to run on port 2812. Is it safe to open the port on the firewall and view it via a browser?

2 Answers

1

monit by default runs as root and doesn't drop privileges for serving HTTP requests. It has its own custom code to serve HTTP. There have been at least two CVEs with XSS from unauthenticated users and CSRF vulnerabilities in monit in the past.

I wouldn't expose it to the public internet. Restrict access to specific IPs with a firewall, or put it behind an HTTP reverse proxy like nginx or haproxy with IP restrictions or HTTP authentication. monit's HTTP implementation has its own IP restrictions and HTTP authentication, but I won't trust them.

0

It's not a great idea, but you certainly can.

An SSH tunnel may be a better idea. Or set your Monit up to send email alerts.

I've used Monit for 14 years and very rarely connect to the port 2812 interface.
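The first answer says not to rely on monit's own `allow` rules and the second suggests reaching the interface over an SSH tunnel instead of opening port 2812. As an added example, not code from either answer or from the monit project, the script below parses the `set httpd` stanza of a monitrc and classifies how exposed the built-in web server is: bound to loopback, restricted only by monit's own host allow-list, or open to everything that can reach the port. The three monitrc snippets are constructed for this example; the labels `loopback`, `host-restricted`, `exposed` and `disabled` are my own. The syntax it understands (`set httpd port N`, `use address X`, `allow host-or-network`, `allow user:password`) is monit's documented syntax; `with ssl { ... }` blocks are skipped, not interpreted.

```python
"""Audit the `set httpd` stanza of a monitrc for network exposure.

Added example; not from the original answers or from monit itself.
The sample configs below are constructed for illustration.
"""
import ipaddress

# Constructed sample: port 2812 bound to every interface, protected only by
# monit's own basic-auth credentials.
EXPOSED_MONITRC = """
set daemon 60
set httpd port 2812
    allow admin:monit
check process nginx with pidfile /run/nginx.pid
"""

# Constructed sample: bound to loopback only. Reach it over an SSH tunnel
# (ssh -L 2812:127.0.0.1:2812 user@server, then browse http://localhost:2812)
# or through a local reverse proxy that enforces its own auth.
HARDENED_MONITRC = """
set daemon 60
set httpd port 2812 and use address 127.0.0.1   # loopback only
    allow localhost                             # host restriction
    allow admin:monit                           # basic auth, behind loopback
check process nginx with pidfile /run/nginx.pid
"""

# Constructed sample: reachable from the network, relying on monit's own
# IP allow-list (the first answer says not to trust this alone).
IP_ALLOWLIST_MONITRC = """
set httpd port 2812 and use address 0.0.0.0
    allow 10.0.0.0/8
    allow admin:monit
"""


def strip_comments(text):
    """Drop '#' comments; monit has no quoting that could contain '#'."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def httpd_stanza(conf):
    """Return the tokens of the `set httpd` stanza, or None if absent.

    The stanza runs from the `set httpd` line up to the next top-level
    keyword (set / check / include).
    """
    tokens, capturing = [], False
    for line in strip_comments(conf).splitlines():
        words = line.split()
        if not words:
            continue
        head = words[0].lower()
        if capturing and head in ("set", "check", "include"):
            break
        if head == "set" and len(words) > 1 and words[1].lower() == "httpd":
            capturing, words = True, words[2:]
        if capturing:
            tokens.extend(words)
    return tokens if capturing else None


def _arg(tokens, i):
    if i + 1 >= len(tokens):
        raise ValueError("malformed httpd stanza: %r needs an argument" % tokens[i])
    return tokens[i + 1]


def is_credential(target):
    """`allow user:password` vs `allow host|network`; IPv6 also contains ':'."""
    if target.startswith("@"):          # PAM group form
        return True
    if ":" not in target:
        return False
    try:
        ipaddress.ip_network(target, strict=False)
        return False                     # an IPv6 address or network
    except ValueError:
        return True


def parse_httpd(conf):
    """Return {'port', 'address', 'allow_hosts', 'allow_users'} or None."""
    tokens = httpd_stanza(conf)
    if tokens is None:
        return None
    info = {"port": None, "address": None, "allow_hosts": [], "allow_users": []}
    i = 0
    while i < len(tokens):
        t = tokens[i].lower()
        if t == "port":
            info["port"] = int(_arg(tokens, i)); i += 2
        elif t == "address":
            info["address"] = _arg(tokens, i); i += 2
        elif t == "allow":
            target = _arg(tokens, i)
            key = "allow_users" if is_credential(target) else "allow_hosts"
            info[key].append(target); i += 2
        elif "{" in t:                   # skip a `with ssl { ... }` block
            while i < len(tokens) and "}" not in tokens[i]:
                i += 1
            i += 1
        else:                            # noise words: and, use, read-only, ...
            i += 1
    return info


def exposure(conf):
    """Classify the httpd listener: disabled, loopback, host-restricted, exposed."""
    info = parse_httpd(conf)
    if info is None:
        return "disabled"
    addr = info["address"]
    if addr is not None:
        if addr.lower() == "localhost":
            return "loopback"
        try:
            if ipaddress.ip_address(addr).is_loopback:
                return "loopback"
        except ValueError:
            pass                         # a hostname: assume it is routable
    if info["allow_hosts"]:
        return "host-restricted"
    return "exposed"                     # only user:password allows, or none


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_MONITRC),
                       ("hardened", HARDENED_MONITRC),
                       ("ip-allowlist", IP_ALLOWLIST_MONITRC)):
        print("%-13s -> %s  %s" % (name, exposure(conf), parse_httpd(conf)))
```

Anything that does not come back as `loopback` is worth a second look before the firewall rule goes in: `host-restricted` means the listener is reachable from the network and the only gate is the allow-list the first answer warns about, and `exposed` means password-only or nothing at all.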

