We’ve recently added a new protocol to our IPv4 data sets that lets you easily search for exposed Prometheus endpoints. Because these endpoints can leak or lose data if they aren’t properly secured, it’s important to find any that are still on the Internet but that you and your team no longer use, so you aren’t opening your organization up to unnecessary risk. We’ll walk you through how to find them in this article.
Prometheus is an open-source systems monitoring tool that collects time-series metrics from applications and infrastructure. Teams use it to report on trends, track changes over time and spot anomalies in the systems it scrapes.
Prometheus relies on network-level controls rather than on authentication or encryption built into the product, so endpoints that are unnecessarily exposed on the Internet put organizations at risk. The project’s own security model is explicit about this: it presumes that untrusted users have access to the Prometheus HTTP endpoint and logs, which means anyone who can reach the port can read everything the server holds, and in practice that leads to many undesirable data exposures.
The security risk of exposed Prometheus databases
Prometheus endpoints and their associated databases can expose massive amounts of internal data, including sensitive business and operations information, which is perhaps most concerning for our readers. An unauthenticated endpoint lets anyone read every time series it stores, along with operational details such as the list of scrape targets (internal hostnames and IP addresses) and the running version. Depending on how the deployment is configured, unauthorized users may also be able to inject fraudulent data (for example, through an exposed Pushgateway), delete data if the admin API is enabled, or simply fill up your disks and cause your Prometheus application to crash.
Find all Prometheus endpoints exposed on the Internet
We found around 8500 Prometheus endpoints (which listen on port 9090 by default) exposed on the Internet. Take a look at the search results to see a real-time view of all Prometheus endpoints.
We also created a version breakdown report, which provides an interesting view of the data.
How to choose which services actually need to be connected to the Internet
Like any other component used within an organization, sound judgment and consideration are needed in the decision to expose it on the Internet.
- Is it necessary to connect this device/asset/host to the Internet?
- Do the benefits of doing so outweigh the potential risks of having a device exposed on the Internet?
- What security measures are necessary to ensure that the device, once connected to the Internet, isn’t unnecessarily exposed?
What to do if you find any exposed Prometheus endpoints that you or your organization own
It’s unlikely that you’ll find any endpoints in our search results that you own, but in the off chance you do, determine whether there’s any reason the device needs to be reachable from the Internet (see the questions above). We can’t think of any good reason for Prometheus endpoints to be exposed online, and we’d suggest you take them offline and host them privately.
Prometheus has no user accounts or administrative panel of its own, so access control lives wherever you enforce it: the reverse proxy, SSO provider, VPN group or firewall rules in front of the server. While you’re reviewing that layer, make sure that only the few people who need access have it. Remove anyone who doesn’t, and check that you’ve removed any individuals who have left the company, moved teams, or otherwise no longer warrant access.
Since Prometheus has historically not implemented basic auth or TLS encryption itself, we recommend running it behind a reverse proxy that terminates TLS and enforces authentication. Some helpful implementation instructions are available from the Prometheus website, namely their basic auth guide and TLS instruction guide. (Prometheus 2.24 and later can also serve TLS and basic auth natively through a web configuration file passed with --web.config.file; either way, nothing should answer on the port without authentication.)
Remember that you can use Censys to find all kinds of exposed devices and infrastructure. Check out some of our most recent additions to our data sets: Kubernetes, Microsoft Server Message Block (SMB), and remote desktop applications such as pcAnywhere, Remote Desktop Protocol (RDP), and Virtual Network Computing (VNC), for example.
For network defenders, our new SaaS offering takes the load off and will automatically discover Prometheus endpoints (and anything else) used within your organization. Sign up for a demo today! And, remember, if you’re looking for more tips like these on how to use Censys data to keep your business network secure, keep an eye on our blog and subscribe to our Twitter feed @censysio.