snmp_exporter exposes a trivial way for anyone with network access to harvest SNMP (<v3) community strings:
will trigger it to send a packet containing the community string to your chosen IP address.
Thoughts:
Could make snmp_exporter default to listen on localhost only, rather than all interfaces. This would secure snmp_exporter in the common case where it runs on the same host as prometheus.
Users would then have to make an explicit choice to open it up if they want to access it remotely, and at that point can consider things like iptables rules to restrict access.
Documentation could recommend that users leave it bound to localhost, and expose it via a reverse proxy which enforces HTTP Basic Auth (and ideally HTTPS to protect the Basic Auth secret).
Prometheus core is already able to send statically-configured HTTP Basic Auth on scrape jobs.
This approach is well-known, but involves the user installing a bunch of extra bits.
Could consider adding HTTP Basic Auth and/or HTTPS and/or client cert authentication to snmp_exporter itself; that adds complexity.