Big environments sometimes can be a big pain to manage, especially when management is performed by hand. To save mental health and make life easier when investigating cases like two or more active agents with the same name simultaneously sending data to Zabbix server, I propose implementing an IP based authentication. It definitely isn't a security feature, but rather an additional handy restriction to remain in control.
This approach is applicable when host connectivity is configured using ip address, not domain name. IP authentication should be optional. When enabled, all direct connections (proxy-server connections must not be affected) from active agents are to be compared against ip address specified in host configuration/agent inteface. In case of mismatched addresses connection should be gracefully rejected.
Similar approach should also be implemented to protect trapper items. I'm aware of "Allowed hosts" field existence in trapper item configuration, but it doesn't really work when trapper items are templated due to
ZBXNEXT-354. When "Allowed hosts" is empty, all trapper item incoming data should be authenticated the same way as suggested above. To override this default behaviour, user should be able to fill "Allowed hosts" field with required data manually.
Examples of connection rejects in server/agent log:
Failed attempt to request active checks list:
> 2138:20121025:110008.943 Sending list of active checks to [192.168.0.212] failed: host [TESTHOST] ip mismatch: expected 192.168.0.221, got 192.168.0.212
Failed attempt to send data:
2138:20121025:110008.943 Process data failed: host [TESTHOST] ip mismatch: expected: 192.168.0.221, got 192.168.0.212
I'm attaching a basic proof-of-concept-patch for 1.8.14. It unconditionally checks for matching ip addresses in host configuration-remote client pair, and rejects disallowed connections for active agent items and trappers.