It seems to me that zabbix is accepting any data from any agent without any checking on the source of the data. Here is a scénario:
- zabbix is used to monitor host on the internet therefor is listening on public unfirewalled ip
- someone find the server and flood false data with zabbix_sender spoofing the hostname of the node
result: your monitoring is reporting false data (your host is down but the bad/missconfigured setting send you active data to make it appear up on your zabbix server)
Would it be handy to have a shared secret we could give to the agent and set in the zabbix node configuration (like a macro). This way each agent providing data should have the shared secret to be accepted by zabbix. Could be a simple hexa string or piece of text.
With ability to have a shared secret set in a macro we could setup a trust mecanism for the whole zabbix server and change the secret by group or host etc..
This would make it more secure and very easy to create a security policy to suit your need. This can also be created with ssl and certs but the simple shared secret mecanism should be easier to implement and require much less changes to the whole code.