SSH is accessible from external network

Bug #1526363 reported by Daniil Lapshin
This bug affects 1 person
Affects             Status     Importance  Assigned to              Milestone
Mirantis OpenStack  Won't Fix  Wishlist    Unassigned
7.0.x               Won't Fix  Wishlist    Registry Administrators
8.0.x               Won't Fix  Wishlist    Registry Administrators
9.x                 Invalid    Wishlist    Daniil Lapshin

Bug Description

In fuel 7.0, after deployment with defaults some ports are accessible from external network:

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
4369/tcp open epmd
8775/tcp open unknown
41055/tcp open unknown
49000/tcp open unknown
49001/tcp open unknown
55572/tcp open unknown

For administrative services like SSH it *may* be undesirable to be accessible from the external network (which is typically the Internet).
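As an added example (not part of the bug report or of Fuel/MOS itself), the following script parses an nmap "PORT STATE SERVICE" listing such as the one above and checks it against an assumed exposure baseline for a controller's external address: ports the thread treats as legitimately public (80 for Horizon, 8775 for Nova, plus 443, an assumption) versus administrative ports that should stay on the management network (22). The port-to-service mapping in `EXPECTED_PUBLIC` and `ADMIN_ONLY` is an assumption for illustration, and both listings are constructed from the scan output quoted in this thread.

```python
"""Audit an nmap port listing against an expected external-exposure baseline."""
import re
from dataclasses import dataclass

# Constructed input: the listing from the bug description (fuel 7.0 controller).
SCAN_70 = """\
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
4369/tcp open epmd
8775/tcp open unknown
41055/tcp open unknown
49000/tcp open unknown
49001/tcp open unknown
55572/tcp open unknown
"""

# Constructed input: the listing from the 9.0 re-test later in the thread.
SCAN_90 = """\
PORT STATE SERVICE
80/tcp closed http
443/tcp closed https
8080/tcp closed http-proxy
"""

# Assumed baseline (not a project setting): services meant to be reachable
# from the external network on a controller. 80 and 8775 come from the
# discussion; 443 is added on the assumption that Horizon may be TLS-terminated.
EXPECTED_PUBLIC = {80: "horizon", 443: "horizon-tls", 8775: "nova-api"}
# Administrative services that should only be reachable from the management network.
ADMIN_ONLY = {22: "ssh"}


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str


_LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")


def parse_nmap(text):
    """Parse nmap's normal-output port table; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            entries.append(PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def classify(entries):
    """Bucket the *open* ports into expected-public, admin-exposed and unexpected."""
    result = {"expected": [], "admin_exposed": [], "unexpected": []}
    for e in entries:
        if e.state != "open":
            continue  # closed/filtered ports are not reachable, nothing to flag
        if e.port in EXPECTED_PUBLIC:
            result["expected"].append(e.port)
        elif e.port in ADMIN_ONLY:
            result["admin_exposed"].append(e.port)
        else:
            result["unexpected"].append(e.port)
    return result


def findings(text):
    """Human-readable findings for one scan; empty list means nothing to act on."""
    buckets = classify(parse_nmap(text))
    lines = []
    for port in buckets["admin_exposed"]:
        lines.append(f"{port}/tcp ({ADMIN_ONLY[port]}): admin service reachable externally, "
                     f"restrict to the management network")
    for port in buckets["unexpected"]:
        lines.append(f"{port}/tcp: not in the public baseline, verify why it is exposed")
    return lines


if __name__ == "__main__":
    for name, scan in (("fuel 7.0 controller", SCAN_70), ("9.0 controller", SCAN_90)):
        print(f"== {name} ==")
        for line in findings(scan) or ["no findings"]:
            print("  " + line)
```

Run it as a script to see the two scans side by side; in practice you would feed it `nmap -Pn -p- <controller-external-ip>` output taken from outside the external network. Ports that are open but not in the baseline (here 4369, the Erlang port mapper, and the high ephemeral-looking ports) deserve the same scrutiny as SSH, since the baseline is what turns a raw port list into an exposure decision.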

Tags: area-linux
Roman Podoliaka (rpodolyaka) wrote:

Daniil, are you talking about the master node or slaves nodes?

Changed in mos:
assignee: nobody → Daniil Lapshin (dlapshin)
status: New → Incomplete
Daniil Lapshin (dlapshin) wrote:

Hi, Roman,

I'm talking about all controller nodes.

Changed in mos:
assignee: Daniil Lapshin (dlapshin) → nobody
tags: added: area-linux
summary: - Certain ports are accessible from external network
+ SSH is accessible from external network
information type: Private Security → Public Security
Changed in mos:
status: Confirmed → Won't Fix
description: updated
Roman Podoliaka (rpodolyaka) wrote:

Daniil, I tweaked the description a bit:

1) it only makes sense for SSH, as other ports are expected to be exposed to the external network (e.g. 80 - Horizon, 8775 - Nova, etc.)

2) even for SSH I'd *not* call it a "security vulnerability" - it's perfectly fine for SSH to be exposed to the external network (it's the way you access your instances in public clouds, FWIW), though I agree that it *may* be unexpected and/or undesirable.

Still, as far as we have public key authentication set in place, I'm not sure this should be private and get importance more than Wishlist.

Changed in mos:
importance: Medium → Wishlist
Daniil Lapshin (dlapshin) wrote:

Hi, Roman,

Horizon and other ports that are expected to be exposed to the external network should be exposed via the VIP address, not via the controllers' IPs (haproxy is used to balance requests to those services).

Alexey Deryugin (velovec) wrote:

Unable to reproduce on 9.0 #101 ISO

Nmap result for the controller:

PORT STATE SERVICE
80/tcp closed http
443/tcp closed https
6000/tcp closed X11
6001/tcp closed X11:1
6002/tcp closed X11:2
8000/tcp closed http-alt
8042/tcp closed fs-agent
8080/tcp closed http-proxy

Daniil Lapshin (dlapshin) wrote:

Hi, Roman, Alexey,

It's great that this issue couldn't be reproduced on 9.0. Is there anything else that should be done from my side, or could we somehow close it?

Curtis Hovey (sinzui)
Changed in mos:
assignee: Registry Administrators (registry) → nobody