Do not open ports to the world - you will be broken (risks)

Again and again, after an audit, my recommendation to hide the ports behind a white-list meets with a wall of misunderstanding. Even very cool admins / DevOps ask: "Why?!?"

I propose to consider the risks in descending order of likelihood and damage.

  1. Configuration error
  2. DDoS over IP
  3. Brute Force Attack
  4. Service Vulnerabilities
  5. Kernel stack vulnerabilities
  6. DDoS amplification

Configuration error

The most typical and dangerous situation. Here is how it happens. A developer needs to test a hypothesis quickly, so he spins up a temporary server with MySQL/Redis/MongoDB/Elasticsearch. The password, of course, is complex; he uses it everywhere. He opens the service to the world, because it is convenient to connect from his PC without "all these VPNs of yours". And he can't be bothered to remember the iptables syntax; the server is temporary anyway. A couple more days of development and it turns out great, ready to show the customer. The customer likes it, there is no time to redo it, so off to PROD it goes!

The example is deliberately exaggerated so that it steps on every rake at once:

  1. There is nothing more permanent than temporary. I do not like this phrase, but by my subjective feeling 20-40% of such temporary servers stay around for a long time.
  2. A complex universal password that is reused across many services is evil, because any one of the services where it was used may have been breached. One way or another, the dumps of breached services are merged into one base, which is then used for brute force*.
    It is worth adding that Redis, MongoDB and Elasticsearch are, out of the box, reachable without any authentication at all, and they regularly end up in collections of exposed databases.
  3. It may seem that nobody will scan your port 3306 in a couple of days. That is a delusion! Masscan is an excellent scanner and can scan at 10M ports per second, and there are only 4 billion IPv4 addresses on the Internet. So every port 3306 on the Internet is covered within 7 minutes. Carl!!! Seven minutes!
    "Who needs it?" you object. And yet I am surprised, looking at the statistics of dropped packets: why 40 thousand scan attempts per day from 3 thousand unique IPs? Everyone is scanning now, from script kiddies to governments. It is very easy to check: take any $3-5 VPS from any** low-cost provider, enable logging of dropped packets and look at the log a day later.

Enable logging

In /etc/iptables/rules.v4 add at the very end of the INPUT chain (after all ACCEPT rules, so that only packets about to hit the chain's DROP policy are logged):
-A INPUT -j LOG --log-prefix "[FW - ALL]" --log-level 4

And in /etc/rsyslog.d/10-iptables.conf, so that these lines go to their own file instead of the general syslog:
:msg, contains, "[FW - " /var/log/iptables.log
& stop
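A small parser for the log this produces, added here as an example and not part of the original post: it reads lines in the kernel's LOG format, counts dropped packets per day, unique source IPs, the most-probed ports and the noisiest sources, i.e. exactly the numbers quoted above (so many attempts from so many IPs). The sample lines are constructed with documentation addresses; the hostname "vps" and the interface are assumptions.

```python
import re
from collections import Counter

# Constructed sample of /var/log/iptables.log, as written by the LOG rule and
# rsyslog filter above. The "[FW - ALL]" prefix has no trailing space, so it
# runs straight into "IN=", exactly as the kernel emits it. Addresses are
# documentation ranges (RFC 5737), not real scanners.
SAMPLE_LOG = """\
Mar  3 00:01:10 vps kernel: [FW - ALL]IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=43211 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 00:01:12 vps kernel: [FW - ALL]IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=43212 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 04:17:55 vps kernel: [FW - ALL]IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.44 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=3 PROTO=TCP SPT=55555 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 04:17:56 vps kernel: [FW - ALL]IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.44 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=4 PROTO=TCP SPT=55555 DPT=6379 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  4 11:09:02 vps kernel: [FW - ALL]IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.99 DST=203.0.113.10 LEN=71 TOS=0x00 PREC=0x00 TTL=48 ID=5 PROTO=UDP SPT=40000 DPT=161 LEN=51
Mar  4 11:09:30 vps kernel: [FW - ALL]IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.44 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=6 PROTO=TCP SPT=55556 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  4 23:59:59 vps kernel: [FW - ALL]IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Mar  4 23:59:59 vps sshd[1234]: unrelated line that the rsyslog filter would not have written here
"""

PREFIX_RE = re.compile(r"\[FW - [^\]]*\]")
SRC_RE = re.compile(r"\bSRC=(\S+)")
PROTO_RE = re.compile(r"\bPROTO=(\S+)")
DPT_RE = re.compile(r"\bDPT=(\d+)")


def parse_line(line):
    """Return the fields we care about from one LOG line, or None if it is not one."""
    if not PREFIX_RE.search(line):
        return None
    src = SRC_RE.search(line)
    proto = PROTO_RE.search(line)
    if not (src and proto):
        return None
    dpt = DPT_RE.search(line)
    return {
        "day": line[:6],  # syslog timestamp starts with "Mar  3": group by calendar day
        "src": src.group(1),
        "proto": proto.group(1),
        "dport": int(dpt.group(1)) if dpt else None,  # ICMP carries no port
    }


def summarize(log_text, top=5):
    """Aggregate dropped packets: total, unique sources, per-day volume, most-probed ports, noisiest sources."""
    per_day, by_src, by_port = Counter(), Counter(), Counter()
    dropped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        dropped += 1
        per_day[rec["day"]] += 1
        by_src[rec["src"]] += 1
        if rec["dport"] is not None:
            by_port[(rec["proto"], rec["dport"])] += 1
    return {
        "dropped": dropped,
        "unique_sources": len(by_src),
        "per_day": dict(per_day),
        "top_ports": by_port.most_common(top),
        "top_sources": by_src.most_common(top),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"dropped packets: {report['dropped']} from {report['unique_sources']} unique IPs")
    for day, n in report["per_day"].items():
        print(f"  {day}: {n}")
    print("most probed ports:")
    for (proto, port), n in report["top_ports"]:
        print(f"  {proto}/{port}: {n}")
    print("noisiest sources:")
    for ip, n in report["top_sources"]:
        print(f"  {ip}: {n}")
```

Run it against the real file (`summarize(open("/var/log/iptables.log").read())`) after a day and the per-day count is the number the post is talking about; the port ranking tells you which of your services the scanners are actually looking for.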

DDoS over IP

If an attacker knows your IP, he can DDoS your server for hours or days. Not all low-cost hosters have DDoS protection, and your server will simply be disconnected from the network. If you hide the server behind a CDN, don't forget to change its IP, otherwise an attacker will google the old address and DDoS your server directly, bypassing the CDN (a very common mistake).

Service Vulnerabilities

Bugs are found sooner or later in all popular software, even the most tested and most critical. There is a semi-joke among infosec specialists: the security of an infrastructure can be safely judged by how long ago it was last updated. If your infrastructure is rich in ports sticking out into the world and you haven't updated it for a year, any security officer will tell you without looking that you are full of holes and most likely already hacked.
It is also worth mentioning that every known vulnerability was once unknown. Just imagine someone who finds such a vulnerability and scans the entire Internet for it in 7 minutes... and there is your new virus epidemic. "We need to update, but that can harm the product," you say. And you would be right, if the packages were not installed from the official OS repositories. In my experience, updates from the official repository rarely break prod.

Brute Force Attack

As described above, there is a base of half a billion passwords that are convenient to type on a keyboard. In other words, if you did not generate your password but typed adjacent keys on the keyboard, rest assured* you will be brute-forced.

Kernel stack vulnerabilities

It also happens that it does not even matter which service opens the port, because the kernel network stack itself is vulnerable. That is, absolutely any TCP / UDP socket on a two-year-old system is subject to a vulnerability leading to denial of service****.

DDoS amplification

It will not cause direct damage, but it can clog your channel, increase the load on the system, get your IP onto some blacklist*****, and you will receive an abuse report from the hoster.

Do you really need all these risks? Add your home and work IPs to the white-list. Even if your IP is dynamic, log in through the hoster's admin panel or web console and simply add the new one.

I have been building and protecting IT infrastructure for 15 years. I have developed a rule that I strongly recommend to everyone: no port should stick out into the world without a white-list.

For example, the most secure web server*** is one with only 80 and 443 open, and only to the CDN/WAF. Service ports (ssh, netdata, bacula, phpmyadmin) should at least be behind a white-list, and better still behind a VPN. Otherwise, you risk being compromised.
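A static audit of the rule the post ends on (no accepted port without a white-list), written for this page and not taken from the post: it parses an iptables-restore style INPUT chain and reports which accepted destination ports have no source restriction, and which networks the others are allow-listed to. The rules fragment is constructed for a hypothetical VPS with documentation addresses; the ports are the ones the post discusses (ssh, web, MySQL, netdata) plus an 8080 rule with a negated source to show that case.

```python
import re
import ipaddress

# Constructed /etc/iptables/rules.v4 fragment for a hypothetical VPS.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 203.0.113.5/32 -j ACCEPT
-A INPUT -p tcp --dport 22 -s 198.51.100.0/24 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -s 192.0.2.0/24 -j ACCEPT
-A INPUT -p tcp --dport 3306 -s 0.0.0.0/0 -j ACCEPT
-A INPUT -p tcp --dport 19999 -j ACCEPT
-A INPUT -p tcp --dport 8080 ! -s 10.0.0.0/8 -j ACCEPT
-A INPUT -j LOG --log-prefix "[FW - ALL]" --log-level 4
COMMIT
"""

WORLD = "0.0.0.0/0"
DPORT_RE = re.compile(r"--dports?\s+(\S+)")
PROTO_RE = re.compile(r"(?:^|\s)(?:-p|--protocol)\s+(\S+)")
SRC_RE = re.compile(r"(?:^|\s)(!\s+)?(?:-s|--source)\s+(\S+)")


def allowed_source(rule):
    """Return the normalised source network a rule accepts from, or WORLD if it does not restrict the source."""
    m = SRC_RE.search(rule)
    if m is None or m.group(1):
        # no -s at all, or a negated one ("! -s"): the rest of the Internet is accepted
        return WORLD
    net = ipaddress.ip_network(m.group(2), strict=False)
    return WORLD if net.prefixlen == 0 else str(net)


def audit_input_chain(rules_text):
    """Map every (proto, port) ACCEPTed in INPUT to the set of source networks allowed to reach it."""
    exposure = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line:
            continue
        ports = DPORT_RE.search(line)
        if ports is None:
            continue  # loopback / conntrack rules open no listening port of their own
        pm = PROTO_RE.search(line)
        proto = pm.group(1).lower() if pm else "any"
        source = allowed_source(line)
        for port in ports.group(1).split(","):
            exposure.setdefault((proto, port), set()).add(source)
    return exposure


def open_to_world(rules_text):
    """Ports any address on the Internet may reach: what the post says must not exist."""
    return sorted(
        f"{proto}/{port}"
        for (proto, port), srcs in audit_input_chain(rules_text).items()
        if WORLD in srcs
    )


if __name__ == "__main__":
    for (proto, port), srcs in sorted(audit_input_chain(SAMPLE_RULES).items()):
        status = "OPEN TO THE WORLD" if WORLD in srcs else "allow-listed: " + ", ".join(sorted(srcs))
        print(f"{proto}/{port:>5}  {status}")
```

The check only looks at `-s`/`--source`; a rule restricted by interface (`-i`) or by an ipset match is reported as open to the world, which is the conservative answer for an audit. Point it at your own rules.v4 (`open_to_world(open("/etc/iptables/rules.v4").read())`) and the list it returns should contain nothing but 80 and 443, and ideally not even those.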

That's all I wanted to say. Keep your ports closed!

  • (1) UPD1: Here you can check whether your cool universal password has shown up in the leaked base (do not do this without first replacing it with random passwords in all services). And here you can see which breached services your email appeared in, and thus find out whether your cool universal password was compromised.
  • (2) To Amazon's credit, Lightsail sees a minimum of scans. It looks like they are being filtered somehow.
  • (3) An even more secure web server is one behind a dedicated firewall with its own WAF, but here we are talking about public VPS / dedicated servers.
  • (4) SegmentSmack.
  • (5) FireHOL.

Do your ports stick out?

  • Always
  • Sometimes
  • Never
  • I don't know, lol

54 users voted. 6 users abstained.

Source: habr.com
