Multiple services exposed over network
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Fuel for OpenStack | Invalid | Medium | Stanislaw Bogatkin | |
Bug Description
Observed on Fuel master:
release: "8.0"
openstack_api: "1.0"
build_number: "264"
Problem description:
It was observed that multiple services are exposed over the network, making a possible attack or unexpected interaction easy to trigger.
Note that Fuel allows defining 2 network interfaces, and if two interfaces are configured, these services are exposed on both (all) network interfaces.
This should be avoided, as there is no need to expose these services on networks other than admin/PXE.
```
[root@fuel ~]# netstat -anp | grep LISTEN | grep -v LISTENING
tcp 0 0 10.20.0.2:5672 0.0.0.0:* LISTEN 19523/beam
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN 18667/python
tcp 0 0 0.0.0.0:8777 0.0.0.0:* LISTEN 9544/python
tcp 0 0 0.0.0.0:873 0.0.0.0:* LISTEN 4973/rsync
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 11462/nginx: master
tcp 0 0 0.0.0.0:4369 0.0.0.0:* LISTEN 19511/epmd
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 16310/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1068/sshd
tcp 0 0 10.20.0.2:15672 0.0.0.0:* LISTEN 19523/beam
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN 3544/postgres
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1540/master
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 11462/nginx: master
tcp 0 0 0.0.0.0:35357 0.0.0.0:* LISTEN 18667/python
tcp 0 0 0.0.0.0:41055 0.0.0.0:* LISTEN 19523/beam
tcp 0 0 127.0.0.1:25151 0.0.0.0:* LISTEN 11095/python2
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 11462/nginx: master
tcp 0 0 0.0.0.0:8001 0.0.0.0:* LISTEN 8077/uwsgi
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 7480/rsyslogd
tcp6 0 0 :::873 :::* LISTEN 4973/rsync
tcp6 0 0 :::61613 :::* LISTEN 19523/beam
tcp6 0 0 :::80 :::* LISTEN 6768/httpd
tcp6 0 0 :::53 :::* LISTEN 16310/dnsmasq
tcp6 0 0 :::22 :::* LISTEN 1068/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1540/master
tcp6 0 0 :::443 :::* LISTEN 6768/httpd
tcp6 0 0 :::514 :::* LISTEN 7480/rsyslogd
```
Solution proposal:
Try to make these services listen only on the admin/PXE network.
The only services expected to listen on 0.0.0.0 (0:::) are nginx and sshd.
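As an added example (not part of the bug report or of Fuel itself), a small Python check that parses `netstat -anp` LISTEN output and lists the programs bound to every interface that are not in the expected set. The sample lines are a constructed subset of the output above, and the allow list (nginx, sshd) follows the solution proposal.

```python
import re

# Constructed sample: a subset of the netstat -anp LISTEN output from the report.
SAMPLE = """\
tcp 0 0 10.20.0.2:5672 0.0.0.0:* LISTEN 19523/beam
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN 18667/python
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN 3544/postgres
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1540/master
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 11462/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1068/sshd
tcp6 0 0 :::61613 :::* LISTEN 19523/beam
tcp6 0 0 :::80 :::* LISTEN 6768/httpd
"""

# Assumption taken from the solution proposal: only these may bind all interfaces.
ALLOWED_WILDCARD = {"nginx", "sshd"}

# proto  recv-q  send-q  local  foreign  LISTEN  pid/program
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)")


def parse_listeners(text):
    """Return (proto, addr, port, pid, program) for each LISTEN line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines or anything that is not a listening socket
        proto, local, pid, prog = m.groups()
        addr, _, port = local.rpartition(":")  # ":::61613" -> ("::", "61613")
        rows.append((proto, addr, int(port), int(pid), prog.rstrip(":")))
    return rows


def is_wildcard(addr):
    """True for a socket bound to every interface (IPv4 0.0.0.0 or IPv6 ::)."""
    return addr in ("0.0.0.0", "::")


def find_exposed(text, allowed=ALLOWED_WILDCARD):
    """Return sorted (program, proto, port) for wildcard binds by programs
    that the report does not expect to listen on all interfaces."""
    exposed = set()
    for proto, addr, port, _pid, prog in parse_listeners(text):
        if is_wildcard(addr) and prog not in allowed:
            exposed.add((prog, proto, port))
    return sorted(exposed)


if __name__ == "__main__":
    for prog, proto, port in find_exposed(SAMPLE):
        print(f"{prog} listens on all interfaces ({proto} port {port})")
```

Run against the live output on a master node (`netstat -anp | grep LISTEN`) to get the list of services still to be rebound to the admin/PXE address.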
Changed in fuel:
importance: Undecided → Medium
milestone: none → 8.0
tags: added: area-library
Changed in fuel:
assignee: nobody → Fuel Library Team (fuel-library)
status: New → Confirmed
Changed in fuel:
assignee: Fuel Library Team (fuel-library) → Stanislaw Bogatkin (sbogatkin)
This should be cross-checked against the iptables rules on the Fuel master, as I'm not sure this bug is 100% accurate. Additionally, things like DNS, NTP and rsyslog must be available as well.