-
Notifications
You must be signed in to change notification settings - Fork 138
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Insecure defaults from the setup instructions #90
Comments
Agreed. Can we collect some suggestions / thoughts?
Thoughts? |
Hi Nathan, Glad that this resonates. My suggestions are in the original issue:
I also think your idea about adding IP tables rules to prevent access to all of the above sounds good in principle. In practice Docker interferes with iptables and makes it impractical to achieve that result. |
Example of inlets with HTTPS provided by Caddy, Caddy has an open usage license now can also decorate endpoints with basic auth as required for things like Kibana. https://blog.alexellis.io/https-inlets-local-endpoints/ |
First step is to add a warning on the website explaining that this is an insecure example while we're investigating an actual fix. |
@gianarb I saw you closed the other script relating to ports. I think this one needs addressing rather than closing. Hopefully I can pre-empt you there. |
This issue is ALWAYS in my mind! Yep we started something here #232 . I think the same concept I tried to describe there applies here, but who knows, Kibana is not even part of the stack anymore. |
After following the setup instructions, all services appear to be directly exposed on the Internet which is never a good idea, Kibana for instance has no authentication or TLS configured.
Please consider removing this default in favour of accessing the dashboards via SSH tunnels or by using inlets.
Do the nodes even need a public IP? I hear that Packet now supports nodes with no public IPs, perhaps the terraform could provision a tiny Type0 to run Nginx as a reverse proxy with auth?
These are the ports that are open:
I do not consider this to be a security advisory that needs to be handled via backchannels or email, this is probably just an oversight. If the team feel otherwise I can remove the issue.
The text was updated successfully, but these errors were encountered: