Do not open ports to the world - you will get hacked (risks)
Again and again, after an audit, my recommendation to hide ports behind a white-list is met with a wall of misunderstanding. Even very cool admins and DevOps engineers ask: "Why?!?"
I propose to consider the risks in decreasing order of probability of occurrence and damage.
- Configuration error
- DDoS over IP
- Bruteforce
- Service Vulnerabilities
- Kernel Stack Vulnerabilities
- DDoS amplification
Configuration error
The most typical and dangerous situation. Here is how it happens. A developer needs to quickly test a hypothesis, so he brings up a temporary server with mysql / redis / mongodb / elastic. The password is, of course, complex, the one he uses everywhere. He opens the service to the world because it is convenient to connect from his own PC without any of your VPNs. And he is too lazy to recall the iptables syntax; the server is temporary anyway. Just a couple of days of development and it turns out fine, you can show it to the customer. The customer likes it, there is no time to redo it, so we launch it in PROD!
The example is deliberately exaggerated in order to step on every rake:
- Nothing is more permanent than the temporary. I do not like this phrase, but subjectively 20-40% of such temporary servers stay around for a long time.
- A complex universal password that is used in many services is evil, because any one of the services where this password was used could be hacked. One way or another, the databases of hacked services flow into a single one that is used for brute force (1). It is worth adding that redis, mongodb and elastic are accessible without authentication right after installation, and regularly replenish the collection of open databases.
- It may seem that in a couple of days nobody will scan your port 3306. That is a delusion! Masscan is an excellent scanner and can scan at 10M ports per second. And there are only 4 billion IPv4 addresses on the Internet. Accordingly, every port 3306 on the Internet is covered in 7 minutes. Carl!!! Seven minutes!
"Who cares?" you object. And I am surprised looking at the statistics of dropped packets. Where do 40 thousand scan attempts a day from 3 thousand unique IPs come from? Nowadays everyone scans everyone, from script kiddies to governments. Checking is very simple: take any VPS for $3-5 from any low-cost hoster (2), enable logging of dropped packets, and look at the log in a day.
In /etc/iptables/rules.v4 add at the end (before the COMMIT line):
-A INPUT -j LOG --log-prefix "[FW - ALL]" --log-level 4
And in /etc/rsyslog.d/10-iptables.conf:
:msg, contains, "[FW -" /var/log/iptables.log
& stop
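As an added example (not part of the original post), here is a POSIX shell helper for the "look at the log in a day" step: it parses the kernel LOG lines that the rule above writes to /var/log/iptables.log and reports how many packets were dropped, from how many distinct sources, and which ports were probed most. The lines in SAMPLE_LOG are constructed, using documentation-range addresses, and the function names are my own; on a real host run `fw_report < /var/log/iptables.log`.

```shell
#!/bin/sh
# Summarize iptables "[FW - ALL]" log lines: total drops, unique sources, most probed ports.
# Added example; SAMPLE_LOG is constructed (documentation-range IPs), not a real capture.
SAMPLE_LOG='Mar  3 10:00:01 vps kernel: [FW - ALL]IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=51234 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:02 vps kernel: [FW - ALL]IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=TCP SPT=51235 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:03 vps kernel: [FW - ALL]IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=TCP SPT=40000 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:04 vps kernel: [FW - ALL]IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=4 PROTO=TCP SPT=40001 DPT=6379 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:05 vps kernel: [FW - ALL]IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=5 PROTO=TCP SPT=22222 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:06 vps kernel: [FW - ALL]IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=6 PROTO=UDP SPT=5353 DPT=161 LEN=20
Mar  3 10:00:07 vps sshd[412]: Accepted publickey for admin from 203.0.113.10 port 50122 ssh2'

# Print the value of one KEY=value token (SRC, DPT, PROTO, ...) per firewall log line.
# Lines without the "[FW -" prefix (e.g. the sshd line) are ignored.
fw_field() {
    grep -F '[FW -' | awk -v key="$1" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) { print substr($i, length(key) + 2); break }
    }'
}

fw_total()       { fw_field SRC | wc -l | tr -d ' '; }           # dropped packets
fw_unique_src()  { fw_field SRC | sort -u | wc -l | tr -d ' '; } # distinct scanning hosts
fw_top_ports()   { fw_field DPT | sort | uniq -c | sort -rn | awk '{print $2, $1}'; } # "port count"
fw_top_sources() { fw_field SRC | sort | uniq -c | sort -rn | awk '{print $2, $1}'; } # "ip count"

# Human-readable summary of a log read from stdin.
fw_report() {
    log=$(cat)
    printf 'dropped packets: %s\n' "$(printf '%s\n' "$log" | fw_total)"
    printf 'unique sources:  %s\n' "$(printf '%s\n' "$log" | fw_unique_src)"
    printf 'most probed ports (port count):\n'
    printf '%s\n' "$log" | fw_top_ports | head -n 5
    printf 'busiest sources (ip count):\n'
    printf '%s\n' "$log" | fw_top_sources | head -n 5
}

printf '%s\n' "$SAMPLE_LOG" | fw_report
```

The port ranking is the useful part: a day of output usually shows the database and remote-administration ports (3306, 6379, 22, 3389 and friends) at the top, which is exactly the list of services that should never face the world without a white-list.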
DDoS over IP
If an attacker knows your IP, he can choke your server for several hours or days. Not all low-cost hosters have DDoS protection, and your server will simply be disconnected from the network. If you have hidden the server behind a CDN, do not forget to change its IP, otherwise the attacker will google the old one and DDoS your server bypassing the CDN (a very common mistake).
Service Vulnerabilities
Sooner or later, bugs are found in all popular software, even the most tested and most critical. Among infosec engineers there is a half-joke: the security of an infrastructure can be easily assessed by the date of its last update. If your infrastructure is rich in ports sticking out into the world and you have not updated it for a year, any security specialist will tell you without even looking that you are full of holes and most likely have already been hacked.
It is also worth mentioning that all known vulnerabilities were once unknown. Just imagine a hacker who found such a vulnerability and scanned the whole Internet for it in 7 minutes... Here is a new virus outbreak :) You need to update, but it can break the product, you say. And you will be right if the packages are not installed from the official OS repositories. From experience, updates from the official repository rarely break prod.
Bruteforce
As described above, there is a database of half a billion passwords that are convenient to type on a keyboard. In other words, if you did not generate a password but typed adjacent keys on the keyboard, rest assured (1): they will crack you.
Kernel Stack Vulnerabilities
It happens (4) that it does not even matter which service opens the port, because the kernel network stack itself is vulnerable. That is, absolutely any TCP / UDP socket on a system from two years ago is exposed to a DDoS vulnerability.
DDoS Amplification
It will not cause direct damage, but it can clog your channel and increase the load on the system, your IP will land on some black-list (5), and you will get an abuse complaint from the hoster.
Do you really need all these risks? Add your home and work IPs to the white-list. Even if your IP is dynamic, log in through the hoster's admin panel or web console and just add another one.
I have been building and protecting IT infrastructure for 15 years. I have developed a rule that I highly recommend to everyone: no port should stick out into the world without a white-list.
For example, the most secure web server (3) is one with 80 and 443 open only to the CDN / WAF. And service ports (ssh, netdata, bacula, phpmyadmin) should be at least behind a white-list, and better yet behind a VPN. Otherwise you risk being compromised.
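Here is an added example (not from the original post) of turning the rule "no port without a white-list" into a rules.v4 file. gen_rules emits an iptables-restore ruleset whose INPUT policy is DROP, opens the service ports only to the listed home/work addresses, opens 80/443 only to the CDN / WAF ranges, and logs everything else with the same "[FW - ALL]" prefix used above. The function names and all addresses are assumptions; the real CDN ranges must come from your provider.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset (the /etc/iptables/rules.v4 format):
# service ports reachable only from a white-list, 80/443 only from CDN/WAF ranges,
# everything else logged and dropped. Added example; addresses are constructed.

# Shape check for a.b.c.d or a.b.c.d/nn (nn = 0..32). Refuses 0.0.0.0/0, which would
# silently turn the white-list into "the whole world". Octet range is not validated.
valid_cidr() {
    [ "$1" = "0.0.0.0/0" ] && return 1
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# gen_rules "<admin cidrs>" "<admin tcp ports>" "<cdn cidrs>"  -> ruleset on stdout
gen_rules() {
    admin_src=$1; admin_ports=$2; cdn_src=$3
    for cidr in $admin_src $cdn_src; do
        valid_cidr "$cidr" || { echo "gen_rules: bad cidr '$cidr'" >&2; return 1; }
    done
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
EOF
    # Service ports: one ACCEPT per (white-listed source, port) pair.
    for src in $admin_src; do
        for port in $admin_ports; do
            printf '%s\n' "-A INPUT -s $src -p tcp --dport $port -j ACCEPT"
        done
    done
    # Web ports: only the CDN / WAF may talk to the origin directly.
    for src in $cdn_src; do
        printf '%s\n' "-A INPUT -s $src -p tcp -m multiport --dports 80,443 -j ACCEPT"
    done
    # Anything that reached this point is logged, then dropped by the INPUT policy.
    cat <<'EOF'
-A INPUT -j LOG --log-prefix "[FW - ALL]" --log-level 4
COMMIT
EOF
}

# Example: ssh and mysql for two admin addresses, web only for one CDN range.
gen_rules "203.0.113.10/32 198.51.100.0/24" "22 3306" "192.0.2.0/24"
```

Load the output with `iptables-restore < rules.v4` (iptables-persistent applies /etc/iptables/rules.v4 at boot), preferably from a session with a scheduled rollback in case the white-list misses the address you are sitting on. The unlimited LOG rule matches the measurement recipe above; once the one-day count is done, add `-m limit` to it so a flood cannot fill the disk with log lines.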
That's all. Keep your ports closed!
- (1) UPD1: Here you can check whether your cool universal password has appeared in the leaked database (do not do this without first replacing that password with random ones in all services). And here you can see how many hacked services your email was featured in and, accordingly, find out whether your cool universal password has been compromised.
- (2) To Amazon's credit, on LightSail at least the scans are apparently somehow filtered.
- (3) An even more secure web server is one behind a dedicated firewall with its own WAF, but here we are talking about public VPS / dedicated servers.
- (4) SegmentSmack.
- (5) FireHOL.
Poll: Do your ports stick out?
- Always: 22% (88 votes)
- Sometimes: 46.3% (185 votes)
- Never: 19% (76 votes)
- I don't know: 12.5% (50 votes)