
isle-dc listening on external interfaces #255

Closed
rbos opened this issue Apr 25, 2022 · 8 comments

Comments

@rbos

rbos commented Apr 25, 2022

When I look at netstat on our ISLE servers, I see a lot of open ports:

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      87293/docker-proxy  
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      85725/docker-proxy  
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      85544/docker-proxy  
tcp        0      0 0.0.0.0:8082            0.0.0.0:*               LISTEN      85215/docker-proxy  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      19064/sshd          
tcp        0      0 0.0.0.0:8983            0.0.0.0:*               LISTEN      84633/docker-proxy  
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      86191/docker-proxy  
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1322/master         
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      86947/docker-proxy  
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      84839/docker-proxy  
tcp        0      0 0.0.0.0:8161            0.0.0.0:*               LISTEN      85035/docker-proxy  
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      86615/docker-proxy  

Our campus Nessus server is pretty unhappy about this. The "EXPOSE_*" settings in .env don't appear to change this. I see things like

      # Don't do any of these in production
      - ${MYSQL_PORT:-3306}:3306   # mysql

in docker-compose.traefik.yml, but commenting out those lines doesn't change the listening ports either.

Is there a supported way to force these not to listen to the network? As I understand it, only 80/443 should really be exposed to the world, and everything else should happen between Docker containers.
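The netstat listing above is what a scanner sees: every docker-proxy socket bound to the wildcard address 0.0.0.0 (or :: for IPv6) is reachable from the network, whatever the EXPOSE_* flags say. The following shell script is an added example, not part of this issue or of the isle-dc project: it audits a netstat listing for wildcard-bound listeners outside an allowlist of intentionally public ports, so the check can run on a host before the campus scanner does. The listing it parses is a constructed sample in the same format as the one in this post (including one IPv6 line and one port already moved to loopback); the allowlist of 22/80/443 is an assumption based on this thread.

```shell
#!/bin/sh
# Added example (not isle-dc tooling): find published container ports that are
# listening on all interfaces rather than on loopback.

# Constructed sample in `netstat -tlnp` format: docker-proxy for several
# services, plus sshd. 3306 is already bound to 127.0.0.1; 8983 is IPv6.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      87293/docker-proxy
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      85725/docker-proxy
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      86615/docker-proxy
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      19064/sshd
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      86191/docker-proxy
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      86947/docker-proxy
tcp6       0      0 :::8983                 :::*                    LISTEN      84633/docker-proxy'

# Ports that are meant to be reachable from outside (assumption: 80/443 for
# the web front end, 22 for sshd, which is not a container port anyway).
PUBLIC_PORTS="22 80 443"

# wildcard_listeners LISTING ALLOWLIST
# Prints "port program" for each LISTEN socket whose local address is a
# wildcard (0.0.0.0 or ::) and whose port is not in ALLOWLIST, one per line.
wildcard_listeners() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $6 == "LISTEN" {
            addr = $4
            # local address is "ip:port" (IPv4) or ":::port" (IPv6);
            # the port is whatever follows the last colon
            port = addr; sub(/.*:/, "", port)
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if ((host == "0.0.0.0" || host == "::") && !(port in ok)) {
                prog = $7; sub(/^[0-9]+\//, "", prog)
                print port, prog
            }
        }'
}

# audit_ports LISTING ALLOWLIST -> offending port numbers, space-separated
audit_ports() {
    wildcard_listeners "$1" "$2" | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 }'
}

# On a live host replace the sample with: audit_ports "$(netstat -tlnp 2>/dev/null)" "$PUBLIC_PORTS"
audit_ports "$SAMPLE_NETSTAT" "$PUBLIC_PORTS"
echo
```

On the sample this prints `8080 5432 8983`: the loopback-bound 3306 is not reported, and the IPv6 wildcard is caught as well, which matters because a service bound only to `127.0.0.1` can still be published on `::` if the compose file lists a second mapping.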

@misilot
Contributor

misilot commented Apr 27, 2022

You could possibly try changing the _PORT variables to 127.0.0.1:portnumber

for example

MYSQL_PORT=127.0.0.1:3306

Also be sure to run make -B docker-compose.yml && make up afterwards to rebuild your docker-compose.yml file.

Also if you are changing the EXPOSE_ variables, in the .env file you need to rebuild your docker-compose file with the same command above.
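Prefixing the host side of a published port with an address works because Docker reads a three-part mapping as host-ip:host-port:container-port, so a compose line like `${MYSQL_PORT:-3306}:3306` expands to `127.0.0.1:3306:3306` once the variable is set that way. The script below is an added example, not part of isle-dc: it checks the *_PORT variables in a .env file for values that still publish on every interface and emits a hardened copy with the loopback prefix applied. The .env fragment is constructed; apart from MYSQL_PORT and EXPOSE_MYSQL, which appear in this thread, the variable names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not isle-dc tooling): audit and harden *_PORT bindings in a
# compose-style .env file. A bare port ("3306") or an explicit wildcard
# ("0.0.0.0:3306") publishes on all interfaces; "127.0.0.1:3306" does not.

# Constructed sample .env fragment; variable names other than MYSQL_PORT are assumed.
SAMPLE_ENV='EXPOSE_MYSQL=false
MYSQL_PORT=3306
POSTGRESQL_PORT=127.0.0.1:5432
SOLR_PORT=0.0.0.0:8983
ACTIVEMQ_PORT=8161
SOME_OTHER=value'

# unbound_ports ENV -> names of *_PORT variables that publish on all
# interfaces (bare port, 0.0.0.0 prefix, or [::] prefix), one per line
unbound_ports() {
    printf '%s\n' "$1" | awk -F= '
        $1 ~ /_PORT$/ {
            v = $2
            if (v ~ /^[0-9]+$/ || v ~ /^0\.0\.0\.0:/ || v ~ /^\[::\]:/) print $1
        }'
}

# harden_env ENV -> the same content with bare and 0.0.0.0-prefixed ports
# rewritten to 127.0.0.1:PORT; every other line is passed through untouched
harden_env() {
    printf '%s\n' "$1" | awk -F= '
        $1 ~ /_PORT$/ && $2 ~ /^[0-9]+$/      { print $1 "=127.0.0.1:" $2; next }
        $1 ~ /_PORT$/ && $2 ~ /^0\.0\.0\.0:/ { sub(/^0\.0\.0\.0:/, "127.0.0.1:", $2); print $1 "=" $2; next }
        { print }'
}

# Report, then show the hardened file. On a real install the second call
# would be: harden_env "$(cat .env)" > .env.new
echo "publishing on all interfaces:"
unbound_ports "$SAMPLE_ENV"
echo "hardened:"
harden_env "$SAMPLE_ENV"
```

After writing the hardened .env, the compose file has to be regenerated and the stack restarted (`make -B docker-compose.yml && make up`, as noted above), and a fresh `netstat -tlnp` should then show the affected ports on 127.0.0.1 rather than 0.0.0.0.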

@DonRichards
Member

I'm going to quote something I just found

"Exposed and Published container ports are two different but related concepts in Docker. Exposed ports are defined in your Dockerfile as simple metadata. You must publish them when your container starts if you want to enable outside access. Exposing a port doesn’t have any immediate effect though. The statement only communicates that the application inside the container listens on port 80. It does not bind the port to your host’s network interfaces." - What’s the Difference Between Exposing and Publishing a Docker Port?

$ docker inspect --format="{{json .Config.ExposedPorts}}" traefik
{
  "3306/tcp": {},
  "443/tcp": {},
  "5432/tcp": {},
  "80/tcp": {},
  "8080/tcp": {},
  "8081/tcp": {},
  "8082/tcp": {},
  "8161/tcp": {},
  "8443/tcp": {},
  "8983/tcp": {}
}

From what I can see the ports are listening but not bound to a network device and can't be accessed directly according to this article. Let me know if this helps.

@rbos
Author

rbos commented Apr 27, 2022

I'm fairly sure that they are in fact listening on the external interface since our Nessus server is complaining about them being open, so I don't think that's it.

@misilot
Contributor

misilot commented Apr 27, 2022

@rbos can you put your docker-compose.yml and .env file in a gist, and sanitize any private information?

@rbos
Author

rbos commented Apr 27, 2022

Setting MYSQL_PORT to 127.0.0.1:3306 appears to work, actually, and as far as I can tell doesn't break functionality. I can netcat to localhost:3306 but not $HOSTNAME:3306. I'll continue down that line. Do you still want my config files?

@rbos
Author

rbos commented Apr 27, 2022

I'm happy to consider this resolved. ISLE should maybe consider making this the default; it'll harden the installation against attacks somewhat, and people can expose ports (or better yet, use an SSH tunnel) if they want.

@rbos rbos closed this as completed Apr 27, 2022
@misilot
Contributor

misilot commented Apr 27, 2022

No, I think if that works that might be good.

This is what I see with EXPOSE_MYSQL=false in nmap, where it's listening.

PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  open   https
3306/tcp open   mysql
5666/tcp open   nrpe
8000/tcp closed http-alt
8080/tcp open   http-proxy
8443/tcp open   https-alt

So what I think is happening is that the ports are being published to the traefik container, but traefik isn't actually connecting the port to the backend service, and the connection eventually times out.

If I do enable EXPOSE_MYSQL=true though, I can connect from a remote system. Actually, I can't even connect from the host when EXPOSE_MYSQL=false is set.

@rbos
Author

rbos commented Apr 27, 2022

Interesting. So security scanners see an open port and panic, even though it's not actually responding with a valid connection.

Well, at least this gets my metrics down. It makes me look bad to campus IT if their security scanner flags me, even if it's a false positive. :)
