
Adding web env security group induces security flaw in single instance environments #5

Open
Mdelaf opened this issue Dec 30, 2020 · 1 comment

@Mdelaf

Mdelaf commented Dec 30, 2020

Again, thanks for this great tool.

Environment settings:

  • Platform: Python 3.7 running on 64bit Amazon Linux 2/3.1.4
  • Web server: nginx (default in AL2)

Today I was checking my worker environment logs and in the nginx access logs I found some requests that were made by external agents (not coming from the sqs daemon process on localhost).

----------------------------------------
/var/log/nginx/access.log
----------------------------------------
58.97.229.90 - - [29/Dec/2020:23:57:20 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7" "-"
127.0.0.1 - - [30/Dec/2020:00:15:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
127.0.0.1 - - [30/Dec/2020:00:30:05 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
139.162.119.197 - - [30/Dec/2020:00:34:18 +0000] "GET / HTTP/1.1" 302 0 "-" "HTTP Banner Detection (https://security.ipip.net)" "-"
127.0.0.1 - - [30/Dec/2020:00:45:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
91.199.118.137 - - [30/Dec/2020:01:08:25 +0000] "CONNECT cdn.jsdelivr.net:443 HTTP/1.1" 400 157 "-" "-" "-"
91.199.118.137 - - [30/Dec/2020:01:08:26 +0000] "CONNECT cdn.jsdelivr.net:443 HTTP/1.1" 400 157 "-" "-" "-"
127.0.0.1 - - [30/Dec/2020:01:15:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
127.0.0.1 - - [30/Dec/2020:01:45:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
188.166.64.74 - - [30/Dec/2020:01:59:15 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 404 179 "http://35.166.105.105:80/admin/login.asp" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0" "-"
188.166.64.74 - - [30/Dec/2020:01:59:16 +0000] "" 400 0 "-" "-" "-"
127.0.0.1 - - [30/Dec/2020:02:15:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
92.126.230.58 - - [30/Dec/2020:02:42:24 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" "-"
127.0.0.1 - - [30/Dec/2020:02:45:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
127.0.0.1 - - [30/Dec/2020:03:15:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
127.0.0.1 - - [30/Dec/2020:03:45:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
85.99.129.150 - - [30/Dec/2020:04:11:51 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" "-"
127.0.0.1 - - [30/Dec/2020:04:15:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
127.0.0.1 - - [30/Dec/2020:04:45:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
209.17.96.66 - - [30/Dec/2020:04:45:25 +0000] "GET / HTTP/1.0" 302 0 "-" "Mozilla/5.0 (compatible; Nimbostratus-Bot/v1.3.2; http://cloudsystemnetworks.com)" "-"
83.97.20.31 - - [30/Dec/2020:04:53:35 +0000] "GET / HTTP/1.0" 302 0 "-" "-" "-"
83.97.20.31 - - [30/Dec/2020:04:53:37 +0000] "GET /admin/ HTTP/1.0" 302 0 "-" "-" "-"
83.97.20.31 - - [30/Dec/2020:04:53:40 +0000] "GET /admin/login/?next=/admin/ HTTP/1.0" 200 2194 "-" "-" "-"
167.248.133.40 - - [30/Dec/2020:05:14:27 +0000] "GET / HTTP/1.1" 302 0 "-" "-" "-"
167.248.133.40 - - [30/Dec/2020:05:14:28 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)" "-"
167.248.133.40 - - [30/Dec/2020:05:14:28 +0000] "GET /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)" "-"
167.248.133.40 - - [30/Dec/2020:05:14:28 +0000] "GET /admin/login/ HTTP/1.1" 200 2181 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)" "-"
196.52.43.64 - - [30/Dec/2020:05:44:20 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3602.2 Safari/537.36" "-"
196.52.43.64 - - [30/Dec/2020:05:44:21 +0000] "GET /admin/ HTTP/1.1" 302 0 "http://35.166.105.105:80/" "Go http package" "-"
196.52.43.64 - - [30/Dec/2020:05:44:21 +0000] "GET /admin/login/?next=/admin/ HTTP/1.1" 200 2194 "http://35.166.105.105:80/admin/" "Go http package" "-"
185.239.242.162 - - [30/Dec/2020:06:12:24 +0000] "GET / HTTP/1.1" 302 0 "-" "Linux Gnu (cow)" "-"
134.122.7.61 - - [30/Dec/2020:06:40:35 +0000] "GET /config/getuser?index=0 HTTP/1.1" 404 179 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-"
167.99.164.114 - - [30/Dec/2020:07:18:20 +0000] "\x16\x03\x01\x01\xFD\x01\x00\x01\xF9\x03\x03\xB5\x1DUX.\x15\xF7L\xAC\x07\x5C\xA0|\x06J9\xBD\xF9&\xC6\xD9\xF9RL\xF7\xD0\x9Bk\xCF\x84O\xA0\x00\x01<\xCC\x14\xCC\x13\xCC\x15\xC00\xC0,\xC0(\xC0$\xC0\x14\xC0" 400 157 "-" "-" "-"

After debugging I realized that this security problem is caused due to the security group I added to the worker environment (I made this on purpose to have access to the web env database - check this).

When you add a security group to an EC2 instance, the inbound rules that come with it will be included as well. If your environment is a single instance environment (i.e. no load balancer involved), the security group of the web environment instance will contain the following inbound rule:
80 | TCP | 0.0.0.0/0

If you use that same security group for your worker, then everyone will be able to access it.

Note that in the case of a high availability environment (i.e. with load balancer), the inbound rule will limit traffic to the load balancer only, so in that scenario we won't have this security flaw.

I haven't tried this yet, but I think a better approach to the one described here is to edit the inbound rules of the RDS DB security group and add an entry for the worker instance security group. By doing that the database should accept connections from both environments and the worker should remain private always.
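The check described at the top of this issue (reading the worker's nginx access log and separating aws-sqsd traffic on localhost from everything else), as an added Python example that is not code from the issue or from the project. The sample log is a subset of the lines quoted above, and the regular expression assumes nginx's default combined log format as shown there.

```python
import ipaddress
import re
from collections import Counter

# One nginx combined-format line, as quoted in the issue:
#   ip - - [time] "request" status bytes "referer" "user-agent" "-"
# nginx escapes embedded quotes as \x22, so a quoted field never contains a raw ".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample: a subset of the access.log lines quoted in the issue.
# On a worker tier only aws-sqsd, posting from 127.0.0.1, should ever reach nginx.
SAMPLE_LOG = r'''58.97.229.90 - - [29/Dec/2020:23:57:20 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7" "-"
127.0.0.1 - - [30/Dec/2020:00:15:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
139.162.119.197 - - [30/Dec/2020:00:34:18 +0000] "GET / HTTP/1.1" 302 0 "-" "HTTP Banner Detection (https://security.ipip.net)" "-"
188.166.64.74 - - [30/Dec/2020:01:59:15 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 404 179 "http://35.166.105.105:80/admin/login.asp" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0" "-"
188.166.64.74 - - [30/Dec/2020:01:59:16 +0000] "" 400 0 "-" "-" "-"
127.0.0.1 - - [30/Dec/2020:02:15:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
83.97.20.31 - - [30/Dec/2020:04:53:40 +0000] "GET /admin/login/?next=/admin/ HTTP/1.0" 200 2194 "-" "-" "-"
'''


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_external_requests(log_text, allowed_agent_prefix="aws-sqsd/"):
    """Return every request that is not the SQS daemon talking over loopback.

    A non-loopback source means the instance is reachable from outside; a
    loopback request with a different User-Agent is also reported, since nothing
    but aws-sqsd is expected to talk to a worker's nginx.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["ip"])
        if not src.is_loopback or not rec["agent"].startswith(allowed_agent_prefix):
            findings.append(rec)
    return findings


def summarize(findings):
    """Count offending source addresses and the paths they requested."""
    sources = Counter(r["ip"] for r in findings)
    paths = Counter(
        r["request"].split(" ")[1] if " " in r["request"] else "<empty>"
        for r in findings
    )
    return sources, paths


if __name__ == "__main__":
    hits = find_external_requests(SAMPLE_LOG)
    sources, paths = summarize(hits)
    print(f"{len(hits)} unexpected requests from {len(sources)} sources")
    for ip, n in sources.most_common():
        print(f"  {ip:16} {n}")
    for path, n in paths.most_common():
        print(f"  {n:3} x {path}")
```

Run it against the real file with `find_external_requests(open("/var/log/nginx/access.log").read())`; any non-empty result on a worker tier means the instance is accepting traffic that is not coming from the SQS daemon, which is exactly the symptom this issue reports. Note that the sample's `200` on `/admin/login/` is the application's own login page answering an outside request, not just a connection attempt.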
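The security-group behaviour described above (an instance inherits the inbound rules of every group attached to it, so attaching the single-instance web group to the worker brings its port-80 `0.0.0.0/0` rule along) together with the proposed alternative (an inbound rule on the RDS group that references the worker's group), as an added Python example that is not the project's own code. The groups and ids are constructed placeholders in the shape `ec2.describe_security_groups()` returns, and the database port is assumed to be 5432 since the issue does not name the engine.

```python
import copy

DB_PORT = 5432  # assumption: PostgreSQL; the issue does not say which engine is used

# Constructed sample groups (placeholder ids), shaped like
# ec2.describe_security_groups()["SecurityGroups"] entries.
WEB_SINGLE_INSTANCE_SG = {
    "GroupId": "sg-web-single-EXAMPLE",
    "IpPermissions": [
        # The rule quoted in the issue for a single-instance web tier: 80 | TCP | 0.0.0.0/0
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}
WEB_LOAD_BALANCED_SG = {
    "GroupId": "sg-web-lb-EXAMPLE",
    "IpPermissions": [
        # Load-balanced tier: port 80 is open only to the load balancer's group.
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-elb-EXAMPLE"}]},
    ],
}
WORKER_SG = {"GroupId": "sg-worker-EXAMPLE", "IpPermissions": []}
DB_SG = {
    "GroupId": "sg-db-EXAMPLE",
    "IpPermissions": [
        # Before the fix the database only trusts the web tier's group.
        {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-web-single-EXAMPLE"}]},
    ],
}

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def world_open_rules(sg):
    """Ingress rules in sg that admit any source address (IPv4 or IPv6)."""
    found = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in WORLD_CIDRS:
                found.append((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"), cidr))
    return found


def instance_exposure(attached_sgs):
    """An instance gets the union of its attached groups' rules, so a worker with
    the single-instance web group attached inherits that group's 0.0.0.0/0 rule."""
    return [rule for sg in attached_sgs for rule in world_open_rules(sg)]


def allows_group(sg, source_group_id, port):
    """True if sg admits TCP traffic on port from instances in source_group_id."""
    for perm in sg.get("IpPermissions", []):
        proto = perm["IpProtocol"]
        if proto not in ("tcp", "-1"):
            continue
        if proto == "tcp" and not (perm["FromPort"] <= port <= perm["ToPort"]):
            continue
        if any(p.get("GroupId") == source_group_id for p in perm.get("UserIdGroupPairs", [])):
            return True
    return False


def worker_db_ingress(worker_sg_id, port):
    """The rule to add to the DB group: the source is the worker *group*, not a CIDR,
    in the IpPermissions shape that ec2.authorize_security_group_ingress accepts."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": worker_sg_id}]}


def with_worker_access(db_sg, worker_sg_id, port):
    """Local simulation of applying worker_db_ingress to db_sg; returns a copy."""
    fixed = copy.deepcopy(db_sg)
    fixed["IpPermissions"].append(worker_db_ingress(worker_sg_id, port))
    return fixed


if __name__ == "__main__":
    print("worker + web SG attached:", instance_exposure([WORKER_SG, WEB_SINGLE_INSTANCE_SG]))
    print("worker SG only:          ", instance_exposure([WORKER_SG]))
    fixed_db = with_worker_access(DB_SG, WORKER_SG["GroupId"], DB_PORT)
    print("worker can reach DB:", allows_group(fixed_db, WORKER_SG["GroupId"], DB_PORT))
    print("web can still reach DB:", allows_group(fixed_db, WEB_SINGLE_INSTANCE_SG["GroupId"], DB_PORT))
```

Against a real account the same dict is what you would pass to boto3: `ec2.authorize_security_group_ingress(GroupId=db_group_id, IpPermissions=[worker_db_ingress(worker_group_id, DB_PORT)])`. The worker's own group then stays free of any `0.0.0.0/0` rule, and the web group is not attached to the worker at all, which is the arrangement the issue proposes.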

@DataGreed
Owner

DataGreed commented Jan 3, 2021

@Mdelaf I am really glad you found this project useful.

Sorry for taking this long to reply – it's hard to keep track of everything on holidays :)

I actually never set up an environment without a load-balancer, so I did not realize that this kind of situation is even possible, thanks for pointing it out and suggesting a solution.

May I ask if you have succeeded in updating the inbound rules to eliminate the security risk? If so, could you please write the steps to set those rules up for a single-instance environment, so I could add them to the installation guide? I would really appreciate it. Alternatively, you could add them to the readme and make a pull request – I'd be happy to merge it.

Happy Holidays and Happy New Year 🎄
