[GitHub] [cloudstack] GabrielBrascher commented on issue #3450: Port 8096 allows unauthenticated access from any IP.
URL: https://github.com/apache/cloudstack/issues/3450#issuecomment-513060932

I opened PR #3504; the proposal is to change the default value of '_integration.api.port_' from 8096 to 0. Deployed a staging ACS with the PR and the Unauthenticated API access is disabled by default.

This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: us...@infra.apache.org

With regards,
Apache Git Services
[GitHub] [cloudstack] GabrielBrascher commented on issue #3450: Port 8096 allows unauthenticated access from any IP.
URL: https://github.com/apache/cloudstack/issues/3450#issuecomment-510912581

@rhtyd I used the command `cloudstack-setup-databases`.
[GitHub] [cloudstack] GabrielBrascher commented on issue #3450: Port 8096 allows unauthenticated access from any IP.
URL: https://github.com/apache/cloudstack/issues/3450#issuecomment-510688691

Checked and rechecked. Port 8096 is definitely enabled by default (tested with Ubuntu).

1. Deploy a fresh Apache CloudStack, based on 4.12
2. Assert that CloudStack indeed provides CloudStack API Unauthenticated Access through port 8096
3. Assert that the global configuration `integration.api.port` is set by default as 8096
[GitHub] [cloudstack] GabrielBrascher commented on issue #3450: Port 8096 allows unauthenticated access from any IP.
URL: https://github.com/apache/cloudstack/issues/3450#issuecomment-507733006

I agree with you both @rhtyd @onitake.

Considering the risks involved, I see some quick and easy ways to mitigate some security issues: (i) improve documentation, and (ii) add warning logs when the port is enabled stating the risks; thus, only those who need the port to be open will leave it.
[GitHub] [cloudstack] GabrielBrascher commented on issue #3450: Port 8096 allows unauthenticated access from any IP.
URL: https://github.com/apache/cloudstack/issues/3450#issuecomment-507714026

@onitake I agree, I have seen some gray lines on this implementation as well. However, it is possible to disable it by setting it as 0 (_zero_). I tested it myself prior to closing this issue. The fact that it was configured by default with 8096 concerns me (ACS deployed via deb packages on Ubuntu).

@onitake we might need to take a closer look at the documentation and eventually update it.

@rhtyd @PaulAngus @andrijapanic @borisstoyanov is this port really needed to stay open for testing purposes, or could we leave it bound to 127.0.0.1, performing such tests inside the ACS management node?
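
A check a management-node operator could run for the condition discussed in this thread (a listener on the `integration.api.port` default, 8096, bound to something other than loopback). This is an added example, not part of the thread or of CloudStack's code; it assumes `ss -ltn` output as input, the sample text is constructed, and the function names are hypothetical.

```python
import ipaddress

INTEGRATION_PORT = 8096  # default value of integration.api.port in the thread

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       50      *:8096              *:*
LISTEN  0       128     127.0.0.1:3306      0.0.0.0:*
LISTEN  0       50      [::1]:8096          [::]:*
LISTEN  0       50      192.0.2.10:8096     0.0.0.0:*
LISTEN  0       50      [::]:8080           [::]:*
"""


def split_local(field):
    """Split an ss 'Local Address:Port' field into (address, port) strings."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%", 1)[0]  # drop brackets and %iface scope
    return addr, port


def is_loopback(addr):
    """True only for loopback addresses; wildcard binds count as exposed."""
    if addr in ("*", ""):
        return False
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # e.g. ::ffff:127.0.0.1
    return (mapped or ip).is_loopback


def exposed_listeners(ss_output, port=INTEGRATION_PORT):
    """Return local addresses listening on `port` that are reachable off-host."""
    found = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, lport = split_local(cols[3])
        if lport == str(port) and not is_loopback(addr):
            found.append(addr)
    return found


if __name__ == "__main__":
    for addr in exposed_listeners(SAMPLE_SS):
        print(f"port {INTEGRATION_PORT} is listening on {addr}: reachable from other hosts")
```

An empty result means the port is either disabled or bound only to loopback; any returned address is one from which the unauthenticated API can be reached over the network unless a firewall blocks it.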
[GitHub] [cloudstack] GabrielBrascher commented on issue #3450: Port 8096 allows unauthenticated access from any IP.
URL: https://github.com/apache/cloudstack/issues/3450#issuecomment-507682112

Closing this issue. However, I think that port 8096 is not disabled by default, at least on ACS environments deployed via deb packages.

Thanks for the feedback, @rhtyd.