VPN for control plane traffic

CaveJohnson

Has a VPN for control plane services been considered? Eg a wireguard tunnel between two servers that ports for services like mysql are exposed to.

This would greatly increase the security of Enhance compared to having these ports exposed directly to the internet. A quick nmap scan of one of my servers shows a lot of exposed ports and services.

Whilst the services are secured, if there is a 0-day level exploit released, these services will be easily discoverable (ie shodan.io)

JohnB

CaveJohnson A VPN port could also suffer from a exploit.

Just use firewall rules to block access to all ports except web traffic and allow all to/from control server.

CaveJohnson

Yes, a VPN can also suffer from an exploit - however this greatly reduces the attack surface. Additionally its a defence in depth approach, you exploit the single VPN point that is exposed, you still need to compromise the services carried over it.

Its partly why service meshes are so popular on kubernetes now (eg cilium, calico etc)

Adam

We're adding an option to specify a separate IP for internal communications. This could be a private network or a VPN/tunnel of some kind.

All Enhance RPC services use mutual TLS, an exploit would be very difficult as it's not even possible to initiate a connection without a trusted client certificate.

xyzulu

Adam We're adding an option to specify a separate IP for internal communications

Not before control server replication I hope 😎

CaveJohnson

Adam Great to hear and good to know the mTLS is used.

My main concern at this point is the mysql port exposed over the internet,

xyzulu

CaveJohnson My main concern at this point is the mysql port exposed over the internet,

Block it like we do. You only need to open between your own servers (for website transfers) if you don't access MySQL remotely.

CaveJohnson

xyzulu I have currently blocked it - is there a reason that its exposed by default?

JohnB

CaveJohnson Very common in shared hosting. Since all the mysql users are restricted by IP its common to leave it open and trust that an up to date MySql instance doesn't have a vulnerability. This lets customers connect to their databaes without tunneling as well. They just create a user@IPAddress and can login.

I don't like this either and don't give customers this access, so I block the port. In the future when enhance handles the firewall as well I imagine they can block the port and if a customer creates a mysql user it adds an exception for that IP.

I would encourage you to adopt this approach: block ALL ports as your default firewall rule. Allow SSH port for specific IPs obviously. Then add port 80, 443 and any email or other ports you want open. Lastly allow all to/from enhance control server.

CaveJohnson

JohnB makes much more sense to me to have this disabled by default and enabled through an option toggle with warnings.

(My background is security so this kind of thing that catches my eye quite easily)

xyzulu

CaveJohnson more sense to me to have this disabled by default and enabled

I prefer to always mange this myself via a firewall above the server.

JohnB

CaveJohnson I don't disagree and the option you describe would be better. You could create a feature request.

But its not really a security issue if the server behind a firewall

cosmoshosting

Agree with the consensus, this is something that should managed with firewalls independent of Enhance.

Management ports should never be exposed to the internet, both at a external firewall and OS firewall level.
All traffic between the servers and controllers should be authenticated with a certificate and be encrypted already
Enhance needs some automatic warning and firewall policy to warn if ports are exposed to the open internet and have a default policy to whitelist through only those IP's within its cluster, block others.

As to MYSQL, this should never ever be exposed to the open internet on a a shared hosting server, if at ever. To big a risk. It should be whitelisted to static IP addresses on request and firewall rule tracked in either a spreadsheet or documentation.