cloudstack-issues mailing list archives

From "Nux (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (CLOUDSTACK-5494) the dns resolver servers on the VRs are open to the world
Date Tue, 24 Jun 2014 13:52:24 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-5494?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14042114#comment-14042114 ]

Nux edited comment on CLOUDSTACK-5494 at 6/24/14 1:51 PM:
----------------------------------------------------------

This is still causing problems (received the other day complaints that my VR was used in a
DNS reflection attack). Here's a quick hack to "fix" it in ADV+SG zone (and likely in Basic
zone as well). Run this from the VR's rc.local:
http://pastebin.com/raw.php?i=6C53WUg3

(moved the commands in pastebin as confluence messed them up)


was (Author: nuxro):
This is still causing problems (received the other day complaints that my VR was used in a
DNS reflection attack). Here's a quick hack to "fix" it in ADV+SG zone (and likely in Basic
zone as well). Run this from the VR's rc.local:

# Allow DNS queries only from our public ranges; we determine these by taking the
# source field ($4) of the existing iptables rules for port 8080 access.
for i in $(iptables-save | grep 8080 | awk '{print $4}'); do
    iptables -I INPUT -s "$i" -p tcp -m tcp --dport 53 -j ACCEPT
    iptables -I INPUT -s "$i" -p udp -m udp --dport 53 -j ACCEPT
done
# Remove the rules that accept port 53 requests from everyone.
iptables -D INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
iptables -D INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT



> the dns resolver servers on the VRs are open to the world
> ---------------------------------------------------------
>
>                 Key: CLOUDSTACK-5494
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5494
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>    Affects Versions: 4.2.0, 4.3.0
>            Reporter: Wei Zhou
>            Assignee: Jayapal Reddy
>            Priority: Critical
>              Labels: security
>             Fix For: Future
>
>
> Currently port 53 (tcp and udp) on virtual routers is open, so everyone on the internet
> can visit the dns service on virtual routers. This may cause overload and security issues.
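The rc.local hack above derives the allowed ranges by grepping iptables-save for "8080" and trusting whatever lands in field 4. The script below is an added example, not code from this issue, from CloudStack or from the VR image: it takes an explicit list of allowed source ranges, validates each one before it is turned into a rule, inserts per-range ACCEPTs above a catch-all DROP for port 53 on the public-facing interface, and refuses to apply anything if a range fails validation. ALLOWED_DNS_SOURCES and DNS_PUBLIC_IF are assumed variable names, and the default ranges are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the CloudStack issue or from the VR image itself.
# Restricts the VR's port-53 resolver to an explicit list of source ranges and
# drops everything else arriving on the public-facing interface, so the
# resolver can no longer be used as a reflector. ALLOWED_DNS_SOURCES and
# DNS_PUBLIC_IF are assumed names; the default ranges are constructed samples.

ALLOWED_DNS_SOURCES="${ALLOWED_DNS_SOURCES:-10.1.1.0/24 192.0.2.0/24}"
DNS_PUBLIC_IF="${DNS_PUBLIC_IF:-eth0}"

# Accept only a dotted-quad address with an optional /prefix. Anything else
# (a chain name, an interface, a stray token from iptables-save) is rejected,
# which is the check the grep/awk approach lacks.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the iptables commands for the given ranges. Every command inserts at
# position 1, so the DROPs printed first end up below the ACCEPTs printed
# later, and both sit above any pre-existing accept-from-anywhere rule.
# Returns 1 (after printing the rules for the good ranges) if any argument
# was rejected.
dns_restrict_rules() {
    bad=0
    for proto in udp tcp; do
        printf 'iptables -I INPUT 1 -i %s -p %s --dport 53 -j DROP\n' \
            "$DNS_PUBLIC_IF" "$proto"
    done
    for cidr in "$@"; do
        if ! valid_cidr "$cidr"; then
            printf 'skipping invalid source range: %s\n' "$cidr" >&2
            bad=1
            continue
        fi
        for proto in udp tcp; do
            printf 'iptables -I INPUT 1 -i %s -s %s -p %s --dport 53 -j ACCEPT\n' \
                "$DNS_PUBLIC_IF" "$cidr" "$proto"
        done
    done
    return "$bad"
}

# Apply the generated commands, but only if every range validated: a partial
# rule set would silently lock out a legitimate range.
apply_dns_restriction() {
    rules="$(dns_restrict_rules "$@")" || {
        printf 'refusing to apply: invalid range in ALLOWED_DNS_SOURCES\n' >&2
        return 1
    }
    printf '%s\n' "$rules" | sh -e
}

# Dry run by default (prints the commands); pass --apply to install them.
# ALLOWED_DNS_SOURCES is deliberately unquoted so it splits into one range per word.
case "${1:-}" in
    --apply) apply_dns_restriction $ALLOWED_DNS_SOURCES ;;
    *)       dns_restrict_rules $ALLOWED_DNS_SOURCES ;;
esac
```

Run it without arguments first to review the commands it would issue, then with --apply from rc.local. Inserting a DROP for port 53 ahead of the existing chain means the accept-from-anywhere rule this issue describes no longer needs to be deleted by exact match, which is the step most likely to break when the rule's form changes between releases.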



--
This message was sent by Atlassian JIRA
(v6.2#6252)
