
Do not open ports in the world - you will be broken (risks)



Again and again, after an audit, my recommendation to hide ports behind a white-list runs into a wall of incomprehension. Even very good admins / DevOps ask: "Why?!?"


I propose to go through the risks in descending order of likelihood and damage.


  1. Configuration error
  2. DDoS over IP
  3. Brute force
  4. Service Vulnerabilities
  5. Kernel stack vulnerabilities
  6. DDoS amplification

Configuration error


The most typical and the most dangerous situation. Here is how it happens. A developer needs to test a hypothesis quickly, so he brings up a temporary server with mysql / redis / mongodb / elastic. The password is complex, of course, and he uses it everywhere. He opens the service to the world, because it is convenient to connect from his PC without any VPN. He is too lazy to recall the iptables syntax anyway, the server is temporary. A couple of days of development, it turns out great, you can show it to the customer. The customer likes it; there is no time to redo it;


The example is deliberately exaggerated so as to step on every rake at once:


  1. Nothing is more permanent than temporary. I do not like this phrase, but by my subjective feeling 20-40% of such temporary servers stay around for a long time.
  2. A complex universal password used in many services is evil, because one of the services where it was used may have been hacked. One way or another, the databases of hacked services flow into the one that is used for brute force *.
    It should be added that redis, mongodb and elastic are, right after installation, reachable without any authentication at all, and regularly replenish the collection of open databases.
  3. It may seem that in a couple of days nobody will find your port 3306. That is a delusion! Masscan is an excellent scanner that can scan at 10M ports per second, and there are only 4 billion IPv4 addresses on the Internet. So every port 3306 on the Internet is scanned in 7 minutes. Carl!!! Seven minutes!
    "But who needs that?" you will object. And yet I am surprised every time I look at the dropped-packet statistics: where do 40 thousand scan attempts from 3 thousand unique IPs in a single day come from? Nowadays everyone and their dog is scanning, from script kiddies to governments. It is very simple to check: take any VPS for $3-5 from any ** low-cost provider, turn on logging of dropped packets and look at the log a day later.

Enable logging

In /etc/iptables/rules.v4 add at the end:
-A INPUT -j LOG --log-prefix "[FW - ALL]" --log-level 4


And in /etc/rsyslog.d/10-iptables.conf:
:msg, contains, "[FW -" /var/log/iptables.log
& stop
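To turn the resulting /var/log/iptables.log into the "N attempts from M unique IPs" figure mentioned above, here is an added example (not from the article) that parses the kernel LOG lines written by the rule above; the sample log lines are constructed, and the file path is the one configured in the rsyslog snippet.

```python
import re
import sys
from collections import Counter

# Constructed sample lines (not from the article) in the shape rsyslog writes for
# the kernel LOG target above: the prefix "[FW - ALL]" is followed directly by IN=.
SAMPLE_LOG = """\
Apr  3 00:01:12 vps kernel: [FW - ALL]IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TTL=241 ID=54321 PROTO=TCP SPT=41234 DPT=3306 WINDOW=1024 SYN URGP=0
Apr  3 00:01:13 vps kernel: [FW - ALL]IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TTL=241 ID=54322 PROTO=TCP SPT=41234 DPT=6379 WINDOW=1024 SYN URGP=0
Apr  3 00:02:40 vps kernel: [FW - ALL]IN=eth0 OUT= SRC=192.0.2.55 DST=203.0.113.10 LEN=40 TTL=52 ID=1 PROTO=TCP SPT=55555 DPT=3306 WINDOW=65535 SYN URGP=0
Apr  3 00:03:05 vps kernel: [FW - ALL]IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.10 LEN=32 TTL=60 ID=7 PROTO=UDP SPT=5000 DPT=11211 LEN=12
Apr  3 00:03:06 vps sshd[1234]: Accepted publickey for ops from 203.0.113.200 port 50000 ssh2
"""

FW_LINE = re.compile(r"\[FW - (?P<chain>[^\]]*)\](?P<fields>.*)")

def parse_line(line):
    """Return the KEY=VALUE fields of one firewall LOG line, or None for any other syslog line."""
    m = FW_LINE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("fields")))
    fields["chain"] = m.group("chain").strip()
    return fields

def summarize(log_text, top=5):
    """Count dropped packets, unique source IPs and the most-probed destination ports."""
    attempts = 0
    sources = Counter()
    ports = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or "SRC" not in f:
            continue
        attempts += 1
        sources[f["SRC"]] += 1
        if "DPT" in f:
            ports[(f.get("PROTO", "?"), int(f["DPT"]))] += 1
    return {
        "attempts": attempts,
        "unique_sources": len(sources),
        "top_sources": sources.most_common(top),
        "top_ports": ports.most_common(top),
    }

if __name__ == "__main__":
    # Pass /var/log/iptables.log as the argument to analyse a real day's log.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarize(text)
    print(f"{s['attempts']} dropped packets from {s['unique_sources']} unique IPs, top ports: {s['top_ports']}")
```

The top_ports list is the interesting part: on an unfiltered VPS it is dominated by exactly the database and admin ports the article lists.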


DDoS over IP


If an attacker knows your IP, he can take your server offline for several hours or days. Not all low-cost hosters have DDoS protection, and your server will simply be disconnected from the network. If you have hidden the server behind a CDN, do not forget to change its IP, otherwise the attacker will look up the old one and DDoS your server directly, bypassing the CDN (a very common mistake).


Service Vulnerabilities


Sooner or later bugs are found in all popular software, even the most tested and most critical. Among infosec people there is a half-joke: the security of an infrastructure can be judged reliably by the date of its last update. If your infrastructure is rich in ports sticking out into the world and you have not updated it for a year, any security person will tell you without looking that it is full of holes and has most likely already been hacked.
It is also worth mentioning that every known vulnerability was once unknown. Imagine an attacker who found such a vulnerability and scanned the whole Internet for it in 7 minutes... there is your next worm epidemic. "We need to update, but updates can break the product," you say. And you would be right, if the packages are not installed from the official OS repositories. In my experience, updates from the official repository rarely break production.


Brute force


As described above, there is a database of half a billion passwords, including every pattern that is convenient to type on a keyboard. In other words, if you did not generate your password but typed adjacent keys, be sure * that it will be cracked.


Kernel stack vulnerabilities


It also happens **** that it does not matter at all which service opens the port, because the kernel's network stack itself is vulnerable. Then absolutely any tcp / udp socket on a system that is two years out of date is exposed to bugs leading to DDoS.


DDoS amplification


It will not damage you directly, but it can saturate your link, raise the load on the system, land your IP on some black-list *****, and bring an abuse complaint from the hoster.


Do you really need all these risks? Add your home and office IPs to the white-list. Even if one is dynamic, log in to the hoster's admin panel or web console and simply add one more.


I have been building and protecting IT infrastructure for 15 years, and I have worked out a rule that I highly recommend to everyone: not a single port should stick out into the world without a white-list.


For example, the most secure web server *** is the one with 80 and 443 open only to the CDN / WAF. And the service ports (ssh, netdata, bacula, phpmyadmin) should be at least behind a white-list, and better still behind a VPN. Otherwise you risk being compromised.
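One way to turn that rule into a concrete /etc/iptables/rules.v4, as an added example that is not from the article: every admin IP, service port and CDN range below is a constructed placeholder, and world_open_rules() is a small audit check that flags ACCEPT rules with no source restriction, i.e. exactly the ports sticking out into the world.

```python
# Constructed example values (not from the article): replace with your own.
ADMIN_WHITELIST = ["203.0.113.200/32", "198.51.100.0/24"]  # home and office IPs
SERVICE_PORTS = [22, 3306, 19999]                           # ssh, mysql, netdata
CDN_RANGES = ["192.0.2.0/24"]                               # egress ranges of the CDN / WAF

def render_rules(whitelist, service_ports, cdn_ranges):
    """Build an iptables-restore 'filter' table: INPUT policy DROP, service ports
    reachable only from the whitelist, 80/443 only from the CDN, and the LOG
    rule from the article as the last rule so every dropped packet is recorded."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src in whitelist:
        for port in service_ports:
            lines.append(f"-A INPUT -s {src} -p tcp --dport {port} -j ACCEPT")
    for src in cdn_ranges:
        lines.append(f"-A INPUT -s {src} -p tcp -m multiport --dports 80,443 -j ACCEPT")
    lines.append('-A INPUT -j LOG --log-prefix "[FW - ALL]" --log-level 4')
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"

def world_open_rules(rules_text):
    """Audit check: ACCEPT rules on INPUT with no -s source restriction, i.e. ports
    open to the whole world. Loopback and the conntrack rule are exempt."""
    hits = []
    for line in rules_text.splitlines():
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line:
            continue
        if " -s " in line or " -i lo " in line or "--ctstate" in line:
            continue
        hits.append(line)
    return hits

# The "temporary server" from the article: mysql opened to everyone.
SLOPPY_RULES = "*filter\n-A INPUT -p tcp --dport 3306 -j ACCEPT\nCOMMIT\n"

if __name__ == "__main__":
    print(render_rules(ADMIN_WHITELIST, SERVICE_PORTS, CDN_RANGES))
    print("world-open:", world_open_rules(SLOPPY_RULES))
```

Run world_open_rules() over an existing rules.v4 to find what is currently exposed before replacing it; the conntrack rule keeps replies to the server's own outbound connections flowing under the DROP policy.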


That's all I wanted to say. Keep your ports closed!






Source: https://habr.com/ru/post/446772/

