Redis: listen on localhost by default #100192
Comments
Evidence that pretty much all other DB servers listen to:

- memcached: nixpkgs/nixos/modules/services/databases/memcached.nix, lines 28 to 31 in 7badbf1
- postgresql: nixpkgs/nixos/modules/services/databases/postgresql.nix, lines 184 to 192 in 7badbf1
- neo4j: nixpkgs/nixos/modules/services/databases/neo4j.nix, lines 154 to 156 in 7badbf1
- couchdb: nixpkgs/nixos/modules/services/databases/couchdb.nix, lines 108 to 110 in 7badbf1
- mongodb: nixpkgs/nixos/modules/services/databases/mongodb.nix, lines 48 to 51 in 7badbf1
- influxdb
- cassandra
- cockroachdb: nixpkgs/nixos/modules/services/databases/cockroachdb.nix, lines 36 to 41 in 7badbf1
Fix in PR #100195.
All other database servers in NixOS also use this safe-by-default setting.
In general, NixOS services are configured such that by default they are not exposed to the Internet for security, see NixOS#100192.
The setting QEMU_NET_OPTS="hostfwd=tcp::2222-:22" caused the VM's port 2222 to be advertised on the host as `0.0.0.0:2222`, thus anybody in the local network of the host could SSH into the VM. Instead, port-forward to localhost only. Use `127.0.0.1` also on the VM side, otherwise connections to services that, in the VM, bind to `127.0.0.1` only (doing the safe approach) do not work. See e.g. NixOS#100192 for more info why localhost listening is the best default.
The redis service module listens on all interfaces by default (I found it via simple-nixos-mailserver, which inherits nixpkgs' default):

nixpkgs/nixos/modules/services/databases/redis.nix, lines 88 to 93 in 10acf9a

I think that is bad, because that is an insecure configuration. Because many people get owned by that, Redis has a protection against it; without further configuration, connecting to the listening port via TCP, it outputs:

But it's still listening on the port.

This has been that way for 7 years, since the module was added in 6b4d76c by @zefhemel.

I think many NixOS modules that define services which are usually used unauthenticated by now make them only listen to `127.0.0.1` by default. So I think we should do that with the `redis` module as well.

CC recent service module committers @Mic92 @JJJollyjim @flokli @peti @bjornfor @polynomial @offlinehacker

CC simple-nixos-mailserver contributors @r-raymond @phdoerfler @nlewo @eqyiel
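As an added example (not part of this issue, nor nixpkgs code): a small check an operator can run on a NixOS host to spot services that ended up bound to all interfaces instead of loopback, the situation the issue describes. It parses `ss -ltn` style output; the sample lines below are constructed, with port 6379 (Redis) and 2222 (the QEMU forward) used purely as illustration.

```python
"""Flag listening TCP sockets bound to all interfaces, from `ss -ltn` output."""
import subprocess

# Constructed sample in the shape of `ss -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       511     0.0.0.0:6379         0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       511     [::]:6379            [::]:*
LISTEN  0       128     [::1]:11211          [::]:*
LISTEN  0       128     *:2222               *:*
"""

WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}   # ss spellings of "every interface"
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}


def parse_local_addr(field):
    """Split an ss 'Local Address:Port' field into (address, port); handles [v6]:port."""
    if field.startswith("["):
        addr, _, port = field[1:].partition("]:")
    else:
        addr, _, port = field.rpartition(":")
    return addr, int(port)


def parse_ss_listen(text):
    """Return (address, port) for every LISTEN row, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "LISTEN":
            rows.append(parse_local_addr(parts[3]))
    return rows


def classify(addr):
    if addr in WILDCARD_ADDRS:
        return "all-interfaces"
    if addr in LOOPBACK_ADDRS or addr.startswith("127."):
        return "loopback"
    return "specific"


def exposed_ports(text):
    """Sorted (port, address) pairs reachable from any interface, i.e. worth reviewing."""
    return sorted({(p, a) for a, p in parse_ss_listen(text) if classify(a) == "all-interfaces"})


if __name__ == "__main__":
    live = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    for port, addr in exposed_ports(live):
        print(f"port {port} listens on {addr} (all interfaces)")
```

Running the module directly queries the live host; importing it lets you apply `exposed_ports` to saved `ss` output from several machines.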