Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Redis: listen on localhost by default #100192

Closed
nh2 opened this issue Oct 11, 2020 · 2 comments · Fixed by #100195
Closed

Redis: listen on localhost by default #100192

nh2 opened this issue Oct 11, 2020 · 2 comments · Fixed by #100195
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS

Comments

@nh2
Copy link
Contributor

nh2 commented Oct 11, 2020

The redis service module listens on all interfaces by default (I found it via simple-nixos-mailserver which inherits nixpkgs' default):

bind = mkOption {
type = with types; nullOr str;
default = null; # All interfaces
description = "The IP interface to bind to.";
example = "127.0.0.1";
};

I think that is bad, because that is an insecure configuration. Because many people get owned by that, Redis has a protection against it; without further configuration, connecting to the listening port via TCP, it outputs:

-DENIED Redis is running in protected mode because protected mode is enabled, no bind address was specified, no authentication password is requested to clients. In this mode connections are only accepted from the loopback interface. If you want to connect from external computers to Redis you may adopt one of the following solutions: 1) Just disable protected mode sending the command 'CONFIG SET protected-mode no' from the loopback interface by connecting to Redis from the same host the server is running, however MAKE SURE Redis is not publicly accessible from internet if you do so. Use CONFIG REWRITE to make this change permanent. 2) Alternatively you can just disable the protected mode by editing the Redis configuration file, and setting the protected mode option to 'no', and then restarting the server. 3) If you started the server manually just for testing, restart it with the '--protected-mode no' option. 4) Setup a bind address or an authentication password. NOTE: You only need to do one of the above things in order for the server to start accepting connections from the outside.

But it's still listening on the port.

This has been that way for 7 yeas since the module was added in 6b4d76c by @zefhemel.

I think many NixOS modules that define services which are usually used unauthenticated by now make them only listen to 127.0.0.1 by default.

So I think we should do that with the redis module as well.


CC recent service module committers @Mic92 @JJJollyjim @flokli @peti @bjornfor @polynomial @offlinehacker

CC simple-nixos-mailserver contributors @r-raymond @phdoerfler @nlewo @eqyiel

@nh2
Copy link
Contributor Author

nh2 commented Oct 11, 2020

Evindence that pretty much all other DB servers listen to 127.0.0.1 by default in NixOS:

memcached

listen = mkOption {
default = "127.0.0.1";
description = "The IP address to bind to";
};

postgresql

enableTCPIP = mkOption {
type = types.bool;
default = false;
description = ''
Whether PostgreSQL should listen on all network interfaces.
If disabled, the database can only be accessed via its Unix
domain socket or via TCP connections to localhost.
'';
};

neo4j

defaultListenAddress = mkOption {
type = types.str;
default = "127.0.0.1";

couchdb

bindAddress = mkOption {
type = types.str;
default = "127.0.0.1";

mongodb

bind_ip = mkOption {
default = "127.0.0.1";
description = "IP to bind to";
};

influxdb

bindAddr = (ba: if hasPrefix ":" ba then "127.0.0.1${ba}" else "${ba}")(toString configOptions.http.bind-address);

cassandra

bindAddr = (ba: if hasPrefix ":" ba then "127.0.0.1${ba}" else "${ba}")(toString configOptions.http.bind-address);

cockroachdb

addressOption = descr: defaultPort: {
address = mkOption {
type = types.str;
default = "localhost";
description = "Address to bind to for ${descr}";
};

@nh2
Copy link
Contributor Author

nh2 commented Oct 11, 2020

Fix in PR #100195.

@veprbl veprbl added the 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS label Oct 11, 2020
nh2 added a commit to nh2/nixpkgs that referenced this issue Nov 8, 2020
All other database servers in NixOS also use this safe-by-default setting.
nh2 added a commit to nh2/nixpkgs that referenced this issue Nov 1, 2021
In general, NixOS services are configured such that by default
they are not exposed to the Internet for security, see NixOS#100192.
erictapen pushed a commit that referenced this issue Nov 1, 2021
In general, NixOS services are configured such that by default
they are not exposed to the Internet for security, see #100192.
@dotlambda dotlambda mentioned this issue Feb 15, 2023
13 tasks
mitchmindtree pushed a commit to mitchmindtree/nixpkgs that referenced this issue Jul 2, 2023
nh2 added a commit to nh2/nixpkgs that referenced this issue Nov 10, 2023
The setting

    QEMU_NET_OPTS="hostfwd=tcp::2222-:22"

caused the VM's port 2222 to be advertised on the host as
`0.0.0.0:2222`, thus anybody in the local network of the host
could SSH into the VM.
Instead, port-forward to localhost only.

Use `127.0.0.1` also on the VM side, otherwise connections to
services that, in the VM, bind to `127.0.0.1` only
(doing the safe approach) do not work.

See e.g. NixOS#100192
for more info why localhost listening is the best default.
Mic92 pushed a commit that referenced this issue Nov 10, 2023
The setting

    QEMU_NET_OPTS="hostfwd=tcp::2222-:22"

caused the VM's port 2222 to be advertised on the host as
`0.0.0.0:2222`, thus anybody in the local network of the host
could SSH into the VM.
Instead, port-forward to localhost only.

Use `127.0.0.1` also on the VM side, otherwise connections to
services that, in the VM, bind to `127.0.0.1` only
(doing the safe approach) do not work.

See e.g. #100192
for more info why localhost listening is the best default.
@nh2 nh2 mentioned this issue Oct 16, 2024
13 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants