From 141fedd0a6e36992ff6977f496a92682f6281f4a Mon Sep 17 00:00:00 2001 From: sanket Date: Wed, 31 Jan 2024 22:52:28 +0530 Subject: [PATCH 1/4] warning for using localhost in security-best-practices --- docs/security-best-practices.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/security-best-practices.md b/docs/security-best-practices.md index f68fafe9a73..aac8ff71984 100644 --- a/docs/security-best-practices.md +++ b/docs/security-best-practices.md @@ -219,3 +219,22 @@ collection mechanisms that cannot natively be run by the Collector (e.g. FluentBit). Subprocesses expose a completely separate attack vector that would depend on the subprocess itself. In general, care should be taken before running any subprocesses alongside the Collector. + +### Localhost usage + +When setting up security or specifying network locations, people often use `localhost` Be cautious! In some setups, `localhost` might undergo DNS resolution and end up with an unexpected IP, risking security. + +Risk Alert: +If `localhost` resolves to a different IP due to DNS, your data might accidentally leak outside. + +How to Stay Safe: +Always use these IPs instead: +``` +IPv4: 127.0.0.1 +IPv6: ::1 +``` +IPv6 Reminder: +If you're using IPv6, make sure your system supports both IPv4 and IPv6 loopback addresses to avoid issues. + +Top Tip: +For clarity and safety, directly mention the IP (`127.0.0.1`) instead of relying only on `localhost`, especially in sensitive setups. Keep things consistent across different networks. From cb6af59a099c1407a49c2c97ed2c80dadf51c181 Mon Sep 17 00:00:00 2001 From: sanket Date: Thu, 1 Feb 2024 00:15:17 +0530 Subject: [PATCH 2/4] resolved the requested changes --- docs/security-best-practices.md | 33 +++++++++++++-------------------- 1 file changed, 13 insertions(+), 20 deletions(-) diff --git a/docs/security-best-practices.md b/docs/security-best-practices.md index aac8ff71984..cd552033dc5 100644 --- a/docs/security-best-practices.md 
+++ b/docs/security-best-practices.md @@ -150,6 +150,18 @@ For more information, see [CWE-1327](https://cwe.mitre.org/data/definitions/1327 To change the default endpoint to be `localhost`-bound in all components, enable the `component.UseLocalHostAsDefaultHost` feature gate. This feature gate will be enabled by default in the Collector in a future release. + +If `localhost` resolves to a different IP due to DNS then explicitly use these IPs instead: +``` +IPv4: 127.0.0.1 +IPv6: ::1 +``` +IPv6 Reminder: +In IPv6 setups, ensure your system supports both IPv4 and IPv6 loopback addresses to avoid issues. + +Best Practice: +For clarity and safety, consider explicitly mentioning the IP (`127.0.0.1`) instead of relying solely on `localhost`, especially in sensitive setups. Keep things consistent across different networks. + ## Processors Processors sit between receivers and exporters. They are responsible for 
@@ -218,23 +230,4 @@ Extensions may also be used to run subprocesses. This can be useful when collection mechanisms that cannot natively be run by the Collector (e.g. FluentBit). Subprocesses expose a completely separate attack vector that would depend on the subprocess itself. In general, care should be taken before -running any subprocesses alongside the Collector. - -### Localhost usage - -When setting up security or specifying network locations, people often use `localhost` Be cautious! In some setups, `localhost` might undergo DNS resolution and end up with an unexpected IP, risking security. - -Risk Alert: -If `localhost` resolves to a different IP due to DNS, your data might accidentally leak outside. - -How to Stay Safe: -Always use these IPs instead: -``` -IPv4: 127.0.0.1 -IPv6: ::1 -``` -IPv6 Reminder: -If you're using IPv6, make sure your system supports both IPv4 and IPv6 loopback addresses to avoid issues. - -Top Tip: -For clarity and safety, directly mention the IP (`127.0.0.1`) instead of relying only on `localhost`, especially in sensitive setups. Keep things consistent across different networks. +running any subprocesses alongside the Collector. \ No newline at end of file From 43550a8f832d1b7122336654a7699c640ea511e8 Mon Sep 17 00:00:00 2001 From: Sanket Teli <104385297+Sanket-0510@users.noreply.github.com> Date: Sun, 18 Feb 2024 23:16:28 +0000 Subject: [PATCH 3/4] its just an edge case --- docs/security-best-practices.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/security-best-practices.md b/docs/security-best-practices.md index cd552033dc5..3fb9183b54f 100644 --- a/docs/security-best-practices.md +++ b/docs/security-best-practices.md 
@@ -159,7 +159,6 @@ IPv6: ::1 IPv6 Reminder: In IPv6 setups, ensure your system supports both IPv4 and IPv6 loopback addresses to avoid issues. -Best Practice: For clarity and safety, consider explicitly mentioning the IP (`127.0.0.1`) instead of relying solely on `localhost`, especially in sensitive setups. Keep things consistent across different networks. ## Processors From 5fac17aa680ca5d5f667af5f792a46402dee04a0 Mon Sep 17 00:00:00 2001 From: Sanket Teli <104385297+Sanket-0510@users.noreply.github.com> Date: Wed, 6 Mar 2024 16:56:56 +0530 Subject: [PATCH 4/4] Update docs/security-best-practices.md Co-authored-by: Pablo Baeyens --- docs/security-best-practices.md | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/docs/security-best-practices.md b/docs/security-best-practices.md index 204b6f2329b..8c57d09ebc9 100644 --- a/docs/security-best-practices.md +++ b/docs/security-best-practices.md @@ -151,15 +151,7 @@ For more information, see [CWE-1327](https://cwe.mitre.org/data/definitions/1327 To change the default endpoint to be `localhost`-bound in all components, enable the `component.UseLocalHostAsDefaultHost` feature gate. This feature gate will be enabled by default in the Collector in a future release. -If `localhost` resolves to a different IP due to DNS then explicitly use these IPs instead: -``` -IPv4: 127.0.0.1 -IPv6: ::1 -``` -IPv6 Reminder: -In IPv6 setups, ensure your system supports both IPv4 and IPv6 loopback addresses to avoid issues. - -For clarity and safety, consider explicitly mentioning the IP (`127.0.0.1`) instead of relying solely on `localhost`, especially in sensitive setups. Keep things consistent across different networks. +If `localhost` resolves to a different IP due to your DNS settings then explicitly use the loopback IP instead: `127.0.0.1` for IPv4 or `::1` for IPv6. In IPv6 setups, ensure your system supports both IPv4 and IPv6 loopback addresses to avoid issues. ## Processors
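Review bot: in the 1/4 hunk the new `### Localhost usage` section is appended to the end of the Extensions text, directly after the subprocess paragraph, where it has no connection to the surrounding content; the file already covers `localhost`-bound endpoints and the `component.UseLocalHostAsDefaultHost` feature gate (visible as context at line 150 in the 2/4 hunk), and the guidance should sit there. The first sentence also runs two sentences together, `people often use `localhost` Be cautious!`, and needs a full stop before `Be cautious!`; the `Risk Alert:` / `How to Stay Safe:` / `Top Tip:` labels read like promotional copy rather than the plain paragraphs used elsewhere in this document.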
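Review bot: in the first 2/4 hunk, `ensure your system supports both IPv4 and IPv6 loopback addresses to avoid issues` does not say what the issue is; state it concretely: a listener bound to `127.0.0.1` only accepts IPv4 connections and one bound to `::1` only accepts IPv6, so a client whose `localhost` resolves to the other address family will fail to connect. The fenced block listing `IPv4: 127.0.0.1` / `IPv6: ::1` is not configuration and would read better as an inline sentence, which is what 4/4 eventually does.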
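Review bot: the second 2/4 hunk drops the file's trailing newline (`\ No newline at end of file` on the last `+` line) while removing the old section; keep `running any subprocesses alongside the Collector.` terminated with a newline so the file ends cleanly and later diffs do not show a spurious change on that line.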
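Review bot: the 3/4 hunk removes the `Best Practice:` label but leaves a paragraph that restates the sentence introducing the IP list (`explicitly use these IPs instead` versus `consider explicitly mentioning the IP (`127.0.0.1`) instead of relying solely on `localhost``); merge the two into one statement rather than keeping both. The commit subject `its just an edge case` should read `it's just an edge case`.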
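Review bot: the 4/4 patch carries `index 204b6f2329b..8c57d09ebc9`, but 3/4 left the file at blob `3fb9183b54f`, so this patch was generated against a different base and will not apply in sequence on top of 3/4; regenerate the series from a single base before merging. In the collapsed sentence, `explicitly use the loopback IP instead: `127.0.0.1` for IPv4 or `::1` for IPv6` is the right content, and the trailing clause about supporting both loopback addresses would be clearer if it said why: binding to one family makes the endpoint unreachable over the other.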