
Redis: listen on localhost by default #100192

Closed
nh2 opened this issue Oct 11, 2020 · 2 comments · Fixed by #100195

Comments

@nh2
Contributor

nh2 commented Oct 11, 2020

The redis service module listens on all interfaces by default (I found it via simple-nixos-mailserver which inherits nixpkgs' default):

bind = mkOption {
type = with types; nullOr str;
default = null; # All interfaces
description = "The IP interface to bind to.";
example = "127.0.0.1";
};

I think that is bad, because that is an insecure configuration. Because many people get owned by that, Redis has a protection against it; without further configuration, connecting to the listening port via TCP, it outputs:

-DENIED Redis is running in protected mode because protected mode is enabled, no bind address was specified, no authentication password is requested to clients. In this mode connections are only accepted from the loopback interface. If you want to connect from external computers to Redis you may adopt one of the following solutions: 1) Just disable protected mode sending the command 'CONFIG SET protected-mode no' from the loopback interface by connecting to Redis from the same host the server is running, however MAKE SURE Redis is not publicly accessible from internet if you do so. Use CONFIG REWRITE to make this change permanent. 2) Alternatively you can just disable the protected mode by editing the Redis configuration file, and setting the protected mode option to 'no', and then restarting the server. 3) If you started the server manually just for testing, restart it with the '--protected-mode no' option. 4) Setup a bind address or an authentication password. NOTE: You only need to do one of the above things in order for the server to start accepting connections from the outside.

But it's still listening on the port.

This has been that way for 7 years since the module was added in 6b4d76c by @zefhemel.

I think many NixOS modules that define services which are usually used unauthenticated by now make them only listen to 127.0.0.1 by default.

So I think we should do that with the redis module as well.


CC recent service module committers @Mic92 @JJJollyjim @flokli @peti @bjornfor @polynomial @offlinehacker

CC simple-nixos-mailserver contributors @r-raymond @phdoerfler @nlewo @eqyiel
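To make the "still listening on the port" point checkable, here is an added audit script (it is not part of nixpkgs, Redis or this issue). It parses a redis.conf fragment and classifies the TCP listener it would create. The Redis semantics it assumes are the ones stated in the protected-mode message quoted above: protected mode only engages when there is no `bind` line and no `requirepass`, and even then the socket is open on every interface. The sample configs at the bottom are constructed for the example.

```python
# Added example (not from nixpkgs or the issue): audit a redis.conf for the
# "open port on all interfaces" condition discussed in the issue.
# Assumed Redis semantics (from the protected-mode message quoted above):
# protected mode engages only when there is no `bind` and no `requirepass`.
import ipaddress


def parse_redis_conf(text):
    """Map each directive (lower-cased) to its argument list; last one wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf[parts[0].lower()] = parts[1:]
    return conf


def is_loopback_only(addrs):
    """True if every `bind` address is a loopback address."""
    for addr in addrs:
        addr = addr.lstrip("-")  # leading '-' = "don't fail if address is absent"
        if addr == "*":
            return False
        if addr == "localhost":
            continue
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                return False
        except ValueError:  # hostnames or anything else: assume reachable
            return False
    return True


def assess(conf_text):
    """Return (severity, reason) for the TCP listener this config creates."""
    conf = parse_redis_conf(conf_text)
    bind = conf.get("bind") or []                      # [] = no bind line
    protected = (conf.get("protected-mode") or ["yes"])[0].lower() == "yes"
    has_password = bool(conf.get("requirepass"))
    port = int((conf.get("port") or ["6379"])[0])

    if port == 0:
        return ("ok", "TCP listener disabled (port 0)")
    if bind and is_loopback_only(bind):
        return ("ok", "TCP listener bound to loopback only: " + " ".join(bind))
    # From here on the port is reachable from other hosts.
    if has_password:
        return ("warn", "reachable from non-loopback addresses; "
                        "clients must authenticate")
    if not bind and protected:
        return ("warn", "no bind address: port open on all interfaces, "
                        "protected mode refuses commands from remote clients")
    return ("critical", "unauthenticated Redis reachable from "
                        "non-loopback addresses")


# Constructed sample configs (not real deployments).
NIXPKGS_DEFAULT = "port 6379\n# no bind line: listens on every interface\n"
LOOPBACK = "port 6379\nbind 127.0.0.1 -::1\n"
WIDE_OPEN = "port 6379\nbind 0.0.0.0\nprotected-mode no\n"

if __name__ == "__main__":
    for name, text in [("nixpkgs default", NIXPKGS_DEFAULT),
                       ("loopback", LOOPBACK), ("wide open", WIDE_OPEN)]:
        print(f"{name:16} {assess(text)}")
```

The nixpkgs default (no `bind` line) comes out as "warn", not "ok": protected mode rejects commands from remote clients, but the port is still open, which is exactly what a port scan of the host will show.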

@nh2
Contributor Author

nh2 commented Oct 11, 2020

Evidence that pretty much all other DB servers listen to 127.0.0.1 by default in NixOS:

memcached

listen = mkOption {
default = "127.0.0.1";
description = "The IP address to bind to";
};

postgresql

enableTCPIP = mkOption {
type = types.bool;
default = false;
description = ''
Whether PostgreSQL should listen on all network interfaces.
If disabled, the database can only be accessed via its Unix
domain socket or via TCP connections to localhost.
'';
};

neo4j

defaultListenAddress = mkOption {
type = types.str;
default = "127.0.0.1";

couchdb

bindAddress = mkOption {
type = types.str;
default = "127.0.0.1";

mongodb

bind_ip = mkOption {
default = "127.0.0.1";
description = "IP to bind to";
};

influxdb

bindAddr = (ba: if hasPrefix ":" ba then "127.0.0.1${ba}" else "${ba}")(toString configOptions.http.bind-address);

cassandra

bindAddr = (ba: if hasPrefix ":" ba then "127.0.0.1${ba}" else "${ba}")(toString configOptions.http.bind-address);

cockroachdb

addressOption = descr: defaultPort: {
address = mkOption {
type = types.str;
default = "localhost";
description = "Address to bind to for ${descr}";
};

@nh2
Contributor Author

nh2 commented Oct 11, 2020

Fix in PR #100195.

nh2 added a commit to nh2/nixpkgs that referenced this issue Nov 8, 2020
All other database servers in NixOS also use this safe-by-default setting.
nh2 added a commit to nh2/nixpkgs that referenced this issue Nov 1, 2021
In general, NixOS services are configured such that by default
they are not exposed to the Internet for security, see NixOS#100192.
erictapen pushed a commit that referenced this issue Nov 1, 2021
nh2 added a commit to nh2/nixpkgs that referenced this issue Aug 28, 2022
dotlambda mentioned this issue Feb 15, 2023
mitchmindtree pushed a commit to mitchmindtree/nixpkgs that referenced this issue Jul 2, 2023
nh2 added a commit to nh2/nixpkgs that referenced this issue Nov 10, 2023
The setting

    QEMU_NET_OPTS="hostfwd=tcp::2222-:22"

caused the VM's port 2222 to be advertised on the host as
`0.0.0.0:2222`, thus anybody in the local network of the host
could SSH into the VM.
Instead, port-forward to localhost only.

Use `127.0.0.1` also on the VM side, otherwise connections to
services that, in the VM, bind to `127.0.0.1` only
(doing the safe approach) do not work.

See e.g. NixOS#100192
for more info why localhost listening is the best default.
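The same "empty address means every interface" default shows up in the QEMU hostfwd rule above. As an added example (not from nixpkgs, QEMU or the commit), the following script parses hostfwd rules of the form `hostfwd=[tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport`, flags those whose host side is reachable from other machines, and rewrites a rule to the localhost-only form the commit switched to. Treating an empty protocol field as `tcp` is an assumption of this example.

```python
# Added example (not from nixpkgs, QEMU or the commit above): check QEMU
# user-mode networking hostfwd rules for host-side exposure.
# Assumed rule syntax: hostfwd=[tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport
import ipaddress


def parse_hostfwd(spec):
    """Split a hostfwd rule into its fields; empty fields mean QEMU defaults."""
    rule = spec[len("hostfwd="):] if spec.startswith("hostfwd=") else spec
    host_part, guest_part = rule.split("-", 1)
    host_fields = host_part.split(":")
    if len(host_fields) != 3:
        raise ValueError(f"malformed host side in {spec!r}")
    proto, hostaddr, hostport = host_fields
    guestaddr, guestport = guest_part.split(":", 1)
    return {
        "proto": proto or "tcp",   # assumption: empty protocol means tcp
        "hostaddr": hostaddr,      # "" = QEMU default, i.e. 0.0.0.0
        "hostport": int(hostport),
        "guestaddr": guestaddr,    # "" = first DHCP address inside the guest
        "guestport": int(guestport),
    }


def is_host_exposed(rule):
    """True if the host-side socket is reachable from other machines."""
    addr = rule["hostaddr"]
    if addr == "":
        return True  # the default bind address is every interface
    return not ipaddress.ip_address(addr).is_loopback


def to_localhost(spec):
    """Rewrite a rule so host and guest sides both use 127.0.0.1,
    mirroring the change made in the commit above."""
    r = parse_hostfwd(spec)
    return (f"hostfwd={r['proto']}:127.0.0.1:{r['hostport']}"
            f"-127.0.0.1:{r['guestport']}")


def audit(net_opts):
    """Return the hostfwd rules in a QEMU_NET_OPTS value whose host side
    is exposed to the network."""
    return [part for part in net_opts.split(",")
            if part.startswith("hostfwd=")
            and is_host_exposed(parse_hostfwd(part))]


if __name__ == "__main__":
    # Constructed value (the rule from the commit message above).
    opts = "hostfwd=tcp::2222-:22"
    for rule in audit(opts):
        print(f"exposed: {rule}  ->  use: {to_localhost(rule)}")
```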
Mic92 pushed a commit that referenced this issue Nov 10, 2023