Binding to 0.0.0.0 and use of empty passwords are bad practices

[akondasif]

Greetings,

I am a security researcher, who is looking for security smells in Puppet scripts. I noticed instances of binding to 0.0.0.0. Binding an address to 0.0.0.0 indicates allowing connections from all IP addresses. I would like to draw attention to these instances. Binding to 0.0.0.0 may lead to denial of service attacks. Practitioners have reported how binding to 0.0.0.0 facilitated security issues for MySQL (https://serversforhackers.com/c/mysql-network-security), Memcached (https://news.ycombinator.com/item?id=16493480), and Kibana (https://www.elastic.co/guide/en/kibana/5.0/breaking-changes-5.0.html).

I suggest to use a dedicated IP address other than 0.0.0.0.

Any feedback is appreciated.

Source: https://github.com/Yelp/puppet-uchiwa/blob/master/manifests/params.pp

[akondasif]

I also noticed instances of empty passwords. Empty passwords increase the guessability of passwords. The Common Weakness Organization (CWE) identifies use of empty passwords as a security weakness (https://cwe.mitre.org/data/definitions/258.html).

I suggest that to follow the strong password guidelines, and manage passwords with hiera.

Source: https://github.com/Yelp/puppet-uchiwa/blob/master/manifests/params.pp

[solarkennedy]

We are mimicking the defaults provided by upstream: https://docs.uchiwa.io/uchiwa/1.0/getting-started/configuration/#uchiwa-configuration

I would accept a pull request to do a default of 127.0.0.1 and to have some sort of default password, granted this is an open source project, so everyone would see what that default password would be.

[akondasif]

Thanks for the valuable feedback. I have submitted a PR https://github.com/Yelp/puppet-uchiwa/pull/90