Closed nekonimous closed 1 month ago
Summary

The installer sets `ufw` rules here: https://github.com/dusk-network/node-installer/blob/6e5ce663d4a5a8ed9472da4456be29a49b68c385/node-installer.sh#L163-L165

But since `ufw enable` is never called and ufw is disabled by default, they are pretty much a noop.

One solution would be to call `ufw enable` afterwards. However, beware that this also prevents SSH access with the present rules so they probably should include port 22?

Thank you!
It might be that with our recommended setup it's already enabled by default, but PR #87 should be a bit more defensive. 👍
I am a bit worried that assuming everyone is using port 22 will lock out users who have changed default port 22.

Possible solutions:
- Resolve this hypothetical issue when it pops up.
- Don't enforce UFW and make separate machine hardening guide.
- Prompt asking for ssh port number.
- add `ufw allow ssh` (not certain if this would work)
- Auto detecting active ssh sessions port(s) and apply rule(s) accordingly.

```bash
# Auto-detect SSH port(s) from listening TCP sockets owned by sshd
ssh_ports=$(ss -tnlp | grep -oP '(?<=:)\d+(?=\s+.*sshd)' | sort -u)

# Validate each detected port and apply UFW rules
valid_ports=()
for port in $ssh_ports; do
  if [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then
    valid_ports+=("$port")
  fi
done

# If no valid port is found, default to port 22
if [ ${#valid_ports[@]} -eq 0 ]; then
  valid_ports=(22)
fi

echo "Using SSH port(s): ${valid_ports[*]}"
echo "Setting up local firewall"
# Iterate over every element of the array, not only the first one
for port in "${valid_ports[@]}"; do
  ufw allow "$port"/tcp
done
ufw allow 8080/tcp
ufw allow 9000/udp
ufw enable
```
Creating a separate hardening guide is out of scope for this repo but part of our documentation work.
The prompting is a good idea but not ideal for fully automated installs. We can do it with a non-interactive flag that sets 22 and some other values as defaults, and prompts the user in interactive mode for everything else.
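The detection script from the comment above and the non-interactive default from the reply, put together as an added example (not the node-installer's own code; function names are hypothetical): sshd's listening ports are read from `ss -tnlp`, validated with 22 as the fallback, and the SSH allow rules are issued before `ufw --force enable`, which skips the confirmation prompt that would otherwise block an unattended install.

```bash
#!/usr/bin/env bash
# Added example, not the node-installer's code; function names are hypothetical.
# Detect sshd's listening port(s), validate, fall back to 22, and only then
# enable ufw; --force skips the "may disrupt existing ssh connections" prompt.
set -eu
# Constructed sample of `ss -tnlp` output, used by the offline checks.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*  users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:2222          [::]:*     users:(("sshd",pid=812,fd=4))
LISTEN 0      4096   127.0.0.1:9050     0.0.0.0:*  users:(("tor",pid=901,fd=6))'

# Read ss output on stdin; print sshd's distinct TCP ports, numerically
# sorted and space separated (port = last ':' field of the local address).
detect_ssh_ports() {
  grep '"sshd"' | awk '{ n = split($4, a, ":"); print a[n] }' \
    | grep -Ex '[0-9]+' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Keep only ports in 1..65535; default to 22 so enabling never locks us out.
choose_ssh_ports() {
  local p out=""
  for p in "$@"; do
    case "$p" in ''|*[!0-9]*) continue ;; esac
    if [ "$p" -ge 1 ] && [ "$p" -le 65535 ]; then out="$out $p"; fi
  done
  out=${out# }
  printf '%s\n' "${out:-22}"
}

# Print the ufw commands in a safe order: SSH first, services, enable last.
plan_rules() {
  local p
  for p in "$@"; do printf 'ufw allow %s/tcp\n' "$p"; done
  printf 'ufw allow 8080/tcp\nufw allow 9000/udp\nufw --force enable\n'
}

# Dry run prints the plan; --apply executes it line by line (needs root).
firewall_setup() {
  local mode=${1:-dry-run} detected ports cmd
  detected=$(ss -tnlp 2>/dev/null | detect_ssh_ports)
  ports=$(choose_ssh_ports $detected)
  echo "Using SSH port(s): $ports"
  if [ "$mode" = "--apply" ]; then
    plan_rules $ports | while read -r cmd; do $cmd; done
  else
    plan_rules $ports
  fi
}

if [ "${1:-}" = "--apply" ]; then firewall_setup --apply; fi
```

Without `--apply` it only prints the planned commands, so the rule order can be reviewed before running it as root.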