dusk-network / node-installer

Easy to use tool to install a Dusk node with extra utilities
Mozilla Public License 2.0

`ufw` is never enabled despite setting rules #86

Closed nekonimous closed 1 month ago

nekonimous commented 1 month ago

Summary

The installer sets ufw rules here: https://github.com/dusk-network/node-installer/blob/6e5ce663d4a5a8ed9472da4456be29a49b68c385/node-installer.sh#L163-L165

But since `ufw enable` is never called and ufw is disabled by default, they are pretty much a no-op.

One solution would be to call `ufw enable` afterwards. However, beware that this also prevents SSH access with the present rules, so they probably should include port 22?

HDauven commented 1 month ago

> Summary
>
> The installer sets ufw rules here:
>
> https://github.com/dusk-network/node-installer/blob/6e5ce663d4a5a8ed9472da4456be29a49b68c385/node-installer.sh#L163-L165
>
> But since `ufw enable` is never called and ufw is disabled by default, they are pretty much a no-op.
>
> One solution would be to call `ufw enable` afterwards. However, beware that this also prevents SSH access with the present rules, so they probably should include port 22?

Thank you!

It might be that with our recommended setup it's already enabled by default, but PR #87 should be a bit more defensive. 👍

sanderdms commented 1 month ago

I am a bit worried that assuming everyone is using port 22 will lock out users who have changed the default port 22.

Possible solutions:

  • Resolve this hypothetical issue when it pops up.
  • Don't enforce UFW and make a separate machine hardening guide.
  • Prompt asking for the SSH port number.
  • Add `ufw allow ssh` (not certain if this would work).
  • Auto-detect the active SSH session port(s) and apply rule(s) accordingly:

```bash
# Auto-detect SSH port(s); run as root so that `ss -p` can show the owning process
ssh_ports=$(ss -tnlp | grep -oP '(?<=:)\d+(?=\s+.*sshd)' | sort -u)

# Validate each detected port and collect it
valid_ports=()
for port in $ssh_ports; do
    if [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then
        valid_ports+=("$port")
    fi
done

# If no valid port is found, default to port 22
if [ ${#valid_ports[@]} -eq 0 ]; then
    valid_ports=(22)
fi

echo "Using SSH port(s): ${valid_ports[*]}"
echo "Setting up local firewall"
# Expand the whole array; a bare $valid_ports would yield only the first element
for port in "${valid_ports[@]}"; do
    ufw allow "$port"/tcp
done
ufw allow 8080/tcp
ufw allow 9000/udp
# --force skips the interactive "may disrupt existing ssh connections" confirmation
ufw --force enable
```
HDauven commented 1 month ago

> I am a bit worried that assuming everyone is using port 22 will lock out users who have changed the default port 22.
>
> Possible solutions:
>
>   • Resolve this hypothetical issue when it pops up.
>   • Don't enforce UFW and make a separate machine hardening guide.
>   • Prompt asking for the SSH port number.
>   • Add `ufw allow ssh` (not certain if this would work).
>   • Auto-detect the active SSH session port(s) and apply rule(s) accordingly:
>
> ```bash
> # Auto-detect SSH port(s); run as root so that `ss -p` can show the owning process
> ssh_ports=$(ss -tnlp | grep -oP '(?<=:)\d+(?=\s+.*sshd)' | sort -u)
>
> # Validate each detected port and collect it
> valid_ports=()
> for port in $ssh_ports; do
>     if [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then
>         valid_ports+=("$port")
>     fi
> done
>
> # If no valid port is found, default to port 22
> if [ ${#valid_ports[@]} -eq 0 ]; then
>     valid_ports=(22)
> fi
>
> echo "Using SSH port(s): ${valid_ports[*]}"
> echo "Setting up local firewall"
> # Expand the whole array; a bare $valid_ports would yield only the first element
> for port in "${valid_ports[@]}"; do
>     ufw allow "$port"/tcp
> done
> ufw allow 8080/tcp
> ufw allow 9000/udp
> # --force skips the interactive "may disrupt existing ssh connections" confirmation
> ufw --force enable
> ```

Creating a separate hardening guide is out of scope for this repo, but it is part of our documentation work.

The prompting is a good idea but not ideal for fully automated installs. We can do it with a non-interactive flag that sets 22 and some other values as defaults, and prompt the user in interactive mode for everything else.
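The lockout problem discussed in this thread has two parts: the allow rules for the operator's own SSH port must exist before `ufw enable` runs, and the port has to be discovered rather than assumed (note that `ufw allow ssh` resolves the name through /etc/services, so it opens 22/tcp only and does not help once sshd has been moved). The following is an added example in POSIX sh, not code from node-installer or from anyone in the thread. It takes `ss -tnlp` output and sshd_config text as plain strings so the parsing can be exercised offline against constructed samples; live sshd sockets win, uncommented `Port` directives are the fallback, 22 is the last resort, and the planned ufw commands are emitted in the order they must run, with `--force` so the step works unattended. `SAMPLE_SS`, `SAMPLE_SSHD_CONFIG` and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not the node-installer's code): open sshd's real listen port(s)
# in ufw before enabling it, so `ufw enable` cannot lock the operator out.
set -eu

# Print the local port of every listening TCP socket owned by sshd, one per
# line, unique and sorted.  $1 is text as produced by `ss -tnlp` (run as root,
# otherwise -p cannot show the owning process).  Column 4 is "addr:port" in
# IPv4 (0.0.0.0:22), IPv6 ([::]:2222) or wildcard (*:22) form; the port is
# whatever follows the last colon.  The header line never matches.
ssh_ports_from_ss() {
    printf '%s\n' "$1" | awk '
        index($0, "(\"sshd\",") {
            n = split($4, a, ":")
            if (a[n] ~ /^[0-9]+$/) print a[n]
        }' | sort -un
}

# Print the port(s) from uncommented `Port` directives in sshd_config text ($1).
# `sshd -T` (root) would be the authoritative source since it resolves Include
# and Match blocks; this text-based fallback is what runs when no sshd socket
# is visible (e.g. sshd stopped during install).
ssh_ports_from_config() {
    printf '%s\n' "$1" | awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }' | sort -un
}

# True when $1 is an integer in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# $1: `ss -tnlp` output, $2: sshd_config text.  Prefer live sockets, then the
# config, then 22; drop anything out of range.  One port per output line.
resolve_ssh_ports() {
    ports=$(ssh_ports_from_ss "$1")
    if [ -z "$ports" ]; then
        ports=$(ssh_ports_from_config "$2")
    fi
    out=""
    for p in $ports; do
        if valid_port "$p"; then out="$out $p"; fi
    done
    if [ -z "$out" ]; then out=" 22"; fi
    # intentional word splitting: one port per line
    printf '%s\n' $out
}

# $1: SSH ports, one per line.  Emit the ufw commands in the only safe order:
# all allow rules first, `enable` last.  8080/tcp and 9000/udp are the node
# ports from the thread.  --force skips the interactive "may disrupt existing
# ssh connections" confirmation that would otherwise block an unattended run.
firewall_plan() {
    printf '%s\n' "$1" | while read -r p; do
        if [ -n "$p" ]; then printf 'ufw allow %s/tcp\n' "$p"; fi
    done
    printf 'ufw allow 8080/tcp\nufw allow 9000/udp\n'
    printf 'ufw --force enable\n'
    printf 'ufw status verbose\n'
}

# Constructed sample `ss -tnlp` output (not captured from a real host): sshd
# relocated to 2222 on v4 and v6, plus an unrelated listener that must be ignored.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:2222       0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:2222          [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      4096   127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=950,fd=6))'

# Constructed sshd_config fragment: the commented default must be ignored.
SAMPLE_SSHD_CONFIG='#Port 22
Port 2200
PermitRootLogin no'

echo "ssh port(s) from live sockets: $(resolve_ssh_ports "$SAMPLE_SS" "$SAMPLE_SSHD_CONFIG" | tr '\n' ' ')"
echo "ssh port(s) with no sshd socket visible: $(resolve_ssh_ports "" "$SAMPLE_SSHD_CONFIG" | tr '\n' ' ')"
echo "--- planned firewall commands (dry run, nothing executed) ---"
firewall_plan "$(resolve_ssh_ports "$SAMPLE_SS" "$SAMPLE_SSHD_CONFIG")"
```

On a real host the same functions drive the live step as root, e.g. `firewall_plan "$(resolve_ssh_ports "$(ss -tnlp)" "$(cat /etc/ssh/sshd_config)")" | sh -ex`, and the trailing `ufw status verbose` is the check that the rules are actually active (it reports `Status: inactive` when `enable` was never run, which is the symptom this issue describes). Keeping detection separate from execution also gives an installer a natural place for the interactive/non-interactive split: print the plan and ask in interactive mode, run it directly under a non-interactive flag.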