letheanVPN / lthn-app-vpn

Client/Server dVPN
https://www.lt.hn
European Union Public License 1.2

Possible Security Problems #119

Closed ctindall closed 4 years ago

ctindall commented 4 years ago

Hey there! I noticed some possible problems in some code in this repo. A quick summary of a few of them is below, but let me know if you're interested in seeing a full report or talking about cloud security in general.


severity: serious

filename: ./server/aws/vpc.yaml

line number(s): [172]

resource(s):

Missing egress rule means all traffic is allowed outbound. Make this explicit if it is desired configuration


severity: warning

filename: ./server/aws/vpc.yaml

line number(s): [63, 77]

resource(s):

EC2 Subnet should not have MapPublicIpOnLaunch set to true


severity: warning

filename: ./server/aws/nodes.yaml

line number(s): [206, 180]

resource(s):

Resource found with an explicit name, this disallows updates that require replacement of this resource


severity: warning

filename: ./server/aws/nodes.yaml

line number(s): [152]

resource(s):

Security Groups found with ingress cidr that is not /32
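
An added example, not part of the original issue or the project's code: a minimal Python check for the four finding types reported above, run over a constructed CloudFormation-style template that is not the contents of `vpc.yaml` or `nodes.yaml`. The function name `audit`, the resource names, and the `NAME_PROPS` subset of name properties are assumptions made for illustration.

```python
# Constructed sample: a CloudFormation-style template already parsed into a dict.
SAMPLE = {"Resources": {
    "NodeSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "constructed example",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "CidrIp": "203.0.113.0/24"}]}},          # no SecurityGroupEgress key
    "PublicSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {
        "CidrBlock": "10.0.0.0/24", "MapPublicIpOnLaunch": True}},
    "NodeRole": {"Type": "AWS::IAM::Role", "Properties": {"RoleName": "node-role"}},
    "TightSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "constructed example",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "CidrIp": "198.51.100.7/32"}],
        "SecurityGroupEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "CidrIp": "0.0.0.0/0"}]}},
}}

# Assumption: a small illustrative subset of resource types and the property
# that pins their physical name (which blocks replacement-style updates).
NAME_PROPS = {"AWS::IAM::Role": "RoleName", "AWS::S3::Bucket": "BucketName",
              "AWS::AutoScaling::AutoScalingGroup": "AutoScalingGroupName"}

def audit(template):
    """Return (severity, logical_id, message) tuples for the four finding types."""
    findings = []
    for rid, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            # Absent (or empty) egress list: the group gets allow-all outbound.
            if not props.get("SecurityGroupEgress"):
                findings.append(("serious", rid, "no explicit egress rule"))
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp")
                # Skip intrinsics such as {"Ref": ...}; only literal CIDRs are judged.
                if isinstance(cidr, str) and not cidr.endswith("/32"):
                    findings.append(("warning", rid, f"ingress cidr {cidr} is not /32"))
        elif rtype == "AWS::EC2::Subnet":
            if props.get("MapPublicIpOnLaunch") in (True, "true"):
                findings.append(("warning", rid, "MapPublicIpOnLaunch is true"))
        if rtype in NAME_PROPS and NAME_PROPS[rtype] in props:
            findings.append(("warning", rid, f"explicit name via {NAME_PROPS[rtype]}"))
    return findings

if __name__ == "__main__":
    for sev, rid, msg in audit(SAMPLE):
        print(f"{sev:8} {rid:13} {msg}")
```
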

valiant1x commented 4 years ago

Hi @ctindall, thanks very much for sharing this information. I discussed your findings with the person responsible for engineering and overseeing our cloud solutions, @lee-lethean. At this time we do not feel any changes are justified, but we appreciate your report. We feel these are generally minor security risks, and changing the deployment configuration to adapt some of these changes would create a lot of unnecessary difficulty.

Please tag me @valiant1x to reopen this issue.