By: Pawel Pietrzynski named 02 Apr 2019 at 9:42 a.m. CDT

5 Responses
Our security scan noticed SSHD listening on port 60022. It appears to be GLUU's, given it's configured under `/opt/gluu-server-3.1.6/etc/ssh/sshd_config`:

```
/opt/gluu-server-3.1.6/etc/ssh/sshd_config:Port 60022
```

The only usage references I can find to the port in all of GLUU are two cases:

* cluster installation:

```
ssh -o IdentityFile=/etc/gluu/keys/gluu-console -o Port=60022 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o PubKeyAuthentication=yes root@localhost "cd /install/community-edition-setup && ./setup.py -s -e -n -f setup.properties"
```

* changing hostname (`/opt/gluu-server-3.1.6/install/community-edition-setup/static/scripts/change_hostname/change_gluu_host.py`):

```
ssh -o IdentityFile=/etc/gluu/keys/gluu-console -o Port=60022 -o LogLevel=QUIET -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o PubkeyAuthentication=yes root@localhost \'{}\'
```

With the above, please either turn off the port unless it's necessary for GLUU to operate normally, or justify/document the port usage and use cases as well as the protections. Right now it looks like it gives remote access to "root", which is a showstopper.

By Aliaksandr Samuseu staff 02 Apr 2019 at 9:49 a.m. CDT

Hi, Pawel. Its main purpose is to allow you to access the container. Effectively, when you type `# service gluu-server-3.x.x login`, it starts the container and then launches an ssh client that connects to this internally running sshd daemon.

> Right now it looks like it gives remote access to "root", which is a showstopper.

It runs on the localhost interface and thus isn't accessible from the outside world, unless something is really wrong with the system (i.e. a vulnerability exists in the kernel/network drivers). Is it really that much of a problem?

By Pawel Pietrzynski named 02 Apr 2019 at 9:55 a.m. CDT

Hi Alex, if that's the intention, that's not true, because it's listening on all interfaces:

```
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:29130         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:60022           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:wsmans          0.0.0.0:*               LISTEN
```

I don't have an issue with your explanation of the use case; the configuration will need to be adjusted to listen on localhost only.

By Aliaksandr Samuseu staff 02 Apr 2019 at 10:06 a.m. CDT

You are right, I've just checked it myself, and see the same picture. I've made a request internally about it. We'll get back to you after discussing it with the dev team.

By Aliaksandr Samuseu staff 02 Apr 2019 at 12:12 p.m. CDT

Pawel, by adding the following lines to `/etc/ssh/sshd_config` (inside the container) I was able to make it listen on localhost only:

```
ListenAddress 127.0.0.1
ListenAddress ::1
```

We haven't been able to come up with any issues this change could produce, so you could try it in your live systems. It will be included and properly QA-ed in the upcoming 4.0 release.
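
A way to verify the finding in this thread and apply the fix from a script, as an added example that is not Gluu's code or either poster's. It parses `netstat -tln` / `ss -ltn` output to flag a port bound to a wildcard address, checks an sshd_config for loopback-only `ListenAddress` lines, and rewrites a config to add the two lines suggested above. The netstat listing and sshd_config fragments embedded in it are constructed for the demo, not captured from a Gluu host; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not Gluu's code): audit which address a listener on a port is bound
# to, verify an sshd_config restricts ListenAddress to loopback, and rewrite a config
# to apply the fix from the thread. POSIX sh + awk only.
# The netstat output and sshd_config fragments below are CONSTRUCTED sample data.

# Constructed `netstat -tln`-style listing shaped like the one posted in the thread.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:29130         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:60022           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::60022                :::*                    LISTEN'

# Constructed sshd_config fragments: before (no active ListenAddress, so sshd binds
# every interface) and after adding the two lines suggested in the thread.
CONF_BEFORE='Port 60022
#ListenAddress 0.0.0.0'
CONF_AFTER='Port 60022
ListenAddress 127.0.0.1
ListenAddress ::1'

# wildcard_listeners PORT: read `netstat -tln` or `ss -ltn` output on stdin and print
# every LISTEN socket on PORT bound to a wildcard address (0.0.0.0, ::, or *).
# Returns 0 when nothing on PORT is wildcard-bound, 1 otherwise.
wildcard_listeners() {
    found=$(awk -v p="$1" '
        ($1 == "LISTEN" || $6 == "LISTEN") {      # ss puts State first, netstat sixth
            addr = $4                              # Local Address in both layouts
            # split host from port at the LAST colon; IPv6 hosts contain colons too
            if (!match(addr, /:[^:]*$/)) next
            host  = substr(addr, 1, RSTART - 1)
            lport = substr(addr, RSTART + 1)
            if (lport == p && (host == "0.0.0.0" || host == "::" || host == "*"))
                print addr
        }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# sshd_loopback_only: read an sshd_config on stdin; return 0 only if it has at least one
# active ListenAddress and every one is loopback (127.0.0.1 or ::1, optionally with a
# port in sshd's "addr:port" or "[v6addr]:port" forms). Commented lines do not count.
sshd_loopback_only() {
    awk '
        tolower($1) == "listenaddress" {
            seen = 1
            a = $2
            if (a ~ /^\[.*]:[0-9]+$/)     { sub(/]:[0-9]+$/, "", a); sub(/^\[/, "", a) }
            else if (a ~ /^[^:]+:[0-9]+$/) { sub(/:[0-9]+$/, "", a) }
            if (a != "127.0.0.1" && a != "::1") bad = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }
    '
}

# restrict_to_loopback: read an sshd_config on stdin and write it to stdout with every
# active ListenAddress replaced by the two loopback lines from the thread. Keep a copy
# of the original before writing the result back, and restart sshd afterwards.
restrict_to_loopback() {
    awk '
        tolower($1) == "listenaddress" { next }
        { print }
        END { print "ListenAddress 127.0.0.1"; print "ListenAddress ::1" }
    '
}

# Demo on the constructed data. On a real host, pipe in `ss -ltn` and the container
# config (e.g. /opt/gluu-server-3.1.6/etc/ssh/sshd_config) instead.
if printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners 60022 >/dev/null; then
    echo "port 60022: loopback only"
else
    echo "port 60022: bound to a wildcard address"
fi
if printf '%s\n' "$CONF_BEFORE" | sshd_loopback_only; then
    echo "config before: loopback only"
else
    echo "config before: NOT loopback only"
fi
if printf '%s\n' "$CONF_BEFORE" | restrict_to_loopback | sshd_loopback_only; then
    echo "config after rewrite: loopback only"
fi
```

Run the audit on the host, not from inside the container: the wildcard binding only matters from the host's network namespace, where `ss -ltn | wildcard_listeners 60022` answers the question the scan raised. Note that `sshd_loopback_only` deliberately ignores `#ListenAddress` comments, since the stock sshd_config ships with those commented defaults and they do not restrict anything.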

By Pawel Pietrzynski named 02 Apr 2019 at 12:18 p.m. CDT

Thank you, yes, I did try it myself already using "localhost" and the application seems to be running well. If I do see any unusual behaviour that could be linked, I'll let you know; for now I'll patch it myself until version 4.0 comes out.