Digital Ocean Firewall

All Ports Open

Risk Level: High

Description: 

This plugin determines if all ports are open to the public. Also, it consists of valid steps or measures to be taken to avoid unhealthy vulnerability to all IP addresses ranges i.e. 0.0.0.0/0. While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services should be restricted to known IP addresses.

About the Service :

DigitalOcean Firewall:

DigitalOcean Cloud Firewalls are an organization-based, stateful firewall administration for Droplets given at no extra expense. Cloud firewalls block all traffic that isn't explicitly allowed by a standard. Firewalls place an obstruction between your servers and different machines in the organization to safeguard them from outer assaults. Firewalls can behave based, which are designed on a for every waiter premise utilizing administrations like IPTables or UFW. Others, such as DigitalOcean Cloud Firewalls, are network-based and stop traffic at the organization layer before it arrives at the server.

Impact : 

Firewalls for the Droplets are used to control the incoming and outgoing traffic. There are rules defined under firewalls that can allow certain IP addresses to access the droplets with the protocol and the Ports specified. If a large range of IP addresses is allowed, an attacker can scan the ports and exploit the vulnerabilities of hosted applications without easy traceability.

Steps to Reproduce :

  1. Login to the digital ocean console.
  2. Select Networking under the MANAGE section.
  3. If the Port Range under Inbound Rules and/or Outbound Rules states All ports, visit the Steps for Remediation section.
  4. Repeat the process for other firewalls as well.

Steps for Remediation :

  1. Login to the digital ocean console.
  2. Select Networking under the MANAGE section.
  3. The Networking screen will appear, go to Firewalls tab.
  4. If the Port Range under Inbound Rules and/or Outbound Rules states All ports follow step 4.
  5. Click on More under Inbound Rules/Outbound rules (the section which is open for all ports) and select the option of Edit Rule.
  6. Now, under the port input field, enter the required port numbers through which incoming requests (in case of setting ports under incoming rules) or outgoing requests (incase of setting ports under outgoing rules) should be allowed.
  7. Repeat the process for other non-backed up droplets as well.