Digital Ocean Firewall

Open Redis

Risk Level: High

Description

This plugin determines if TCP port 6379 for Redis is open to the public. Also, it consists of valid steps or measures to be taken to avoid unhealthy vulnerability to all IP addresses ranges i.e. 0.0.0.0/0. While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services should be restricted to known IP addresses.

About the Service

Digital Ocean Firewall:

DigitalOcean Cloud Firewalls are an organization-based, stateful firewall administration for Droplets given at no extra expense. Cloud firewalls block all traffic that isn't explicitly allowed by a standard. Firewalls place an obstruction between your servers and different machines in the organization to safeguard them from outer assaults. Firewalls can behave based, which are designed on a for every waiter premise utilizing administrations like IPTables or UFW. Others, such as DigitalOcean Cloud Firewalls, are network-based and stop traffic at the organization layer before it arrives at the server.

Impact

Redis is an open-source (BSD authorized), in-memory information structure store, utilized as a data set, reserve, and message representative. Redis gives information constructions, for example, strings, hashes, records, sets, arranged sets with range questions, bitmaps, geospatial files, and streams. Redis has underlying replication, Lua prearranging, LRU ousting, exchanges, and various degrees of on-plate ingenuity, and gives high accessibility through Redis Sentinel and programmed apportioning with Redis Cluster. This plugin guarantees that DigitalOcean firewall rules do not allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 6379 in order to reduce the attack and harm to the surface and protect the virtual machine (VM) droplets associated with these rules. TCP port 6379 is utilized by Redis.

Steps to Reproduce

Using Digital Ocean Console-

In order to determine if your Digital Ocean Firewall Rules permit access without restrictions on TCP port 6379, follow the steps mentioned below:

  1. Firstly use the administrator account for signing in to Digital Ocean Console. A dashboard will appear on the screen.
  2. Now, from the left Navigation Panel select the name of the Project you want to investigate in.
  3. After selecting the Project, under the Manage section in the left navigation panel, click on the Networking blade.
  4. A Networking page will appear on the screen, select the Firewall tab from the top navigation bar.
  5. A Firewall Dashboard will appear on the screen with a list of all the Firewalls available in the current project.
  6. Click on the name of the firewall you want to investigate in. A new Firewall Page with all the details of inbound and outbound rules will appear on the screen.
  7. Check among the list of Inbound Rules if you may find any Firewall Rule with Type: Custom/All TCP, Protocol: TCP port 6379 then this shows that there exist firewall rules that allow unrestricted access on TCP port 6379, hence it is vulnerable as Port TCP 6379 for VNC Server is open to the public.
  8. Check out the Steps for Remediation to fix this issue.
  9. Repeat the steps mentioned above for reviewing accounts in other folders/projects associated with other Digital Ocean organizations deployed within your record.

Steps for Remediation

In order to update or reestablish your VPC network firewall rules configuration to restrict VNC Server access for trusted authorized IP addresses or IP ranges only, follow the steps given below:

  1. Firstly use the administrator account for signing in to Digital Ocean Console. A dashboard will appear on the screen.
  2. Now, from the left Navigation Panel select the name of the Project you want to investigate in.
  3. After selecting the Project, under the Manage section in the left navigation panel, click on the Networking blade.
  4. A Networking page will appear on the screen, select the Firewall tab from the top navigation bar.
  5. A Firewall Dashboard will appear on the screen with a list of all the Firewalls available in the current project.
  6. Click on the name of the firewall you want to investigate in. A new Firewall Page with all the details of inbound and outbound rules will appear on the screen.
  7. Check among the list of Inbound Rules if you may find any Firewall Rule with Type: Custom/All TCP, Protocol: TCP, and Port: 6379 then this shows that there exist firewall rules that allow unrestricted access to TCP port 6379, hence it is vulnerable as Port TCP 6379 for VNC Server is open to the public.
  8. Click on the Edit Rule button available on the right under the More dropdown link.
  9. Remove the non-compliant or non-biddable 0.0.0.0/0 IP address range under the Source IP ranges configuration section. This is done to deny public inbound access on port: 6379 of TCP in the VNC Server.
  10. Now, type the IP address ranges into the Source IP ranges configuration section. The entered IP address range must be in desired CIDR format like 10.128.0.0/9. The IP range can have addressed included in your VPC network and even outside of your network.
  11.  Now click on the Save button to apply the changes done so far.
  12. You may repeat steps 7-11 for other firewall rules with TCP port:6379 in your Digital Ocean Project.
  13. You may repeat the above steps for other Digital Ocean Projects under your organization.