Which rules are required in the AWS security group of an instance where we need to run a Docker container?

If one has to install docker, docker-compose and kubectl on an AWS Ubuntu instance, which inbound rules should be added to the instance's security group?

For SSHing into the server, you will need TCP port 22 open for your public/private IP. If you are accessing the server over the Internet and your public IP changes as per your ISP, you can allow 0.0.0.0/0 for TCP port 22 in the ingress rule of the security group.
Further, for installing packages inside the server, you need Internet connectivity from the server itself; therefore, you need TCP ports opened to the Internet in the egress rules of the security group. Mostly you will need to allow TCP port 443 for HTTPS connections (or TCP port 80 for HTTP; it depends on how and from where you are installing the packages).

Related

NGINX: how to manage different visibility (LAN vs Internet)

I've set up a Raspberry server with OpenMediaVault on board, so I'm using Docker to set up multiple services such as:
pihole
plex
nextcloud
and much more
I would like to expose some of them on the Internet, while others only on the LAN.
For the Internet I will use SSL from Let's Encrypt, while for the LAN I can use a self-signed certificate.
Right now, I'm thinking of creating multiple domains on two ports, one dedicated to the Internet and the other to the LAN, but... are there better alternatives (also from a security standpoint)?
P.S.: right now I'm not considering a VPN as an alternative.
For the people who will read this, I solved it this way using only an nginx instance (on the linuxserver SWAG image).
Created another server block (port 8443)
Created a self-signed certificate for the new server block
Opened and port-forwarded 443 on the router in order to expose only what I want to expose publicly using proxy-conf
Did the same for server block 8443, which is not exposed, so no port forwarding

expose tcp service (port 5432) on specific subdomain via ingress

I have a Kubernetes cluster that exposes PostgreSQL on port 5432 via this information, and this works like a charm. I'm currently testing this on my machine, and it works on db.x.io (x being my domain). But it also works on localhost. This seems fair, as it only creates a binding on port 5432 to my service.
How can I also filter on subdomain, so it's only accessible via db.x.io?
There is not much that the TCP protocol offers in terms of filtering. This is because TCP uses only the IP:port combination, with no headers as in HTTP. Your subdomain is resolved by DNS to an IP address before the connection is made.
According to the Nginx documentation you can do the following:
Restricting Access by IP Address
Limiting the Number of TCP Connections
Limiting the Bandwidth
You can try to limit access from localhost by adding deny 127.0.0.1 to the nginx configuration; however, it will most likely break PostgreSQL instead, so it is a risky suggestion.
For a Kubernetes ingress object it would be:
metadata:
  annotations:
    nginx.org/server-snippets: |
      deny 127.0.0.1;
Based on the Nginx documentation.
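To make the answer's point concrete, here is an added Python example (not code from the answer, nor from the NGINX or Kubernetes projects) that inspects the first bytes a client sends on a connection and reports where a hostname can be found. A TLS ClientHello carries the name in its SNI extension, which is what hostname-based routing of TLS traffic relies on; a PostgreSQL StartupMessage carries only parameters such as user and database, and the client asks for TLS in-band with an SSLRequest after the TCP connection is up, so there is no name to route on at connection time. The messages are constructed by the helper functions rather than captured from a real client, and the hostnames and parameter values are examples.

```python
import struct

PG_PROTOCOL_3_0 = 196608       # PostgreSQL wire protocol 3.0 version word (0x00030000)


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello whose only extension is SNI.
    Random bytes are zeroed; this is a parser fixture, not a usable handshake."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type host_name(0)
    sni_list = struct.pack("!H", len(entry)) + entry
    extension = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type server_name
    body = (b"\x03\x03" + bytes(32)                  # client_version, random
            + b"\x00"                                # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # null compression
            + struct.pack("!H", len(extension)) + extension)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def sni_from_client_hello(data: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None if the
    bytes are not a ClientHello or carry no server_name extension."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:          # handshake record, client_hello type
            return None
        pos = 5 + 4 + 2 + 32                            # record hdr, handshake hdr, version, random
        pos += 1 + data[pos]                            # session_id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + data[pos]                            # compression_methods
        end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if etype == 0x0000:
                # server_name_list: list_len(2), then name_type(1) + name_len(2) + name
                name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
        return None
    except (IndexError, struct.error):
        return None


def build_pg_startup(params: dict) -> bytes:
    """Constructed PostgreSQL StartupMessage: int32 length, int32 protocol version,
    then NUL-terminated key/value pairs closed by an extra NUL."""
    body = struct.pack("!I", PG_PROTOCOL_3_0)
    for key, value in params.items():
        body += key.encode() + b"\x00" + value.encode() + b"\x00"
    body += b"\x00"
    return struct.pack("!I", len(body) + 4) + body


def pg_startup_params(data: bytes) -> dict:
    """Parse the key/value pairs out of a protocol 3.0 StartupMessage.
    There is no host field: the client never tells the server which name it dialled."""
    length, proto = struct.unpack("!II", data[:8])
    if proto != PG_PROTOCOL_3_0:
        raise ValueError("not a protocol 3.0 StartupMessage")
    fields = data[8:length].rstrip(b"\x00").split(b"\x00")
    return {fields[i].decode(): fields[i + 1].decode() for i in range(0, len(fields) - 1, 2)}


def routable_hostname(first_bytes: bytes):
    """What a layer-4 proxy could route on from the first client bytes:
    the SNI name for TLS-first protocols, nothing for a plain TCP protocol."""
    return sni_from_client_hello(first_bytes)


if __name__ == "__main__":
    print(routable_hostname(build_client_hello("db.x.io")))
    startup = build_pg_startup({"user": "alice", "database": "app"})
    print(pg_startup_params(startup), routable_hostname(startup))
```

Running it shows the asymmetry: the ClientHello yields db.x.io, while the PostgreSQL startup yields only user and database and no name at all, which is why an ingress in TCP mode can only ever filter on the client's IP address, not on the subdomain it used.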

Unable to SSH into VM instance on Google Cloud Platform

I have created a firewall rule in the VPC network for port 22 by assigning an IP with the port, e.g. 192.168.xx.yy, instead of 0.0.0.0/0 in the rules. Now, when I create a Compute Engine VM instance in Google Cloud Platform and SSH into it, it states "cannot connect to port 22".
I don't want the port tcp:22 to have the IP range 0.0.0.0/0 but only a single IP as stated above. How can I solve this issue?
192.168.x.x is an internal IP address, and in your situation would apply to a VM instance within the same network as the instance you want to connect to.
If you want to connect from outside that network, you'll need to set the source of the firewall rule to the external IP of the instance/machine you want to connect from. You can get your external IP by going to https://whatismyipaddress.com, for example.
The firewall rule settings would be something like this:
Direction of traffic: Ingress
Action on match: Allow
Targets: Specified target tags (for example)
Source filter: IP ranges
Source IP ranges: x.x.x.x/32 (your external IP)
If you would not like to have your GCE instance's port 22 open to the Internet, but you would like to connect to it, I propose two different solutions:
Create a bastion host. This VM is a proxy for accessing your GCE instances. You log into the bastion and then perform an SSH hop to your GCE instance. Only the bastion host is open to the Internet on port 22, and you can start this bastion VM only when you need to connect to your other GCE instances, which increases security and decreases the risk of attack on this "backdoor" instance.
For both the bastion and for directly reaching your VM on port 22, you can limit the source IP of your firewall rule to your current IP.
But remember, the IP is not a source of truth.
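As an added illustration, not code from any of the answers above, the following Python models allow-list firewall rules with CIDR sources the way an AWS security group or a GCP VPC firewall rule does, and evaluates both cases discussed on this page: the minimal security group from the first question (tcp/22 inbound from one admin /32, tcp/443 and tcp/80 outbound) and the GCP rule whose source was set to an internal 192.168.x.y address. The Rule class, the function names and the addresses (taken from the documentation ranges) are all constructed for the example. AWS security groups and GCP firewall rules are stateful, so the reply half of an allowed SSH session needs no egress rule, which the model reflects by evaluating each direction only against its own rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One allow rule. For ingress, cidr is the permitted source range;
    for egress, it is the permitted destination range."""
    direction: str   # "ingress" or "egress"
    protocol: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str

    def matches(self, direction: str, protocol: str, port: int, peer_ip: str) -> bool:
        return (self.direction == direction
                and self.protocol in ("all", protocol)
                and self.port_from <= port <= self.port_to
                and ip_address(peer_ip) in ip_network(self.cidr, strict=False))


def is_allowed(rules, direction: str, protocol: str, port: int, peer_ip: str) -> bool:
    """Allow-list semantics: a flow passes only if some rule in that direction matches.
    Stateful filters admit the return half of an allowed flow automatically, so each
    direction is checked only against its own rules."""
    return any(r.matches(direction, protocol, port, peer_ip) for r in rules)


def world_open_ssh(rules):
    """Audit helper: ingress rules that expose tcp/22 to every IPv4 address."""
    return [r for r in rules
            if r.direction == "ingress"
            and r.protocol in ("all", "tcp")
            and r.port_from <= 22 <= r.port_to
            and ip_network(r.cidr, strict=False).prefixlen == 0]


def minimal_docker_host_sg(admin_cidr: str):
    """The rule set the first answer describes: SSH in from the admin address only,
    HTTPS and HTTP out to package mirrors and container registries."""
    return [
        Rule("ingress", "tcp", 22, 22, admin_cidr),
        Rule("egress", "tcp", 443, 443, "0.0.0.0/0"),
        Rule("egress", "tcp", 80, 80, "0.0.0.0/0"),
    ]


# Constructed addresses from the documentation ranges, not real hosts.
ADMIN_IP = "203.0.113.10"       # the operator's current public IP
OTHER_IP = "198.51.100.7"       # some other Internet host
MIRROR_IP = "192.0.2.44"        # an apt mirror / container registry
INTERNAL_PEER = "192.168.10.5"  # a VM inside the same VPC


def aws_checks() -> dict:
    sg = minimal_docker_host_sg(f"{ADMIN_IP}/32")
    return {
        "admin_ssh": is_allowed(sg, "ingress", "tcp", 22, ADMIN_IP),
        "other_ssh": is_allowed(sg, "ingress", "tcp", 22, OTHER_IP),
        "apt_https": is_allowed(sg, "egress", "tcp", 443, MIRROR_IP),
        # git over SSH to a remote would need its own egress rule, which this set lacks
        "git_ssh_out": is_allowed(sg, "egress", "tcp", 22, MIRROR_IP),
        # the 0.0.0.0/0 variant the first answer mentions is what the audit flags
        "world_open": bool(world_open_ssh(minimal_docker_host_sg("0.0.0.0/0"))),
    }


def gcp_checks() -> dict:
    """Why the GCP rule in the question failed: its source range names an internal
    address, so a client arriving from the Internet never matches it."""
    internal_only = [Rule("ingress", "tcp", 22, 22, f"{INTERNAL_PEER}/32")]
    fixed = [Rule("ingress", "tcp", 22, 22, f"{ADMIN_IP}/32")]
    return {
        "internal_rule_external_client": is_allowed(internal_only, "ingress", "tcp", 22, ADMIN_IP),
        "internal_rule_internal_client": is_allowed(internal_only, "ingress", "tcp", 22, INTERNAL_PEER),
        "fixed_rule_external_client": is_allowed(fixed, "ingress", "tcp", 22, ADMIN_IP),
    }


if __name__ == "__main__":
    print(aws_checks())
    print(gcp_checks())
```

The evaluator deliberately has no deny rules: both AWS security groups and the allow rules in this GCP question are pure allow lists with an implicit deny, so "is there a matching rule" is the whole decision. The last line of the answer above is the reason the /32 approach still needs care: once the operator's address changes, the fixed rule stops matching just as the 192.168 one did.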

What is the default tcp port jfrog.exe uses to talk to Artifactory?

Our Artifactory is on a different subnet from Jenkins and Octopus. I need to have firewall rules established for this. We use jfrog.exe to push and retrieve the artifacts as it is much faster than the REST API. What is the default port jfrog.exe uses?
Opening ports 80, 443 and 8080 didn't do the trick.
It uses what you have configured it to use.
See here: https://www.jfrog.com/confluence/display/CLI/CLI+for+JFrog+Artifactory#CLIforJFrogArtifactory-Configuration
If you configure it without a port, it will use the protocol default: http: 80, https: 443.
By default, Artifactory runs on port 8081.
Also, if you are using an RSA key to authenticate, you might need to open the SSH port to Artifactory (this is not very common).
See here:
https://www.jfrog.com/confluence/display/CLI/CLI+for+JFrog+Artifactory#CLIforJFrogArtifactory-AuthenticatingwithRSAKeys
In general, you should open the port your users are using to access Artifactory.

Port forwarding

I have a simple requirement of hosting a webserver on my computer. But unfortunately, the internet connection provided by my employer has only ports 21 & 80 open. All other ports are closed. I tried port forwarding for ports 80 and 21, but they are already in use by my employer itself. So, is there any other way of hosting a webserver on my computer?
P.S.: I am on linux with Apache.
Does the firewall run an HTTP proxy, or is it just a simple port forwarder? If it's a proxy, it may be able to forward to different internal IPs based on the Host: header, similar to the way virtual web hosts operate.
If not, you won't be able to use these ports. A NAT router can forward a port to only one IP. If hosting the webserver is a job requirement, as you say, you should be able to contact the network administrator and get another port opened for it. If they won't do it on your request, your manager should be able to confirm the requirement.
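As an added example of the Host-header approach the answer mentions (not code from the answer, and not a production proxy), here is a minimal Python reverse proxy that accepts connections on one public port, reads the HTTP request head, and forwards the whole connection to an internal address chosen from the Host header, so a single forwarded port can serve several internal web servers. The backend table, the internal addresses and the listening port are constructed for the example; a request whose Host is missing or unknown gets a 421 response rather than a guessed backend.

```python
import select
import socket

# Constructed routing table: public hostname -> (internal address, port). Example values only.
BACKENDS = {
    "www.example.com": ("10.0.0.11", 8080),
    "wiki.example.com": ("10.0.0.12", 8080),
}
MAX_HEAD = 64 * 1024   # refuse request heads larger than this before routing


def parse_request_head(raw: bytes):
    """Split an HTTP/1.x request head into (method, target, version, headers).
    Header names are lower-cased; raises ValueError on a malformed request line."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def choose_backend(raw: bytes, table=BACKENDS):
    """Pick the internal backend from the Host header (port suffix and case ignored).
    Returns None for a missing or unknown host so the caller rejects instead of guessing."""
    try:
        _, _, _, headers = parse_request_head(raw)
    except ValueError:
        return None
    host = headers.get("host", "").rsplit(":", 1)[0].strip().lower().rstrip(".")
    return table.get(host)


def relay(client: socket.socket, table=BACKENDS) -> None:
    """Serve one accepted connection: buffer the request head, route it, splice the streams."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = client.recv(4096)
        if not chunk or len(buf) + len(chunk) > MAX_HEAD:
            client.close()
            return
        buf += chunk
    target = choose_backend(buf, table)
    if target is None:
        client.sendall(b"HTTP/1.1 421 Misdirected Request\r\n"
                       b"Content-Length: 0\r\nConnection: close\r\n\r\n")
        client.close()
        return
    with client, socket.create_connection(target) as upstream:
        upstream.sendall(buf)   # replay the head (and any body bytes) already read
        while True:
            readable, _, _ = select.select([client, upstream], [], [])
            for sock in readable:
                data = sock.recv(65536)
                if not data:
                    return
                (upstream if sock is client else client).sendall(data)


def serve(bind=("0.0.0.0", 80)) -> None:
    """Accept loop; one connection at a time is enough to show the mechanism."""
    with socket.create_server(bind) as listener:
        while True:
            client, _ = listener.accept()
            relay(client)


if __name__ == "__main__":
    serve()
```

This is exactly what the answer's "proxy, not port forwarder" distinction comes down to: a NAT rule sees only the destination port and can send it to one address, whereas a proxy that reads the head can pick the destination per request. It also shows the usual caveat of the approach: the name routing only works for HTTP(S); a non-HTTP service on the same forwarded port would have no Host header to route on.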
