Fuel is terribly insecure out of the box; the root password is r00tme, and all of its network services are exposed to the whole world - including the dashboard, which requires no authentication at all. This article details the ways in which we’ve remedied this, on both the MRI hardware and our local test setup.

iptables

We’ve adjusted the iptables configuration such that all incoming traffic on the externally facing NIC is blocked unless:

  • It is related to an existing connection (e.g. the response to an HTTP request we’ve initiated)
  • It’s TCP traffic coming in on the SSH port.

The diff is below. Note that this assumes eth1 is the external NIC.

--- iptables.orig	2014-01-10 19:26:47.225178231 +0000
+++ iptables	2014-01-10 19:32:32.834177546 +0000
@@ -11,6 +11,9 @@
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
+-A INPUT -m comment --comment "002 accept related established rules" -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A INPUT -i eth1 -m state --state NEW -j DROP
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT 
 -A INPUT -p udp -m multiport --ports 514 -m comment --comment "514 udp rsyslog" -j ACCEPT 
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
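Review bot: the added rule "-A INPUT -i eth1 -m state --state NEW -j DROP" only matches packets that conntrack classifies as NEW, so an eth1 packet in a state the RELATED,ESTABLISHED rule above does not accept (INVALID, for example) skips the DROP, skips the NEW-only ACCEPT rules that follow, and, as far as the visible lines show, lands on the ":INPUT ACCEPT" policy. Because the SSH and RELATED,ESTABLISHED accepts already sit above it, the state match can be dropped ("-A INPUT -i eth1 -j DROP") so the rule blocks everything else on the external NIC, which is the stated intent. The DROP rule would also benefit from a "-m comment" recording that eth1 is assumed to be the external interface.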
@@ -25,10 +28,8 @@
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
 -A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT 
 -A INPUT -p udp -m state --state NEW -m udp --dport 69 -j ACCEPT 
--A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT 
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 8000 -j ACCEPT 
--A INPUT -m comment --comment "002 accept related established rules" -m state --state RELATED,ESTABLISHED -j ACCEPT 
 -A INPUT -p tcp -m state --state NEW -m tcp --dport 61613 -j ACCEPT 
 COMMIT
 # Completed on Thu Jan  9 23:36:12 2014
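Review bot: the ACCEPT rules left in place around the two removals (TCP 80, 8080, 8000 and 61613, UDP 53 and 69) carry no -i match, so the only thing keeping them off the external network is the eth1 DROP rule added in the first hunk. On a host where the external NIC has a different name, all of them stay reachable; consider binding these rules to the internal interface with -i, or at least documenting the eth1 assumption inside the file so it is checked per host.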

The MRI hardware has a few additional rules which are redundant. TODO: we should clean these up.
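
A way to check the policy stated at the top of this section against the rule order, as an added example (not part of the original article or of Fuel). It evaluates a constructed subset of the patched INPUT rules first-match-wins against constructed packets; the probe list, the eth0 internal interface name and the simplified match model are assumptions.

```python
import shlex

# Constructed sample: first INPUT rules of the patched file, in file order.
SAMPLE = '''\
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m comment --comment "002 accept related established rules" -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state NEW -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m multiport --ports 514 -m comment --comment "514 udp rsyslog" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
'''

def parse(line):
    """Parse one '-A INPUT' line into the matches modelled here.
    Simplifications: single ports or comma lists only; --ports treated as destination port."""
    tok = shlex.split(line)
    rule = {"iface": None, "proto": None, "states": None, "ports": None, "target": None}
    flags = {"-i": "iface", "-p": "proto", "-j": "target"}
    for opt, val in zip(tok, tok[1:]):
        if opt in flags:
            rule[flags[opt]] = val
        elif opt == "--state":
            rule["states"] = set(val.split(","))
        elif opt in ("--dport", "--ports"):
            rule["ports"] = {int(p) for p in val.split(",")}
    return rule

def verdict(rules, pkt, policy="ACCEPT"):
    """First matching rule wins; unmatched packets get the chain policy (:INPUT ACCEPT)."""
    for r in rules:
        if ((r["iface"] in (None, pkt["iface"])) and (r["proto"] in (None, pkt["proto"]))
                and (r["states"] is None or pkt["state"] in r["states"])
                and (r["ports"] is None or pkt["dport"] in r["ports"])):
            return r["target"]
    return policy

def accepted(rules, iface, probes):
    """Return (proto, dport, state) for each probe the ruleset accepts on iface."""
    return [(p["proto"], p["dport"], p["state"]) for p in probes
            if verdict(rules, dict(p, iface=iface)) == "ACCEPT"]

RULES = [parse(l) for l in SAMPLE.splitlines() if l.startswith("-A INPUT")]
PROBES = [  # constructed packets
    {"proto": "tcp", "dport": 22, "state": "NEW"},
    {"proto": "tcp", "dport": 443, "state": "NEW"},
    {"proto": "udp", "dport": 514, "state": "NEW"},
    {"proto": "tcp", "dport": 443, "state": "ESTABLISHED"},
    {"proto": "tcp", "dport": 443, "state": "INVALID"},  # not NEW, so the eth1 DROP never sees it
]
```

Calling accepted(RULES, "eth1", PROBES) lists what still gets in on the external NIC; running it again with "eth0" shows the same rules leaving the internal side open.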

root password

We’ve changed the root password to our usual.