Nethserver console web ui reachable from public IP

Hello,

forgive the newbie question, but I’m afraid that I have a security hole.

I have a basic config as a firewall on a single WAN.
The WAN eth gets the public IP from my modem in bridge mode.
The public IP is obtained via DHCP from my ISP (IPoE).

Now if I open my public IP 2.XX.XX.XX:9090 in the browser, the NethServer web console opens and I can access it.

It is a behavior that I did not expect.
As a basic rule, shouldn’t all incoming ports be closed by the firewall?

My expectation was that I would have to “enable Port Forward” also for the applications installed on the NethServer host (including the NethServer web UI).

For the moment I have configured the modem “as a router” and not as a bridge to avoid this behavior.

Not to the server itself. If you don’t want the server manager to be accessible on the Red (WAN) interface, turn off that option:
[screenshot of the server manager access option]

1 Like

Thanks Dan

It’s already turned off.

I never enabled this option…
I am pretty sure, because if I try to turn it on, it asks me from which IPs it is enabled -> “Allowed ips (one per line)”.

I assume it only works from the internal LAN to access the server manager via the public IP.
Please try a web port scan or try to access it from outside the LAN (i.e. a mobile phone).

Sorry guys, I have left my house because of security concerns about covid…

I will update you asap…

I’m back…

You are right Markus…
Behind the firewall (inside the NethServer LAN) I am able to access the console at http://10.10.10.10:9090/ but from the outside network at http://192.168.1.10:9090/ I am not able to.

The curious thing is that on port 80 I am able to access the NethServer welcome page from the outside network.
Same thing if I connect my modem in bridge mode to the WAN port of my NethServer gateway.

Do you know how I can hide it? Are there other ports open to the outside?

I propose having a prop/switch to enable/disable publishing this information on the screen.

That’s called “create index.html”.

1 Like

For other noobs like me… to avoid this kind of unexpected access you need to go to the SERVICES section and remove the RED zone from the services that you do not want to expose.

In this case httpd (and httpd-admin) is the service of the web server that shows this page on port 80 or 443.

Not all services are blocked from outside connections in a clean installation (contrary to my expectation)… please review SERVICES and if needed remove all RED zones to avoid public/external access for specific ports/services.

I am pretty sure that with a little adjustment to the NethServer docs this system can be used with success also by users with low network knowledge.
I think that for small companies NethServer can be a great business case.

1 Like
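The review described in the post above (walk through every service and check which ones still list the RED zone) can be scripted so it is not missed on the next install. The following is an added example, not code from the thread or from NethServer itself. It assumes the e-smith `config show` text format (a `name=type` header followed by indented `Prop=Value` lines) and that a service record carries an `access` property naming the zones it listens on, such as `green` or `green,red`; the sample configuration embedded below is constructed for illustration and does not come from a real host.

```python
"""Audit which services are reachable from the RED (WAN) zone.

Added example (not NethServer's own tooling). Assumes the e-smith
`config show` layout: "name=type" header lines, then indented
"Prop=Value" lines, with an `access` property listing firewall zones.
"""
import re

# Constructed sample resembling concatenated `config show` output.
SAMPLE_CONFIG = """\
httpd=service
    TCPPorts=80,443
    access=green,red
    status=enabled
httpd-admin=service
    TCPPort=980
    access=green
    status=enabled
cockpit=service
    TCPPort=9090
    access=green
    status=enabled
sshd=service
    TCPPort=22
    access=green,red
    status=enabled
smb=service
    TCPPorts=139,445
    UDPPorts=137,138
    access=green
    status=disabled
"""

HEADER_RE = re.compile(r"^(\S+?)=(\S+)$")          # e.g. "httpd=service"
PROP_RE = re.compile(r"^\s+([A-Za-z0-9_]+)=(.*)$")  # e.g. "    access=green"


def parse_config(text):
    """Return {name: {"type": ..., "props": {...}}} from config-show style text."""
    records = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            records[current] = {"type": m.group(2), "props": {}}
            continue
        m = PROP_RE.match(line)
        if m and current is not None:
            records[current]["props"][m.group(1)] = m.group(2).strip()
    return records


def service_ports(props):
    """Collect 'proto/port' entries from the TCPPort(s) / UDPPort(s) properties."""
    ports = []
    for proto in ("TCP", "UDP"):
        for key in (proto + "Port", proto + "Ports"):
            for p in props.get(key, "").split(","):
                p = p.strip()
                if p:
                    ports.append(f"{proto.lower()}/{p}")
    return ports


def exposed_on_red(records):
    """Return enabled services whose access zones include 'red' (WAN)."""
    exposed = []
    for name, rec in records.items():
        if rec["type"] != "service":
            continue
        props = rec["props"]
        zones = {z.strip() for z in props.get("access", "").split(",") if z.strip()}
        # Assumption: a record without a status property is treated as enabled,
        # which errs on the side of reporting it.
        if props.get("status", "enabled") != "enabled":
            continue
        if "red" in zones:
            exposed.append({"service": name,
                            "ports": service_ports(props),
                            "zones": sorted(zones)})
    return exposed


def report(text):
    """Human-readable summary for the admin reviewing the SERVICES page."""
    exposed = exposed_on_red(parse_config(text))
    if not exposed:
        return "No enabled service is reachable from the RED zone."
    lines = ["Services reachable from RED (WAN):"]
    for e in exposed:
        lines.append(f"  {e['service']}: {', '.join(e['ports'])}"
                     f"  (zones: {', '.join(e['zones'])})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

On the constructed sample the report lists httpd (tcp/80, tcp/443) and sshd (tcp/22) as reachable from RED, while cockpit on 9090 and httpd-admin are green-only, which matches what the thread observed: the welcome page answers on port 80 from outside while the console on 9090 does not. Anything the script lists that you did not intend to publish is a candidate for removing the RED zone in the SERVICES page, and an external port scan from a phone, as suggested earlier in the thread, confirms the result from the outside.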

Ports 80 and 443, if I am not wrong, could be mandatory for obtaining certificates from Let’s Encrypt.

Correct, though it could be configured in such a way that it only responds to queries under /.well-known/acme-challenge. Or you could use DNS validation, which is now semi-implemented, and doesn’t require any ports to be open. But I suspect what’s going on is just an assumption that if you want a web server, you probably want it to be public, so that’s the default–and it can be easily changed if desired.
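One way to express the arrangement described above (the web server answers ACME HTTP-01 challenges from anywhere but serves everything else only to the LAN) in Apache 2.4 configuration. This is an added example, not something from the thread or from NethServer's own httpd templates; the 10.10.10.0/24 subnet is taken from the LAN address mentioned earlier in the thread and is an assumption, and on a NethServer host the httpd configuration is generated from templates, so a fragment like this would need to go through that mechanism rather than be pasted into a generated file.

```apache
# Added example: LAN-only web server except for the ACME challenge path.
# Assumptions: Apache 2.4 authorization syntax; 10.10.10.0/24 is the LAN.
<VirtualHost *:80>
    ServerName example.invalid   # placeholder hostname

    # Location sections are merged in the order they appear, so the
    # general rule comes first and the more specific path overrides it.
    <Location "/">
        Require ip 10.10.10.0/24
    </Location>

    # HTTP-01 validation must be reachable from the public Internet.
    <Location "/.well-known/acme-challenge/">
        Require all granted
    </Location>
</VirtualHost>
```

The ordering matters: with Apache's default `AuthMerging Off`, the `Require` in the more specific `<Location>` replaces the one inherited from `/`, so the challenge directory stays public while the rest of the site is limited to the LAN. Port 80 still has to be open in the firewall for this to work, which is the trade-off the reply above points out; DNS-01 validation avoids opening the port at all.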