Description
Again, thanks for this great tool.
Environment settings:
- Platform: Python 3.7 running on 64bit Amazon Linux 2/3.1.4
- Web server: nginx (default in AL2)
Today I was checking my worker environment logs and in the nginx access logs I found some requests that were made by external agents (not coming from the SQS daemon process on localhost).
----------------------------------------
/var/log/nginx/access.log
----------------------------------------
58.97.229.90 - - [29/Dec/2020:23:57:20 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7" "-"
127.0.0.1 - - [30/Dec/2020:00:15:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
127.0.0.1 - - [30/Dec/2020:00:30:05 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
139.162.119.197 - - [30/Dec/2020:00:34:18 +0000] "GET / HTTP/1.1" 302 0 "-" "HTTP Banner Detection (https://security.ipip.net)" "-"
127.0.0.1 - - [30/Dec/2020:00:45:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
91.199.118.137 - - [30/Dec/2020:01:08:25 +0000] "CONNECT cdn.jsdelivr.net:443 HTTP/1.1" 400 157 "-" "-" "-"
91.199.118.137 - - [30/Dec/2020:01:08:26 +0000] "CONNECT cdn.jsdelivr.net:443 HTTP/1.1" 400 157 "-" "-" "-"
127.0.0.1 - - [30/Dec/2020:01:15:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
127.0.0.1 - - [30/Dec/2020:01:45:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
188.166.64.74 - - [30/Dec/2020:01:59:15 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 404 179 "http://35.166.105.105:80/admin/login.asp" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0" "-"
188.166.64.74 - - [30/Dec/2020:01:59:16 +0000] "" 400 0 "-" "-" "-"
127.0.0.1 - - [30/Dec/2020:02:15:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
92.126.230.58 - - [30/Dec/2020:02:42:24 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" "-"
127.0.0.1 - - [30/Dec/2020:02:45:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
127.0.0.1 - - [30/Dec/2020:03:15:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
127.0.0.1 - - [30/Dec/2020:03:45:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
85.99.129.150 - - [30/Dec/2020:04:11:51 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36" "-"
127.0.0.1 - - [30/Dec/2020:04:15:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
127.0.0.1 - - [30/Dec/2020:04:45:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"
209.17.96.66 - - [30/Dec/2020:04:45:25 +0000] "GET / HTTP/1.0" 302 0 "-" "Mozilla/5.0 (compatible; Nimbostratus-Bot/v1.3.2; http://cloudsystemnetworks.com)" "-"
83.97.20.31 - - [30/Dec/2020:04:53:35 +0000] "GET / HTTP/1.0" 302 0 "-" "-" "-"
83.97.20.31 - - [30/Dec/2020:04:53:37 +0000] "GET /admin/ HTTP/1.0" 302 0 "-" "-" "-"
83.97.20.31 - - [30/Dec/2020:04:53:40 +0000] "GET /admin/login/?next=/admin/ HTTP/1.0" 200 2194 "-" "-" "-"
167.248.133.40 - - [30/Dec/2020:05:14:27 +0000] "GET / HTTP/1.1" 302 0 "-" "-" "-"
167.248.133.40 - - [30/Dec/2020:05:14:28 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)" "-"
167.248.133.40 - - [30/Dec/2020:05:14:28 +0000] "GET /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)" "-"
167.248.133.40 - - [30/Dec/2020:05:14:28 +0000] "GET /admin/login/ HTTP/1.1" 200 2181 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)" "-"
196.52.43.64 - - [30/Dec/2020:05:44:20 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3602.2 Safari/537.36" "-"
196.52.43.64 - - [30/Dec/2020:05:44:21 +0000] "GET /admin/ HTTP/1.1" 302 0 "http://35.166.105.105:80/" "Go http package" "-"
196.52.43.64 - - [30/Dec/2020:05:44:21 +0000] "GET /admin/login/?next=/admin/ HTTP/1.1" 200 2194 "http://35.166.105.105:80/admin/" "Go http package" "-"
185.239.242.162 - - [30/Dec/2020:06:12:24 +0000] "GET / HTTP/1.1" 302 0 "-" "Linux Gnu (cow)" "-"
134.122.7.61 - - [30/Dec/2020:06:40:35 +0000] "GET /config/getuser?index=0 HTTP/1.1" 404 179 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" "-"
167.99.164.114 - - [30/Dec/2020:07:18:20 +0000] "\x16\x03\x01\x01\xFD\x01\x00\x01\xF9\x03\x03\xB5\x1DUX.\x15\xF7L\xAC\x07\x5C\xA0|\x06J9\xBD\xF9&\xC6\xD9\xF9RL\xF7\xD0\x9Bk\xCF\x84O\xA0\x00\x01<\xCC\x14\xCC\x13\xCC\x15\xC00\xC0,\xC0(\xC0$\xC0\x14\xC0" 400 157 "-" "-" "-"
After debugging I realized that this security problem is caused by the security group I added to the worker environment (I made this on purpose to have access to the web env database - check this).
When you add a security group to an EC2 instance, the inbound rules that come with it will be included as well. If your environment is a single-instance environment (i.e. no load balancer involved), the security group of the web environment instance will contain the following inbound rule:
80 | TCP | 0.0.0.0/0
If you use that same security group for your worker, then everyone will be able to access it.
Note that in the case of a high availability environment (i.e. with load balancer), the inbound rule will limit traffic to the load balancer only, so in that scenario we won't have this security flaw.
I haven't tried this yet, but I think a better approach to the one described here is to edit the inbound rules of the RDS DB security group and add an entry for the worker instance security group. By doing that the database should accept connections from both environments and the worker should always remain private.
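The two checks a practitioner would want after reading this report, as an added example that is not code from the issue or from the project: first, an audit of security groups in the shape returned by ec2:DescribeSecurityGroups that finds instances inheriting a world-open (0.0.0.0/0 or ::/0) inbound rule from any attached group, and confirms whether the database group admits the worker by group reference as suggested above; second, a pass over nginx combined-format access-log lines that flags any request not originating from loopback, which on a worker tier (where only aws-sqsd should reach nginx) is itself the symptom. The group IDs, instance IDs, CIDRs and log lines are constructed for illustration and do not refer to real resources.

```python
"""Two checks for the misconfiguration described in the issue.

Added example, not code from the issue or from the project. It runs
offline on constructed data shaped like ec2:DescribeSecurityGroups
output and on nginx combined-format log lines; the group IDs, instance
IDs, CIDRs and log lines are illustrative, not real resources.
"""
import ipaddress
import re

# --- constructed security-group data -------------------------------------
# sg-web: the single-instance web environment group, 80/tcp open to all.
# sg-worker: the worker's own group; nothing inbound, sqsd posts to localhost.
# sg-rds: the database group, admitting both tiers by group reference.
GROUPS = {
    "sg-web": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
    ]},
    "sg-worker": {"IpPermissions": []},
    "sg-rds": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-web"}, {"GroupId": "sg-worker"}]},
    ]},
}
# Which groups each instance carries. The "bad" worker borrowed sg-web to
# reach the database (the setup in the issue); the "good" one relies on
# sg-rds referencing sg-worker instead.
INSTANCES = {
    "i-web": ["sg-web"],
    "i-worker-bad": ["sg-worker", "sg-web"],
    "i-worker-good": ["sg-worker"],
}


def world_open_rules(group):
    """Return (proto, from_port, to_port, cidr) for every rule reachable from any address."""
    found = []
    for perm in group["IpPermissions"]:
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            # A /0 prefix (0.0.0.0/0 or ::/0) admits every source address.
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                found.append((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"), cidr))
    return found


def exposed_instances(instances, groups):
    """Map instance -> world-open rules inherited from any attached group."""
    report = {}
    for inst, sg_ids in instances.items():
        rules = [(sg, *r) for sg in sg_ids for r in world_open_rules(groups[sg])]
        if rules:
            report[inst] = rules
    return report


def db_admits_group(db_group, sg_id, port):
    """True if db_group has a rule covering `port` that references sg_id by group id."""
    for perm in db_group["IpPermissions"]:
        if perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            if any(p["GroupId"] == sg_id for p in perm.get("UserIdGroupPairs", [])):
                return True
    return False


# --- nginx access-log check ----------------------------------------------
# Combined format: client ip, ident, user, [time], "request", status, ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})')
# Constructed lines matching the format of the issue's log excerpt.
SAMPLE_LOG = [
    '127.0.0.1 - - [30/Dec/2020:00:15:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"',
    '198.51.100.7 - - [30/Dec/2020:00:34:18 +0000] "GET /admin/login/ HTTP/1.1" 200 2181 "-" "scanner" "-"',
    '127.0.0.1 - - [30/Dec/2020:00:45:00 +0000] "POST /sqs/ HTTP/1.1" 200 2 "-" "aws-sqsd/3.0.3" "-"',
]


def external_hits(lines):
    """Return (ip, request, status) for requests whose client is not loopback.

    On a worker tier only the local sqsd daemon should ever reach nginx, so
    any non-loopback client means the instance is reachable from outside.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, request, status = m.groups()
        if not ipaddress.ip_address(ip).is_loopback:
            hits.append((ip, request, int(status)))
    return hits


if __name__ == "__main__":
    for inst, rules in exposed_instances(INSTANCES, GROUPS).items():
        print(inst, "is world-reachable via", rules)
    print("sg-rds admits sg-worker on 5432:", db_admits_group(GROUPS["sg-rds"], "sg-worker", 5432))
    for hit in external_hits(SAMPLE_LOG):
        print("external request:", hit)
```

Run against real data by substituting the `SecurityGroups` list from `aws ec2 describe-security-groups` and the instance-to-group mapping from `describe-instances`; the audit reports `i-worker-bad` as exposed through `sg-web` while `i-worker-good`, whose database access comes from `sg-rds` referencing `sg-worker`, carries no inbound rule at all.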