Question

Droplet remains open to internet even after ufw default deny

Posted April 27, 2021
Firewall

I have Droplet A and Droplet B running Django and Redis respectively. They're both on a VPC and have public and private IP addresses.

Below is my Redis docker-compose. I'm trying to map the container Redis port to the host port so I can connect to it via the VPC.

redis:
    restart: always
    image: redis
    command: ["redis-server", "--appendonly", "yes"]
    volumes:
        - redis_data:/data
    ports:
        # "HOST:CONTAINER" with no host address publishes on every host interface
        - 6379:6379

On Django, also connected to the VPC, I am connecting to Redis this way:

CACHES = {
    "default": {
        "BACKEND": "django_redis.cache.RedisCache",
        "LOCATION": "redis://private_ip:6379",
        "OPTIONS": {
            "CLIENT_CLASS": "django_redis.client.DefaultClient",
        },
    }
}

This works: I am able to interact with my Redis droplet. However, I suspected that `ports: 6379:6379` may in fact open the Redis droplet up to the internet, and sure enough, if I try to connect via the public IP address, this works also. Even if I type the public IP address of the droplet into a browser, like this: public_ip:6379, my Redis installation detects it as a potential security threat; somehow the request gets through. How am I to block all HTTP/public requests to the Redis droplet and only allow traffic via the private IP on the VPC?

The below Redis connection works, and I don't think it should:

CACHES = {
    "default": {
        "BACKEND": "django_redis.cache.RedisCache",
        "LOCATION": "redis://public_ip:6379",
        "OPTIONS": {
            "CLIENT_CLASS": "django_redis.client.DefaultClient",
        },
    }
}

On Droplet B (Redis), this is the readout from UFW. I've tried to configure it to only allow traffic from the VPC subnet and SSH.

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere                  
Anywhere                   ALLOW IN    10.122.0.4                
Anywhere                   ALLOW IN    10.122.0.0/20             
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)      

Below is the error message I get on my Redis droplet if I type its public address and port into Chrome (public_ip:6379):

It looks like somebody is sending POST or Host: commands to Redis. This is likely due to an attacker attempting to use Cross Protocol Scripting to compromise your Redis instance. Connection aborted.

Not only that, but connecting to the Redis droplet via the public IP address actually works. How can I configure my UFW correctly?
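A bare `HOST:CONTAINER` entry under `ports:` publishes on all host interfaces (0.0.0.0), and Docker installs its own iptables rules ahead of the ones UFW manages, which is why the port is reachable on the public address despite the default-deny policy. The check below is an added example, not code from the question or from Docker: it parses compose `ports` entries, flags those bound to all interfaces, and rewrites them to bind only to the droplet's VPC address. The subnet 10.122.0.0/20 comes from the UFW output above; the private address 10.122.0.10 is a constructed placeholder.

```python
# Added example: classify docker-compose port mappings by the host interface they
# bind to, and rebind all-interface mappings to the VPC address only.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Union

VPC_SUBNET = ip_network("10.122.0.0/20")   # from the ufw rule in the question
PRIVATE_IP = "10.122.0.10"                  # constructed placeholder for Droplet B's VPC address

@dataclass
class PortMapping:
    host_ip: str
    host_port: int
    container_port: int
    protocol: str = "tcp"

    def exposed_to_internet(self) -> bool:
        # 0.0.0.0 / :: means every interface, the public one included.
        return ip_address(self.host_ip).is_unspecified

    def short_syntax(self) -> str:
        return f"{self.host_ip}:{self.host_port}:{self.container_port}/{self.protocol}"

def parse_port(entry: Union[str, int, dict]) -> PortMapping:
    """Parse one compose 'ports' entry (short string form or long mapping form)."""
    if isinstance(entry, dict):  # long syntax: host_ip defaults to all interfaces
        return PortMapping(entry.get("host_ip", "0.0.0.0"), int(entry["published"]),
                           int(entry["target"]), entry.get("protocol", "tcp"))
    text, protocol = str(entry), "tcp"
    if "/" in text:
        text, protocol = text.rsplit("/", 1)
    if text.startswith("["):  # bracketed IPv6 host address, e.g. "[::1]:6379:6379"
        host_ip, rest = text[1:].split("]:", 1)
        host_port, container_port = rest.split(":")
    else:
        parts = text.split(":")
        if len(parts) == 1:      # "6379": ephemeral host port on all interfaces
            host_ip, host_port, container_port = "0.0.0.0", 0, parts[0]
        elif len(parts) == 2:    # "6379:6379": fixed host port on all interfaces
            host_ip, (host_port, container_port) = "0.0.0.0", parts
        elif len(parts) == 3:    # "10.122.0.10:6379:6379": bound to one address
            host_ip, host_port, container_port = parts
        else:
            raise ValueError(f"unrecognised port entry: {entry!r}")
    return PortMapping(host_ip, int(host_port), int(container_port), protocol)

def harden(mapping: PortMapping, private_ip: str = PRIVATE_IP) -> PortMapping:
    """Rebind an all-interfaces mapping to the droplet's VPC address; others pass through."""
    if not mapping.exposed_to_internet():
        return mapping
    if ip_address(private_ip) not in VPC_SUBNET:
        raise ValueError(f"{private_ip} is not inside {VPC_SUBNET}")
    return PortMapping(private_ip, mapping.host_port, mapping.container_port, mapping.protocol)
```

With the address-bound mapping Docker's DNAT rule only matches traffic destined for the VPC address, so the public IP no longer reaches Redis; the UFW rules shown then restrict the VPC side as intended.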
