tickets #160979
openRe: Publicly exposed rsync (provo-downloadcontent.opensuse.org)
0%
Description
On 27/05/2024 09.28, cybersecurity SUSE wrote:
Dear Heroes of Opensuse,
Recently, a security finding has been found in opensuse infra, details
of which are given below:Security Finding:
RSYNC port (873) is found open without authentication controls.
IP : 91.193.113.71 Port: 873Recommended action:
Default rsync port to be blocked and RSYNC to be used with SSH
authentication.
This is the same machine as provo-mirror.opensuse.org
that is intended to offer public rsync so that mirrors can pull updates
from there.
IMHO it does not make much difference that we expose rsync on these IPs.
Encrypted public rsync transfers might be useful. I see that there is
rsync-ssl rsync://hostname/
using TCP port 874 for that.
Ciao
Bernhard M.
Files
Updated by crameleon about 1 month ago
- Status changed from New to Closed
- Private changed from Yes to No
This was already solved via https://progress.opensuse.org/issues/160958.
Updated by crameleon about 1 month ago
- Is duplicate of tickets #160958: Publicly exposed rsync (provo-downloadcontent.opensuse.org) added
Updated by cybersecurity@suse.com about 1 month ago
- Status changed from Closed to New
Hello Bernhard,
I agree that it is legist service that is intended to offer public rsync so
that mirrors can pull updates.
IMHO it does not make much difference that we expose rsync on these IPs.
Encrypted public rsync transfers might be useful. I see that there is
rsync-ssl rsync://hostname/
using TCP port 874 for that.
However, like you have also mentioned, it is desirable and recommended from
cybersecurity point to view to have them offered behind ssl. This will
definitely reduce the attack surface area of the public
offering and bolster opensuse security.
Best Regards,
Shiwang
On Mon, May 27, 2024 at 5:04 PM crameleon redmine@opensuse.org wrote:
[openSUSE Tracker]
Issue #160979 has been updated by crameleon.Is duplicate of tickets #160958: Publicly exposed rsync (
provo-downloadcontent.opensuse.org) added
tickets #160979: Re: Publicly exposed rsync (
provo-downloadcontent.opensuse.org)
https://progress.opensuse.org/issues/160979#change-801761
- Author: bwiedemann@suse.de
- Status: Closed
- Priority: Normal
* Start date: 2024-05-27¶
On 27/05/2024 09.28, cybersecurity SUSE wrote:
Dear Heroes of Opensuse,
Recently, a security finding has been found in opensuse infra, details
of which are given below:Security Finding:
RSYNC port (873) is found open without authentication controls.
IP : 91.193.113.71 Port: 873Recommended action:
Default rsync port to be blocked and RSYNC to be used with SSH
authentication.This is the same machine as provo-mirror.opensuse.org
that is intended to offer public rsync so that mirrors can pull updates
from there.IMHO it does not make much difference that we expose rsync on these IPs.
Encrypted public rsync transfers might be useful. I see that there is
rsync-ssl rsync://hostname/
using TCP port 874 for that.Ciao
Bernhard M.---Files--------------------------------
OpenPGP_signature.asc (236 Bytes)--
You have received this notification because you either subscribed to or
are involved in this discussion.
To change your notification preferences, please visit
https://progress.opensuse.org/my/account.