tickets #160979: Re: Publicly exposed rsync (provo-downloadcontent.opensuse.org) - openSUSE admin - openSUSE Project Management Tool

Custom queries

Events of the openSUSE Heroes
my assigned stuff
openQA Infrastructure Project
openqa-review - Closed tickets last updated by openqa-review, last 30 days
QA roadmap long-term
QA SLE functional
QA SLE Functional - closed in last 14 days
QA SLE Functional - High, need to be refined
QA SLE Functional - over cycle time median
QA SLE u
QA SLE y
QA tools (tag not necessary in openQA and subprojects)
QA tools tag (tag not necessary in openQA and subprojects; excluding tickets in "Ready" version as they are already on the backlog)
QAC - Backlog
QE tools team - backlog (ready issues)
QE tools team - backlog (w/o infra)
QE tools team - backlog SLA high
QE tools team - backlog SLA immediate
QE tools team - backlog SLA no immediate/urgent in feedback/blocked
QE tools team - backlog SLA normal
QE tools team - backlog SLA urgent
QE tools team - backlog SLO high
QE tools team - backlog SLO normal
QE tools team - backlog SLO urgent
QE tools team - backlog, high-level view (epics and higher)
QE tools team - backlog, non-reactive work, needs parent
QE tools team - backlog, top-level view (all sagas)
QE tools team - closed within last 14 days
QE tools team - closed within last 60 days
QE tools team - closed yesterday
QE Tools Team - Collaborative Session
QE tools team - due date forecast
QE tools team - exceeding due-date
QE tools team - infrastructure backlog
QE tools team - next - sorted by update time
QE tools team - next issues
QE tools team - non-estimated (unblocked) issues (w/o infra)
QE tools team - ready issues - Workable
QE tools team - ready, not assigned/blocked/low
QE tools team - SLO high forecast
QE tools team - update forecast
QE tools team - updated by priority
QE tools team - what members of the team are working on - Feedback (not-low)
QE Tools Team Backlog By Assignee
Tools Team Retrospective
Tools Team Retrospective (not estimated or assigned)

Actions

Copy link

tickets #160979

open

Re: Publicly exposed rsync (provo-downloadcontent.opensuse.org)

Added by bwiedemann@suse.de about 1 month ago. Updated about 1 month ago.

Status:

New

Priority:

Normal

Assignee:

bmwiedemann

Category:

Target version:

Start date:

2024-05-27

Due date:

% Done:

Estimated time:

Description

On 27/05/2024 09.28, cybersecurity SUSE wrote:

Dear Heroes of Opensuse,

Recently, a security finding has been found in opensuse infra, details
of which are given below:

Security Finding:
RSYNC port (873) is found open without authentication controls.
IP : 91.193.113.71 Port: 873

Recommended action:
Default rsync port to be blocked and RSYNC to be used with SSH
authentication.

This is the same machine as provo-mirror.opensuse.org
that is intended to offer public rsync so that mirrors can pull updates
from there.

IMHO it does not make much difference that we expose rsync on these IPs.

Encrypted public rsync transfers might be useful. I see that there is
rsync-ssl rsync://hostname/
using TCP port 874 for that.

Ciao
Bernhard M.

Files

OpenPGP_signature.asc (236 Bytes) OpenPGP_signature.asc

bwiedemann@suse.de, 2024-05-27 11:05

Related issues 1 (0 open — 1 closed)

Is duplicate of openSUSE admin - tickets #160958: Publicly exposed rsync (provo-downloadcontent.opensuse.org)

Resolved

2024-05-27

Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by crameleon about 1 month ago

Status changed from New to Closed
Private changed from Yes to No

This was already solved via https://progress.opensuse.org/issues/160958.

Actions

Copy link

Updated by crameleon about 1 month ago

Is duplicate of tickets #160958: Publicly exposed rsync (provo-downloadcontent.opensuse.org) added

Actions

Copy link

Updated by cybersecurity@suse.com about 1 month ago

Status changed from Closed to New

Hello Bernhard,

I agree that it is legist service that is intended to offer public rsync so
that mirrors can pull updates.

IMHO it does not make much difference that we expose rsync on these IPs.

Encrypted public rsync transfers might be useful. I see that there is
rsync-ssl rsync://hostname/
using TCP port 874 for that.

However, like you have also mentioned, it is desirable and recommended from
cybersecurity point to view to have them offered behind ssl. This will
definitely reduce the attack surface area of the public
offering and bolster opensuse security.

Best Regards,
Shiwang

On Mon, May 27, 2024 at 5:04 PM crameleon redmine@opensuse.org wrote:

[openSUSE Tracker]
Issue #160979 has been updated by crameleon.

Is duplicate of tickets #160958: Publicly exposed rsync (
provo-downloadcontent.opensuse.org) added

tickets #160979: Re: Publicly exposed rsync (
provo-downloadcontent.opensuse.org)
https://progress.opensuse.org/issues/160979#change-801761

Author: bwiedemann@suse.de

Status: Closed

Priority: Normal

* Start date: 2024-05-27¶

On 27/05/2024 09.28, cybersecurity SUSE wrote:

Dear Heroes of Opensuse,

Recently, a security finding has been found in opensuse infra, details
of which are given below:

Security Finding:
RSYNC port (873) is found open without authentication controls.
IP : 91.193.113.71 Port: 873

Recommended action:
Default rsync port to be blocked and RSYNC to be used with SSH
authentication.

This is the same machine as provo-mirror.opensuse.org
that is intended to offer public rsync so that mirrors can pull updates
from there.

IMHO it does not make much difference that we expose rsync on these IPs.

Encrypted public rsync transfers might be useful. I see that there is
rsync-ssl rsync://hostname/
using TCP port 874 for that.

Ciao
Bernhard M.

---Files--------------------------------
OpenPGP_signature.asc (236 Bytes)

--
You have received this notification because you either subscribed to or
are involved in this discussion.
To change your notification preferences, please visit
https://progress.opensuse.org/my/account.

Actions

Copy link

Updated by crameleon about 1 month ago

Assignee set to bmwiedemann

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

openSUSE admin

Tags

Custom queries

tickets #160979

Re: Publicly exposed rsync (provo-downloadcontent.opensuse.org)

Updated by crameleon about 1 month ago

Updated by crameleon about 1 month ago

Updated by cybersecurity@suse.com about 1 month ago

* Start date: 2024-05-27¶

Updated by crameleon about 1 month ago