Risk Level: High
Description:
This plugin determines if TCP port 7001 for Cassandra is open to the public. Also, it consists of valid steps or measures to be taken to avoid unhealthy vulnerability to all IP addresses ranges i.e. 0.0.0.0/0. While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services should be restricted to known IP addresses.
About the Service :
DigitalOcean Firewall:
DigitalOcean Cloud Firewalls are an organization-based, stateful firewall administration for Droplets given at no extra expense. Cloud firewalls block all traffic that isn't explicitly allowed by a standard. Firewalls place an obstruction between your servers and different machines in the organization to safeguard them from outer assaults. Firewalls can behave based, which are designed on a for every waiter premise utilizing administrations like IPTables or UFW. Others, such as DigitalOcean Cloud Firewalls, are network-based and stop traffic at the organization layer before it arrives at the server.
Impact :
Cassandra gives clients and ventures a straightforward organization interaction to rapidly introduce a Cassandra bunch in a solitary locale across various zones. Each group additionally incorporates a virtual machine that gives a total arrangement of improvement assets including code models, docs, and information joining instruments. Alternatively, DataStax Luna additionally gives membership-based help to open-source Cassandra. DataStax Luna endorsers get the advantages of open-source programming, with direct admittance to driving Cassandra contributors. This module decides or in similar terms to be said that, this plugin guarantees whether TCP port 7001 for Cassandra is available to people in general. Additionally, it comprises substantial advances or measures to be taken to stay away from undesirable weakness to all IP tends to ranges for example 0.0.0.0/0. While a few ports, for example, HTTP and HTTPS are needed to be available to general society to work appropriately, more delicate administrations, for example, Cassandra ought to be confined to realized IP addresses.
Steps to Reproduce :
- Login to the digital ocean console.
- Select Networking under the MANAGE section.
- Switch to the Firewalls tab.
- Select a firewall from the given lists.
- Check under Inbound Rules and/or Outbound Rules, if the Type is set to All TCP/custom, Protocol as TCP and Port Range includes either All ports or port 7001, visit the Steps for Remediation section.
- Repeat the process for other firewalls with open cassandras as well.
Steps for Remediation :
- Login to the digital ocean console.
- Select Networking under the MANAGE section.
- Switch to the Firewalls tab.
- Select a firewall from the given lists.
- Check under Inbound Rules and/or Outbound Rules, if the Type is set to All TCP/custom, Protocol as TCP and Port Range includes either All ports or port 7001, we will have to change the source and destination for the port to enhance security.
- Select the rule in which port 7001 is open to all source or destination by clicking on More, click on Edit Rule.
- Under Sources remove All IPv4 and All IPv6 options, add the eligible source (in Inbound Rules) / destination (in Outbound Rules) IP address and click on Save.
- Repeat the process for other open cassandras as well.