
Security vulnerability with default setup

Open · Deams51 opened this issue 4 years ago · 1 comment

The current setup guide for Linux (here) is unsafe. It's not your role to take care of the server's security, but what do you think about adding a comment at the end about it?

After just a week, one of our servers got infected by the kinsing malware, a cryptocurrency miner. The issue has been documented here.

It could be avoided easily by for example setting up the firewall on the server to prevent access to the redis instance:

sudo ufw default deny incoming   # drop every inbound connection unless explicitly allowed
sudo ufw default allow outgoing  # the server may still reach out (package updates, etc.)
sudo ufw allow ssh               # keep remote administration reachable
sudo ufw allow 8080              # trains-server web UI
sudo ufw allow 8081              # trains-server file server
sudo ufw allow 8008              # trains-server API server
sudo ufw enable                  # activate the rule set (redis, mongo, elastic stay unreachable)

Deams51 · Jun 03 '20 16:06
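A small audit script, added here as an example and not part of the issue or of the trains-server project, that checks which listening TCP ports would be reachable from outside against the same allowlist the ufw rules above express (ssh, 8080, 8081, 8008). The listener list is a constructed sample in the format of the Local Address:Port column of `ss -Hltn`; `audit_live` assumes `ss` from iproute2 is installed.

```shell
#!/bin/sh
# Constructed sample: what `ss -Hltn | awk '{print $4}'` might print on an
# unfirewalled docker-compose host (redis 6379 and mongo 27017 exposed on 0.0.0.0,
# elasticsearch 9200 bound to loopback only).
SAMPLE_LISTENERS='0.0.0.0:22
0.0.0.0:8080
0.0.0.0:8081
0.0.0.0:8008
0.0.0.0:6379
127.0.0.1:9200
0.0.0.0:27017
[::]:22'

# Ports the ufw rules in the issue intend to expose (ssh is 22).
ALLOWED_PORTS="22 8080 8081 8008"

# exposed_ports LISTENERS ALLOWLIST
#   LISTENERS: newline-separated "addr:port" entries; ALLOWLIST: space-separated ports.
#   Prints, space-separated and sorted, every port that is bound on a non-loopback
#   address and is not in the allowlist, i.e. what the firewall must block.
exposed_ports() {
  printf '%s\n' "$1" | while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    addr=${entry%:*}
    port=${entry##*:}
    case "$addr" in
      127.*|'[::1]') continue ;;   # loopback binds are not reachable from the network
    esac
    ok=0
    for p in $2; do
      [ "$p" = "$port" ] && ok=1
    done
    [ "$ok" -eq 1 ] || printf '%s\n' "$port"
  done | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# audit_live: run the same check against the real socket table (assumes iproute2's ss).
audit_live() {
  exposed_ports "$(ss -Hltn | awk '{print $4}')" "$ALLOWED_PORTS"
}

echo "Ports reachable from outside but not in the allowlist (sample): $(exposed_ports "$SAMPLE_LISTENERS" "$ALLOWED_PORTS")"
```

On the sample the output is `6379 27017`; an empty result from `audit_live` after `ufw enable` is the expected state, since ufw does not change what is bound, only what is reachable.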

Thanks @Deams51! That is a great idea, and I think it relates to more than just the Linux install; I guess it would apply to any AMI/GCP image as well (i.e. firewall setup).

Maybe we should have a short document like "Securing your Trains-Server" with the suggested firewall configuration section, and maybe a link to the "Web login authentication" instructions etc.

What do you think? Any chance you would start it with a quick PR?

bmartinn · Jun 03 '20 23:06