Security issue with Redis on openBalena deployment


#1

I have started my experiments with openBalena on a DigitalOcean droplet,
and today I received a notification from DigitalOcean that
a scan by the Shadowserver Foundation shows an insecure Redis configuration
that might lead to local access to my droplet.

Is the openBalena Docker deployment using an Internet-facing Redis?
Are you aware of the potential issue in detail?

Would you agree that openBalena hosted on Ubuntu requires only tcp/443 towards the Internet, as the API, Docker registry and OpenVPN all go over the HTTPS port?

Thank you


#2

Hi @mko

Yes, an openBalena deployment only needs port 443 for the API, Registry, and VPN to be exposed on the internet, so you can safely firewall the rest of the services. The Redis instance we use in our cloud deployment is similarly isolated at the network level from the rest of the internet.
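A quick way to confirm the "only 443 exposed" expectation on the host itself is to audit which TCP listeners are bound to a wildcard address. The script below is an added example, not part of openBalena or of either post: it feeds `ss -tlnH`-style lines through a small `awk` filter and reports every wildcard-bound listener whose port is not in an allow-list. The sample `ss` output is constructed for illustration, not captured from a real droplet, and the allow-list of `443` follows the reply above (an admin would typically add their SSH port).

```shell
#!/bin/sh
# Added example (not openBalena's own tooling): list TCP listeners reachable
# from all interfaces on an openBalena host and flag any that are not in the
# expected allow-list. Per the reply above, only 443 needs to face the Internet.

ALLOWED_PORTS="443"   # space-separated; add your SSH port here if you need it

# audit_listeners: reads `ss -tlnH`-style lines on stdin and prints one line
# per listener bound to 0.0.0.0, [::] or * whose port is not allow-listed.
# Listeners bound to 127.0.0.1 (e.g. a correctly isolated Redis) are ignored.
audit_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        # Field 4 of ss output is "Local Address:Port", e.g. 0.0.0.0:6379 or [::]:443
        addr = $4
        port = addr; sub(/.*:/, "", port)      # text after the last colon
        host = addr; sub(/:[0-9]+$/, "", host) # text before the trailing :port
        if ((host == "0.0.0.0" || host == "[::]" || host == "*") && !(port in ok))
            print "EXPOSED " host " port " port
    }'
}

# Constructed sample of `ss -tlnH` output (hypothetical, not from a real host).
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1,fd=3))
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:* users:(("haproxy",pid=2,fd=5))
LISTEN 0 511 0.0.0.0:6379 0.0.0.0:* users:(("redis-server",pid=3,fd=6))
LISTEN 0 511 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=4,fd=7))
LISTEN 0 4096 [::]:80 [::]:* users:(("haproxy",pid=2,fd=8))'

# On a live host run:  ss -tlnH | audit_listeners
printf '%s\n' "$SAMPLE" | audit_listeners
```

In the constructed sample the Redis listener on `0.0.0.0:6379` is reported, which is exactly the condition the Shadowserver scan in the first post would pick up; a Redis bound to `127.0.0.1` or reachable only on the Docker bridge network would produce no line. A host-level firewall (for example `ufw` allowing only `443/tcp` and your SSH port) is still worth keeping in place, since a listener can be re-bound to a wildcard address by a later configuration change.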