Port 6000/tcp open X11 - is it intended? Any security problems due to this?

Perm1990

Dabbler
Joined
Feb 25, 2016
Messages
43
Hello.

Just scanned my FreeNAS and got port 6000/tcp as open (X11).

Is it a security problem to have X11 accessible via the network? If yes, how can I close it?

Thanks in advance.
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
This is something that would need to be submitted as a bug report / feature request. It is not modifiable from the FreeNAS web GUI and you can't be certain that any change not made from the GUI will be persistent across reboots.

Since there is no X server running on the FreeNAS system, I would say it is a false positive, but there could easily be some vulnerability I am not aware of.
 

Arwen

MVP
Joined
May 17, 2014
Messages
3,611
In some ways, the best scan is internal. On Linux, that is:

Code:
netstat --listen -n | grep -v ^unix

This will list internals as well (meaning listening on the loopback network interface). Those may not be a security issue...

For example, after I rebuilt my Cloud VM, I found this stupid avahi thing loaded. Completely inappropriate for a server. So I disabled and removed its packages.
 

millst

Contributor
Joined
Feb 2, 2015
Messages
141
It's not for X11. It's for the FreeNAS middleware and is needed for TrueNAS HA.
 

xf01213

Cadet
Joined
Mar 19, 2019
Messages
1
Port 6000 is for the TrueNAS High-Availability (HA) [1] of iXsystems. Behind port 6000 an NGINX HTTP server and Python are running. Someone wanted to fix this with Bug 28031 [2] and Fix [3]. iXsystems rejected the fix. I would expect the port to be opened only when HA is configured. Additionally, SSL client certs could secure this communication.
A manual solution to close the port; unfortunately you have to repeat it after each update:

Code:
find / -name main.py

==> In FreeNAS-11.2-U2.1 it is /usr/local/lib/python3.6/site-packages/middlewared/main.py
Edit with vi and search for 0.0.0.0. The request is a bit different from the old patch:
Current:

Code:
web.TCPSite(runner, '0.0.0.0', 6000, reuse_address=True, reuse_port=True).start()

Change to:

Code:
web.TCPSite(runner, '127.0.0.1', 6000, reuse_address=True, reuse_port=True).start()

Save, reboot, the port is closed now, done.

[1] https://www.ixsystems.com/blog/truenas-high-availability-ha-explained/#
[2] https://redmine.ixsystems.com/issues/28031
[3] https://github.com/freenas/freenas/pull/740/files
 
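An added example that is not from any post in this thread: a small audit in the spirit of Arwen's "internal scan" that reads listening-socket output and flags services bound to a wildcard address rather than to loopback, which is exactly the difference between the `0.0.0.0` and `127.0.0.1` binds above. The input format follows FreeBSD `sockstat -4l`; the sample lines are constructed, not captured from a real FreeNAS box.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sockstat-style sample:
# the wildcard "*:6000" listener is what an external nmap scan sees as open,
# while "127.0.0.1:6000" is only reachable from the box itself.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     python3.6  1234  5  tcp4   *:6000                *:*
root     nginx      2345  6  tcp4   127.0.0.1:80          *:*
root     sshd       321   3  tcp4   192.168.1.10:22       *:*
root     python3.6  1234  6  tcp6   *:6000                *:*
www      nginx      2345  7  tcp4   127.0.0.1:6000        *:*'

# wildcard_listeners: read sockstat output on stdin (header skipped) and print
# "PROTO LOCAL_ADDRESS COMMAND" for every TCP socket whose local address is a
# wildcard (*, 0.0.0.0 or ::), i.e. one that answers on every interface.
wildcard_listeners() {
    awk 'NR > 1 && $5 ~ /^tcp/ {
        addr = $6
        n = split(addr, parts, ":")          # port is the last ":"-field
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "*" || host == "0.0.0.0" || host == "::" || host == "")
            print $5, addr, $2
    }'
}

# port_is_wildcard PORT: succeed (exit 0) if PORT has a wildcard listener
# in the sockstat output on stdin; useful as a post-update regression check.
port_is_wildcard() {
    wildcard_listeners | awk -v p="$1" '
        { n = split($2, a, ":"); if (a[n] == p) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Stand-alone run over the constructed sample; on a live FreeBSD system you
# would pipe `sockstat -46l` into the same functions instead.
printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners
```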

dipstick

Dabbler
Joined
Jul 11, 2016
Messages
13
xf01213 I am with you on this - ports should only be open if they are necessary and being used. For me this is basic security 101!
I scanned my new server with nmap to check and see that only the ports I expected to be open were open. 6000/tcp was unexpected!
If it is for HA on TrueNAS it should only be opened when HA is enabled.
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
xf01213 I am with you on this - ports should only be open if they are necessary and being used. For me this is basic security 101!
I scanned my new server with nmap to check and see that only the ports I expected to be open were open. 6000/tcp was unexpected!
If it is for HA on TrueNAS it should only be opened when HA is enabled.
There are a couple of things you must understand. First is that FreeNAS is intended to exist on a protected network. If your network is not secure, that is a problem outside the scope of FreeNAS. The second thing to understand is that FreeNAS is used as a development platform where new things are created and tested before they are moved up to the commercial product. They develop everything in FreeNAS to be compatible with TrueNAS.
Finally, FreeNAS is a gift, please don't criticize it too much.
 

JulianRenz

Cadet
Joined
Dec 11, 2019
Messages
2
There are a couple of things you must understand. First is that FreeNAS is intended to exist on a protected network. If your network is not secure, that is a problem outside the scope of FreeNAS. The second thing to understand is that FreeNAS is used as a development platform where new things are created and tested before they are moved up to the commercial product. They develop everything in FreeNAS to be compatible with TrueNAS.
Finally, FreeNAS is a gift, please don't criticize it too much.

Hi Chris, thank you for your answer. I specifically joined the forums to answer this post (Hi everybody, btw).
While I appreciate your answer, I must object to "FreeNAS is intended to exist on a protected network". There is no such thing, I'm afraid, even though we all wish there was. There are security incidents left and right as we speak, and a lot of them could be mitigated by keeping the attack surface of certain services to a minimum.

Going with that spirit, we all should be encouraged to only open listening ports when they are 100% needed (even more so when the underlying code that is listening is closed-source and nobody outside of iXsystems knows or can audit it). Since the HA feature is not present on FreeNAS (and cannot be, for good reasons), the port should really be closed on FreeNAS (or, even more secure, be closed on TrueNAS as well when the HA feature is not being used).

How this can be done to work with TrueNAS, I don't know (listening on 127.0.0.1 helps only FreeNAS users, I guess, since you probably want to connect to other TrueNAS servers on different machines; that's the whole point of HA, right?).

Another solution for FreeNAS users would be to add a firewall rule from within the FreeNAS shell like so:

Code:
sudo ipfw add 1000 deny all from any to me 6000

which possibly must be done after each reboot.

Please don't get me wrong, I appreciate what iXsystems does for the community by open-sourcing FreeNAS, but the requirement to only "exist on a protected network" is just impossible to fulfill, and we all should strive for systems that are as hardened as possible.

Thanks a lot - I'm looking forward to your answer.
Cheers, Julian
 

JulianRenz

Cadet
Joined
Dec 11, 2019
Messages
2
Since I don't know if port 6000 is used internally, adding

Code:
sudo ipfw add 999 allow ip from me to me 6000

just to be sure.
 

FFF

Dabbler
Joined
Mar 10, 2017
Messages
28
FYI @JulianRenz that solution seems to prevent the FreeNAS GUI from working even in a non-HA setup. It seems to just be talking to itself on that port over the loopback, so the following rules would work:

Code:
ipfw add 999 allow all from any to any via lo0
ipfw add 1000 deny all from any to me 6000
 

GrandpaRick

Cadet
Joined
Apr 29, 2019
Messages
3
Just a quick follow up to @FFF explaining how I made the rules survive reboots and they should survive updates (I haven't tested this yet).

1) Add two tunables under System > Tunables

Variable          Value              Type
firewall_enable   YES                rc
firewall_type     /data/ipfw.fules   rc

2) From a terminal, run

Code:
root@dozer[~]# echo "add 02000 deny ip from any to me 6000" > /data/ipfw.rules
root@dozer[~]# /etc/rc.d/ipfw start
root@dozer[~]# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
02000 deny ip from any to me 6000
65535 allow ip from any to any


Your rules should look the same
 

baniero

Dabbler
Joined
May 5, 2020
Messages
18
@GrandpaRick Thanks for that solution. So far it works and it shows port 6000 as "filtered" in nmap.

I followed your instructions but used "/data/ipfw.rules" instead of "/data/ipfw.fules" with "firewall_type"
 

NANDrew

Cadet
Joined
Aug 24, 2020
Messages
2
Just a quick follow up to @FFF explaining how I made the rules survive reboots and they should survive updates (I haven't tested this yet).

1) Add two tunables under System > Tunables

Variable          Value              Type
firewall_enable   YES                rc
firewall_type     /data/ipfw.fules   rc

2) From a terminal, run

Code:
root@dozer[~]# echo "add 02000 deny ip from any to me 6000" > /data/ipfw.rules
root@dozer[~]# /etc/rc.d/ipfw start
root@dozer[~]# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
02000 deny ip from any to me 6000
65535 allow ip from any to any


Your rules should look the same

This didn't work for me. I ended up performing all of those steps, but also ended up creating a post-init script in the FreeNAS web GUI which starts the ipfw service after 15 seconds, and this does work.

Code:
sleep 15; service ipfw start


@GrandpaRick Thanks for that solution. So far it works and it shows port 6000 as "filtered" in nmap.

I followed your instructions but used "/data/ipfw.rules" instead of "/data/ipfw.fules" with "firewall_type"

I did this too :wink:
 

NANDrew

Cadet
Joined
Aug 24, 2020
Messages
2
Update: This method doesn't seem to work either. As I am using Proxmox, I decided to just use the hypervisor firewall built into Proxmox.
 