1

I'm running a Docker container in a Kubernetes cluster running in AWS. I exposed the container through a LoadBalancer service and limited access to it to just my IP address using AWS security groups, but I'm still getting GET/POST requests that seem to be brute-forcing the endpoints of the application.

[Illustration: screenshot of the request log; image not available]

My question is: how is this possible even though I limited access to just my IP address? And how could I mitigate this issue?

Sadmi
  • Are you sure the security group is really applied? – ThoriumBR Feb 16 '21 at 18:05
  • I just found that the LoadBalancer belongs to a security group that allows access to port 80. I suspect this was the reason, so I changed the security group to the masters' security group, to which I applied the restriction. I'm watching to see if that's the reason. – Sadmi Feb 16 '21 at 18:09
  • You don't need to wait: use a proxy and try to access your endpoint. – ThoriumBR Feb 16 '21 at 18:13
  • You mean something like Traefik? – Sadmi Feb 16 '21 at 18:15
  • No, something like "Google free proxy list", define one as your proxy and try to access the endpoint. – ThoriumBR Feb 16 '21 at 20:55

2 Answers

1

I figured out the issue and I want to share my case.

When creating a service that exposes a pod as a LoadBalancer, AWS creates a security group for this LoadBalancer, and as the port exposed by my container was 80, the security group allows requests from anywhere to this port, so I changed the security group.

As a takeaway, it's better to avoid using port 80 if possible, as this is always targeted since it's the default HTTP port.

Sadmi
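The answer above comes down to one fact: the security group AWS attaches to the LoadBalancer admitted port 80 from 0.0.0.0/0. The check below is an added example (not code from the thread or from AWS) that audits security-group ingress rules for exactly that condition. The rule data is constructed to mimic the `IpPermissions` shape returned by `aws ec2 describe-security-groups`, so it runs offline; the group IDs and CIDRs are placeholders.

```python
"""Audit AWS security-group ingress rules for ports open to the whole internet.

Added example, not from the original post. The groups below are constructed
in the `IpPermissions` shape of `aws ec2 describe-security-groups`; ids and
CIDRs are placeholders.
"""
import ipaddress

# Constructed sample: the auto-created LoadBalancer group as described in the
# question (port 80 from anywhere), beside a corrected group that admits only
# the operator's own address (placeholder /32).
SAMPLE_GROUPS = {
    "sg-PLACEHOLDER-elb": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
    "sg-PLACEHOLDER-restricted": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "198.51.100.10/32"}], "Ipv6Ranges": []},
    ],
}

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


def rule_covers_port(rule, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "all traffic" rule: every port, every protocol
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def world_open_cidrs(rules, port):
    """Return the CIDRs in `rules` that admit the entire internet to `port`."""
    found = []
    for rule in rules:
        if not rule_covers_port(rule, port):
            continue
        for r in rule.get("IpRanges", []):
            if ipaddress.ip_network(r["CidrIp"]) == ANY_V4:
                found.append(r["CidrIp"])
        for r in rule.get("Ipv6Ranges", []):
            if ipaddress.ip_network(r["CidrIpv6"]) == ANY_V6:
                found.append(r["CidrIpv6"])
    return found


def audit(groups, port=80):
    """Map each group id to the world-open CIDRs it carries for `port`."""
    return {gid: world_open_cidrs(rules, port) for gid, rules in groups.items()}


if __name__ == "__main__":
    for gid, cidrs in audit(SAMPLE_GROUPS).items():
        status = "OPEN TO WORLD" if cidrs else "restricted"
        print(f"{gid}: {status} {cidrs}")
```

On the Kubernetes side, the same restriction can be declared on the Service itself with `spec.loadBalancerSourceRanges`, which the AWS cloud provider applies to the load balancer's security group; auditing the group afterwards, as above, confirms that the declared ranges actually landed.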
0

These requests are coming from your private network, not from the public internet.

172.20.76.173 is part of the 172.16.0.0/12 subnet, which is dedicated for private networks. See https://en.wikipedia.org/wiki/Private_network for more info.

Is it possible that the security policy that you created is only applied to the public interface, and not the private interface?

mti2935
  • I'm invoking the web service from my local machine and it shows a local address. I think it's showing the address from where it's invoked in the k8s cluster; these addresses are very near to the local addresses of the nodes – Sadmi Feb 16 '21 at 18:14
  • Yeah, in most k8s environments there'll be at least one reverse proxy in the mix somewhere, so the IP address that shows in the container will not be the real client address. At a guess that address is the address of the reverse proxy server (a.k.a. ingress) – Rory McCune Feb 16 '21 at 20:02
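The second answer and the comment above make two points: 172.20.76.173 is an RFC 1918 private address, and in a cluster with an ingress or other reverse proxy it is the proxy's address, not the client's. The added example below (not code from the thread) shows both: it classifies the peer address the container sees, and it recovers the real client from `X-Forwarded-For` by walking the header from the right and skipping only hops inside a trusted proxy range. The sample requests, the trusted proxy range and the allowlisted address are constructed placeholders; the only value taken from the thread is 172.20.76.173.

```python
"""Classify the peer address a container sees and recover the real client.

Added example, not from the original post. Requests, proxy ranges and the
allowlist below are constructed; 172.20.76.173 is the address from the thread.
"""
import ipaddress

# RFC 1918 private ranges; 172.20.76.173 falls inside 172.16.0.0/12.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if `addr` lies in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def client_ip(remote_addr, xff_header, trusted_proxies):
    """Best estimate of the real client behind a chain of proxies.

    The chain is the X-Forwarded-For hops followed by the peer address the
    container actually saw. Walking from the right, every hop inside a trusted
    proxy range was appended by our own infrastructure; the first hop that is
    not trusted is the client. Anything further left was supplied by the
    client itself and may be forged, so it is never used.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(a):
        return any(ipaddress.ip_address(a) in net for net in trusted)

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    chain = hops + [remote_addr]
    for hop in reversed(chain):
        if not is_trusted(hop):
            return hop
    return remote_addr  # whole chain is our own proxies: internal traffic


# Constructed sample requests as the container would log them: the peer
# address it sees plus the X-Forwarded-For header the ingress added (if any).
SAMPLE_REQUESTS = [
    {"remote": "172.20.76.173", "xff": "203.0.113.7, 172.20.76.173", "path": "/admin"},
    {"remote": "172.20.76.173", "xff": "198.51.100.10", "path": "/"},
    {"remote": "172.20.76.173", "xff": "", "path": "/healthz"},
    # Client-forged leftmost value: must not be mistaken for the allowlisted address.
    {"remote": "172.20.76.173", "xff": "198.51.100.10, 203.0.113.7", "path": "/wp-login.php"},
]
TRUSTED_PROXIES = ["172.16.0.0/12"]     # placeholder: in-cluster ingress/node range
ALLOWED_CLIENTS = ["198.51.100.10/32"]  # placeholder: the operator's own address


def analyze(requests, trusted_proxies, allowed_clients):
    """Annotate each request with the recovered client and allowlist verdict."""
    allowed = [ipaddress.ip_network(n) for n in allowed_clients]
    out = []
    for req in requests:
        real = client_ip(req["remote"], req["xff"], trusted_proxies)
        out.append({
            "path": req["path"],
            "seen": req["remote"],
            "seen_is_private": is_rfc1918(req["remote"]),
            "client": real,
            "allowed": any(ipaddress.ip_address(real) in n for n in allowed),
        })
    return out


if __name__ == "__main__":
    for row in analyze(SAMPLE_REQUESTS, TRUSTED_PROXIES, ALLOWED_CLIENTS):
        print(row)
```

The allowlist verdict here is only a logging aid; the enforcement point remains the security group or `loadBalancerSourceRanges` in front of the load balancer, which sees the client's true source address before any proxy rewrites it.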