
Default ports should be avoided #2

Open
akondasif opened this issue Jul 4, 2020 · 0 comments


Greetings,

We are security researchers and we are looking for insecure coding patterns and configurations in microservice architecture repositories. In your repository, we have found instances of default port usage and HTTP without TLS.

According to a recent report, default port usages must be avoided: https://www.bleepingcomputer.com/news/security/most-cyber-attacks-focus-on-just-three-tcp-ports/#:~:text=According%20to%20the%20report%2C%20the,(Hypertext%20Transfer%20Protocol%20Secure).

Source: https://github.com/lbroudoux/cheese-quizz/blob/master/kafka-docker-compose.yml

Fix: #1

I am interested to know if you agree with the findings. Any feedback is appreciated.

Further details on default ports:

Data storage, MySQL 3306, ref: https://dev.mysql.com/doc/mysql-port-reference/en/mysql-ports-reference-tables.html
Data storage, Postgres 5432, ref: https://www.postgresql.org/docs/8.3/app-postgres.html
Data storage, MongoDB 27017, ref: https://docs.mongodb.com/manual/reference/default-mongodb-port/
Data transfer, RabbitMQ 5672, ref: https://www.rabbitmq.com/networking.html
Data transfer, Kafka 9092, ref: https://kafka.apache.org/07/documentation.html
Data transfer, HTTP 80, 443, ref: https://geekflare.com/default-port-numbers/
Data storage, Zookeeper 2181, ref: https://zookeeper.apache.org/doc/r3.1.2/zookeeperStarted.html
Monitoring, Zipkin 9411, ref: https://zipkin.io/pages/extensions_choices