4

We're using MAAS to manage our cluster. Nessus complains that our MAAS region controller is insecure, because it exposes iSCSI targets on its public IP without authentication. Here's what Nessus says:

3260/tcp
51368 - iSCSI Unauthenticated Target Detection

The following iSCSI targets allow unauthenticated access :

-iqn.2004-05.com.ubuntu:maas:ephemeral-ubuntu-amd64-hwe-x-xenial-release
-iqn.2004-05.com.ubuntu:maas:ephemeral-ubuntu-amd64-hwe-x-trusty-release
...

Is there a way to disable iSCSI support (I believe we don't use it) or protect these targets? Another option would be to have them listen on the master's internal IP only, rather than the public one. This would make them visible to the cluster machines, but invisible to the public.

Sjlver
  • 180

2 Answers2

3

MAAS uses the ISCSI targets for ephemeral Ubuntu booting. Ephemeral Ubuntu booting is done when a machine is being enlisted, commissioned, deployed, and disk erased. Removing these targets will cause MAAS to break and prevent machine deployment.

You can either modify tgt to listen only on the IP address that machines use to talk to MAAS or block tgt ports on your public interface with iptables.

Blake R
  • 431
  • 2
  • 6
  • 1
    Thanks. For reference, here's the firewall rule I added: ufw allow from 10.0.0.1/16 port 3260 proto tcp; ufw deny 3260/tcp. UFW evaluates rules in order, so that this should allow anybody on the internal network to access the targets, but block everybody else. – Sjlver Nov 29 '16 at 15:30
0

the targetcli command will give you a text based gui that makes it really easy to create, restart, update and delete iscsi targets.

to install it 

sudo apt-get install targetcli

to run it 

sudo targetcli
  • type ls to see what targets you have defined.
  • type cd to move up and down the tree
  • type delete PATH to delete objects in the PATH or omit PATH to delete all at current level.
  • type help to see a list of commands
  • type exit to exit
Amias
  • 5,246
  • Thanks! This probably allows me to remove the targets. I was hoping for a more MAAS-specific answer. In particular, I wonder if MAAS would stop working if I simply remove these targets? – Sjlver Nov 23 '16 at 17:15
  • This is interesting, but it won't work for MAAS, since MAAS will rewrite the target configuration periodically. – mpontillo Nov 29 '16 at 17:35