Limiting access to xo-lite to a specific IP address or subnet
-
Hello, everyone.
I have just come across this discussion on Reddit https://www.reddit.com/r/xcpng/comments/1m9jz2h/83_without_xo_lite/
The moment I read it, I wondered whether there might be a workaround to limit access to xo-lite to only a specific IP address, a range of addresses, or a subnet?
Thanks
-
I'm not aware of such a workaround. The usual best practices:
- The host shouldn't be exposed publicly, XOA can do that and act as a "proxy"
- You can indeed disable XO Lite, it makes sense in case you also want to disable SSH
I'm adding @Team-OS-Platform-Release to the conversation to see if there's a way to do that, but I'm afraid it's only possible with custom iptables rules
-
@olivierlambert Thank you for replying. Here we get a wider question - is there a built-in firewall in XCP-ng? I don't see any signs of netfilter, iptables, ufw, etc. on the XCP-ng host. So, it would be very helpful if you could shed some light on this matter.
I also don't understand how disabling xo-lite may be related to disabling SSH.
@olivierlambert said in Limiting access to xo-lite to a specific IP address or subnet:
You can indeed disable XO Lite, it makes sense in case you also want to disable SSH
SSH is way easier to protect by enforcing private key authentication, while xo-lite may be just a target for brute-forcing. So, yes, what makes sense is that we limit what ports are exposed and who can access them.
-
Of course there's a firewall, but Dom0 is still not meant to be exposed outside an internal management network. So the best practice is isolating the management network, that's your first layer of defense.
In case you want to reduce the attack surface of the next layers, I suggested disabling both SSH and XO Lite, making it a true appliance with XAPI as the only open service. It's not technically connected, just functionally reducing the attack surface inside an already trusted network (if you want to get there).
About iptables, there's
/etc/sysconfig/iptables
but I'm not sure it's the right place to put manual modifications, that's why I pinged @Team-OS-Platform-Release
-
Without changing iptables rules (that's not very flexible and could conflict with XAPI's handling of the rules), there's a way to disable the webserver.
https://docs.xcp-ng.org/management/manage-locally/xo-lite/#disabling-xo-lite
-
This changes nothing regarding brute-forcing. XAPI still listens to RPC requests on port 443.
-
@olivierlambert said in Limiting access to xo-lite to a specific IP address or subnet:
About iptables, there's /etc/sysconfig/iptables but I'm not sure it's the right place to put manual modifications, that's why I pinged @Team-OS-Platform-Release
In a way that's the right place, but one needs to be careful with modifications there.
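For readers who do go the iptables route discussed above (the /etc/sysconfig/iptables file and the "be careful with modifications there" warning), here is an added example of what such rules look like. It is not code from this thread or from the XCP-ng project. It renders rules in iptables-save syntax that accept TCP/443 on the management interface only from an allow-list of CIDRs and reject it from anywhere else. The chain name RH-Firewall-1-INPUT and the interface name xenbr0 are assumptions; check them with `iptables -S` on your own host before using the output. Because XAPI itself serves port 443 (as noted in the thread), the allow-list must include every XAPI client you rely on: XOA, the other pool members, and your admin workstations.

```shell
#!/bin/sh
# Added example for this forum thread; not XCP-ng project code. Renders iptables
# rules (iptables-save syntax, as used in /etc/sysconfig/iptables) that restrict
# TCP/443 on the Dom0 management interface to trusted CIDRs.
#
# ASSUMPTIONS (verify with `iptables -S` on your host):
#   - the input chain is named RH-Firewall-1-INPUT
#   - the management interface is xenbr0
# XAPI and XO Lite share port 443, so every XAPI client (XOA, other pool
# members, admin hosts) must be in the allow-list or it loses access too.

# Crude IPv4 CIDR syntax check (constructed helper): dotted quad plus /0-32.
# It does not range-check each octet; iptables-restore will reject bad values.
is_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# render_443_allowlist CHAIN IFACE CIDR...
# Prints one ACCEPT line per CIDR followed by a catch-all REJECT. The output
# belongs in /etc/sysconfig/iptables *before* the stock "--dport 443 -j ACCEPT"
# line: rules in a chain are evaluated top to bottom and the first match wins,
# so the REJECT shadows the stock ACCEPT for everything not allowed above it.
render_443_allowlist() {
    chain=$1
    iface=$2
    shift 2
    [ $# -gt 0 ] || { echo "render_443_allowlist: no CIDRs given" >&2; return 1; }
    for cidr in "$@"; do
        is_cidr "$cidr" || { echo "render_443_allowlist: invalid CIDR: $cidr" >&2; return 1; }
        printf '%s\n' "-A $chain -i $iface -s $cidr -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT"
    done
    # Same reject style as the stock RH-Firewall-1-INPUT tail rule.
    printf '%s\n' "-A $chain -i $iface -p tcp -m tcp --dport 443 -j REJECT --reject-with icmp-host-prohibited"
}

# Usage with constructed sample subnets: a management LAN and one XOA host.
render_443_allowlist RH-Firewall-1-INPUT xenbr0 10.0.0.0/24 192.168.100.5/32
```

Paste the rendered lines into /etc/sysconfig/iptables ahead of the existing port 443 ACCEPT rule and reload the iptables service. Since a mistake here cuts off XAPI and XO Lite at the same time, keep a local console (or an existing SSH session) open while you reload, and confirm with `iptables -S` that XAPI's own rule handling has not reordered or dropped your lines.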