From b825b2a5b92734113eae6c9c1176ec160ec8776b Mon Sep 17 00:00:00 2001
From: Tomas Olvecky
Date: Fri, 31 Jan 2014 15:13:40 +0100
Subject: [PATCH] Change unprotected netconf address from 0.0.0.0 to 127.0.0.1 .
Plaintext netconf server was bound to any local interface. This is a security risk because there is no authentication. The ssh server should be used as public endpoint instead.
Change-Id: I805ec065548e017dd2244d37e3275d379761e490
Signed-off-by: Tomas Olvecky
---
 .../src/main/resources/configuration/config.ini | 2 +-
 .../controller/netconf/util/osgi/NetconfConfigUtil.java | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/opendaylight/distribution/opendaylight/src/main/resources/configuration/config.ini b/opendaylight/distribution/opendaylight/src/main/resources/configuration/config.ini
index 47563b94cf..1ddfe1c7f3 100644
--- a/opendaylight/distribution/opendaylight/src/main/resources/configuration/config.ini
+++ b/opendaylight/distribution/opendaylight/src/main/resources/configuration/config.ini
@@ -13,7 +13,7 @@ osgi.bundles=\
 reference\:file\:../lib/jersey-server-1.17.jar@2:start
 # Netconf startup configuration
-netconf.tcp.address=0.0.0.0
+netconf.tcp.address=127.0.0.1
 netconf.tcp.port=8383
 netconf.tcp.client.address=127.0.0.1
diff --git a/opendaylight/netconf/netconf-util/src/main/java/org/opendaylight/controller/netconf/util/osgi/NetconfConfigUtil.java b/opendaylight/netconf/netconf-util/src/main/java/org/opendaylight/controller/netconf/util/osgi/NetconfConfigUtil.java
index f2f0419b9d..38563cba93 100644
--- a/opendaylight/netconf/netconf-util/src/main/java/org/opendaylight/controller/netconf/util/osgi/NetconfConfigUtil.java
+++ b/opendaylight/netconf/netconf-util/src/main/java/org/opendaylight/controller/netconf/util/osgi/NetconfConfigUtil.java
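Review bot: The new `netconf.tcp.address=127.0.0.1` value carries no comment saying why it must stay on loopback, so the reasoning lives only in the commit message and the next operator who wants remote access is likely to set it back to 0.0.0.0. Add a comment line directly above it, e.g. `# Plaintext NETCONF endpoint has no authentication: keep it bound to loopback and use the SSH endpoint for remote access`. The existing `# Netconf startup configuration` header is too generic to carry that warning on its own.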
@@ -57,7 +57,12 @@ public class NetconfConfigUtil {
 if (inetSocketAddressOptional.isPresent() == false) {
 throw new IllegalStateException("Netconf tcp address not found." + exceptionMessageIfNotFound);
 }
- return inetSocketAddressOptional.get();
+ InetSocketAddress inetSocketAddress = inetSocketAddressOptional.get();
+ if (inetSocketAddress.getAddress().isAnyLocalAddress()) {
+ logger.warn("Unprotected netconf TCP address is configured to ANY local address. This is a security risk. " +
+ "Consider changing {} to 127.0.0.1", PREFIX_PROP + InfixProp.tcp + ADDRESS_SUFFIX_PROP);
+ }
+ return inetSocketAddress;
 }
 public static Optional extractSSHNetconfAddress(BundleContext context, String exceptionMessage) {
-- 
2.36.6
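Review bot: The added `inetSocketAddress.getAddress().isAnyLocalAddress()` check has no null guard; `InetSocketAddress.getAddress()` returns null when the address is unresolved (for example a hostname in the property that did not resolve), which would turn this warn-only path into a NullPointerException before the address is returned. Hold the address in a local and guard it: `InetAddress addr = inetSocketAddress.getAddress();` followed by `if (addr != null && addr.isAnyLocalAddress()) {`. Given the commit message's point that this endpoint has no authentication, a bind to a specific non-loopback interface is exposed just as much as the wildcard, so warning on `addr != null && !addr.isLoopbackAddress()` (with the message reworded accordingly) would cover both cases. The enclosing method begins before this hunk, so how the InetSocketAddress is constructed is not visible here.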