Allow TCP port forwarding to cloud VMs #107

Open
opened 2023-10-19 08:04:10 -04:00 by merenber · 4 comments
Owner

We have some firewall port exemptions on the public cloud IP address. We should use the NGINX stream module to forward TCP connections to cloud VMs.

IMPORTANT: we still need to comply with the university's security policies. In particular, this means that SSH, SMTP(S), and IMAP(S) are banned because we cannot enforce 2FA on those. So we will need some kind of periodic port scanner which checks if one of these services is running, and if so, disables the port forwarding, and also temporarily bans the user from creating any new port forwardings until they send an email to syscom.

Author
Owner

I also strongly suggest that we add Minecraft to the ban list, for the following reasons:

  1. Playing games on university infrastructure is not condoned.
  2. Minecraft has had some very serious security vulnerabilities over the past few years, such as [BleedingPipe](https://blog.mmpa.info/posts/bleeding-pipe) and [Fracturiser](https://arstechnica.com/information-technology/2023/06/dozens-of-popular-minecraft-mods-found-infected-with-fracturiser-malware/). It is not realistic to expect club members to be continuously monitoring security advisories and updating their software in a timely fashion. If a cloud VM gets compromised, that could have catastrophic consequences, because most CSC services implicitly assume that anyone on the campus network is trusted.

If someone wants to run their own Minecraft server, they should do so on AWS/GCP/Azure instead. They should be eligible for some free credits while they are a student.

merenber added the priority/low label 2023-10-19 08:28:13 -04:00
Owner

The easiest way to do it would be to use nginx stream proxy (http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html). We are already dealing with nginx configs with pyceo and this method involves literally 6 lines of code to make a proxy work:

```nginx
stream {
    server {
        listen $PUBLIC_PORT;
        proxy_pass $INTERNAL_IP:$INTERNAL_PORT;
    }
}
```
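As an added example (not pyceo's code), here is one way the periodic check proposed in the first comment could work against stream blocks of the shape shown above: it parses the forwardings out of the config, reads each upstream's greeting, and flags anything that identifies itself as SSH, SMTP or IMAP. The sample config and banners are constructed, and the regex assumes a bare numeric `listen` port with an `ip:port` upstream.

```python
import re
import socket

# One server{} block per forwarding, in the shape of the stream config above.
# Assumes a bare numeric `listen` port and an `ip:port` upstream.
SERVER_RE = re.compile(
    r"listen\s+(\d+)\s*;[^}]*?proxy_pass\s+([\d.]+):(\d+)\s*;")

# Constructed sample data, not taken from the CSC deployment.
SAMPLE_CONFIG = """
stream {
    server { listen 2222; proxy_pass 10.0.0.5:22; }
    server { listen 8443; proxy_pass 10.0.0.6:443; }
}
"""
FAKE_BANNERS = {("10.0.0.5", 22): b"SSH-2.0-OpenSSH_9.3\r\n",
                ("10.0.0.6", 443): b""}  # TLS servers send nothing first

def parse_forwardings(config):
    """Return [(public_port, internal_ip, internal_port), ...]."""
    return [(int(pub), ip, int(port)) for pub, ip, port in SERVER_RE.findall(config)]

def classify_banner(banner):
    """Name the banned protocol a server greeting belongs to, else None.
    SSH, SMTP and IMAP servers all speak first, so reading without sending
    anything suffices. FTP also greets with 220, so SMTP must name itself."""
    if banner.startswith(b"SSH-"):
        return "ssh"
    if banner.startswith(b"220") and b"SMTP" in banner.upper():
        return "smtp"
    if banner.startswith((b"* OK", b"* PREAUTH")):
        return "imap"
    return None

def grab_banner(host, port, timeout=3.0):
    """Connect to the upstream and read its greeting; b"" on any failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(128)
    except OSError:
        return b""

def find_violations(config, probe=grab_banner):
    """Forwardings whose upstream greets like a banned service; `probe` is
    injectable so the check can run without a network."""
    hits = []
    for pub, ip, port in parse_forwardings(config):
        proto = classify_banner(probe(ip, port))
        if proto:
            hits.append((pub, ip, port, proto))
    return hits
```

Each hit is a forwarding that should be removed from the generated config and reloaded out of nginx; the ban bookkeeping the first comment describes would sit on top of this result.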
Member

> I also strongly suggest that we add Minecraft to the ban list, for the following reasons:
>
>   1. Playing games on university infrastructure is not condoned.
>   2. Minecraft has had some very serious security vulnerabilities over the past few years, such as [BleedingPipe](https://blog.mmpa.info/posts/bleeding-pipe) and [Fracturiser](https://arstechnica.com/information-technology/2023/06/dozens-of-popular-minecraft-mods-found-infected-with-fracturiser-malware/). It is not realistic to expect club members to be continuously monitoring security advisories and updating their software in a timely fashion. If a cloud VM gets compromised, that could have catastrophic consequences, because most CSC services implicitly assume that anyone on the campus network is trusted.
>
> If someone wants to run their own Minecraft server, they should do so on AWS/GCP/Azure instead. They should be eligible for some free credits while they are a student.

Hm, one of the features that csc constantly uses to sell to new members is the ability to host a mc server.

Author
Owner

> Hm, one of the features that csc constantly uses to sell to new members is the ability to host a mc server.

I don't know who is "selling" this to new members, but in my opinion, they really shouldn't be, for the reasons mentioned above.

If someone wants to run Minecraft on a general-use machine using one of the existing port exemptions, we can't really stop them, but we should make it clear that this isn't condoned or supported.

Reference: public/pyceo#107