a year ago
Hi,
I have a static IP configured. The payment provider demanded an ASV report on the static IP. We found two vulnerabilities. Can we stop traffic initiated from outside from reaching the static IP server, or remediate the vulnerabilities? We have explained that the traffic is only outbound, but the payment provider demanded the ASV scan.
They will block our payment calls if we can't resolve this.
The vulnerabilities are related to OpenSSH:
CVE-2023-51767
CVE-2023-28531
Thanks,
11 Replies
a year ago
Hi there, you should be able to set up an additional service as a firewall to stop inbound traffic. Will also ask the team if this is an upgrade we can do but given the payment provider is requiring this, the fastest path might be blocking the incoming traffic.
Status changed to Awaiting User Response Railway • about 1 year ago
a year ago
Thank you. I am waiting for your team's reply.
Status changed to Awaiting Railway Response Railway • about 1 year ago
a year ago
Hey, we cannot guarantee this upgrade in the short term, hence I was recommending setting up an additional service that can stop the inbound traffic, as that might be the quickest way around this.
Status changed to Awaiting User Response Railway • about 1 year ago
a year ago
Hi,
Can you guide me on how to deploy the firewall service?
Thanks,
Fahad
Status changed to Awaiting Railway Response Railway • about 1 year ago
a year ago
Hi Fahad, we're unable to guide you on setting up a firewall, but I can give you a starting point.
You might consider deploying a reverse proxy or using a third-party firewall service that can be configured to block incoming traffic. You can check our templates to see if there are any good fits for your use case (https://railway.com/templates), or use external services like Cloudflare for DDoS protection and firewall capabilities.
For more detailed guidance on managing public networking and understanding how Railway handles inbound traffic, you can check our Public Networking documentation: https://docs.railway.com/reference/public-networking
Status changed to Awaiting User Response Railway • about 1 year ago
a year ago
Hi,
Is the outbound Static IP shared?
Thanks,
Fahad
Status changed to Awaiting Railway Response Railway • about 1 year ago
a year ago
Yes, the static outbound IP may be shared with other customers. You can check out our docs on it here: https://docs.railway.com/reference/static-outbound-ips
Status changed to Awaiting User Response Railway • about 1 year ago
a year ago
I am mentioning this because I am not sure how to put the shared static IP behind the Cloudflare firewall. However, if that is not possible, the static IP should be behind a stateful firewall that doesn't allow inbound traffic. I'm not sure why I can reach an outbound-only IP that shouldn't be reachable. Moreover, it has a vulnerability.
We need a solution for the vulnerable outbound static IP.
Status changed to Awaiting Railway Response Railway • about 1 year ago
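The "stateful firewall that doesn't allow inbound traffic" described in the post above, written out as an nftables ruleset. This is an added example, not configuration from the thread or from Railway; it assumes a Linux host or proxy container you operate yourself where nftables is available (the interface name and log prefix are illustrative choices).

```nft
#!/usr/sbin/nft -f
# Added example, not from the Railway thread or Railway's own configuration.
# Assumes a Linux host (or a proxy/firewall container you run) with nftables.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback traffic is always allowed.
        iif "lo" accept

        # Stateful core: accept only packets that belong to connections this
        # host opened itself (replies to outbound traffic) and drop anything
        # that is not part of a known connection.
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 is needed for path MTU discovery and neighbour discovery.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Deliberately no rule for tcp dport 22 (or any other service): every
        # new inbound connection, including a scanner probing OpenSSH, hits the
        # drop policy. Log a rate-limited sample so scans are visible in syslog.
        limit rate 5/minute log prefix "nft-drop-inbound: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound connections (the payment API calls) are unrestricted.
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f ruleset.nft` and confirm with `nft list ruleset` that the input chain's policy is `drop` and that only `established,related` state is accepted. Note that this only helps on a host whose network stack you control; as the thread goes on to explain, the shared outbound IP block is not something a customer can put rules on, so the firewall has to sit on your own proxy or host.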
a year ago
Can you please provide any further information, reproduction steps on how you are able to successfully reach the static outbound IP with inbound traffic?
Status changed to Awaiting User Response Railway • about 1 year ago
a year ago
Hi Chandrika,
Sorry, I thought I had replied to you. I did scan with an ASV entity. I have attached the report. The IP is 34.168.253.122.
They were able to reach the IP 34.168.253.122 and do a vulnerability check.
Status changed to Awaiting Railway Response Railway • about 1 year ago
a year ago
We don't have firewall rules to prevent ingress to IP blocks we use for outbound traffic. You might be able to configure it behind some external proxy and send all traffic through it, but that's not something we support right now.
Status changed to Awaiting User Response Railway • about 1 year ago
Status changed to Solved Anonymous • about 1 year ago