All ports are open, how to close them?

I have an app running on Fly and the problem is that all ports seem to be open on its IP addresses (tested both shared and dedicated). It’s causing our internal reports to show it as a vulnerability, even though it’s not.

Is there a way to close these ports and keep only 443 (or other ports in Fly toml config file) open? Thanks.

If you’re using a shared ip address, then all those ports are other apps. I’m not aware of any security vulnerability.

What you’re seeing is normal and it does not represent a security risk or misconfiguration. Here’s a detailed explanation.

A common element in vulnerability scans is doing a “port scan” on the destination IP and seeing which services/ports are “open”. Typically these scans will return the alarming but benign finding that “all ports are open on Fly.io servers!”.

From the outside it looks as though Fly.io has all ports open; connections on any port are forwarded to the Fly proxy, which explains why they are initially accepted, which is what a “does this port respond” test is doing. However, the proxy will correctly handle only the ports you declare in your configuration, using the handler you configured (typically https or http but you can also configure raw TCP handling which works like a “pass-through” to your service).

Crucially, the proxy will almost immediately close any connection for which the app owning the destination IP address does not have a configured service. You can test this by using nc or another “connect to port, send data” utility and trying to type some data to send to the service; the connection will close almost immediately, typically after you press ENTER or CTRL-D.

Consequently, the fact that the proxy accepts connections on all TCP ports does not constitute a vulnerability directly, nor does it mean that we’re running the service that’s usually hosted in the port in question (e.g. port 9 is the “discard” service but we do NOT run a “discard” service fleet-wide).

Regards,

Daniel
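The nc check described in the answer above, scripted so a report can show the distinction between "the proxy accepted and then dropped the connection" and "a service actually answered". This is an added example, not Fly.io's code; the two local listeners are constructed stand-ins for the two behaviours, and the host, port and timeout values are assumptions.

```python
import socket
import threading

# Added example (not Fly.io's code): a probe that distinguishes a port where the
# proxy merely accepts and then drops the connection from a port with a real
# service behind it. The two local listeners below are constructed stand-ins.

def _serve(handler):
    """Start a background TCP listener on 127.0.0.1 and return its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:            # closing the socket on exit is the "drop"
                handler(conn)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def proxy_like(conn):
    # Accept, wait for the client's first bytes, then close: no service is
    # configured for this port, so the connection goes nowhere.
    conn.recv(1024)

def echo_service(conn):
    # A real service reads the request and answers it.
    conn.sendall(b"reply: " + conn.recv(1024))

def classify_port(host, port, timeout=3.0):
    """Return 'closed', 'accepted-then-dropped', 'serving' or 'accepted-silent'."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"                # refused/unreachable: nothing listening
    with s:
        s.sendall(b"probe\r\n")        # same as typing a line into nc
        try:
            data = s.recv(1024)
        except socket.timeout:
            return "accepted-silent"   # open, but nothing spoke back in time
    return "serving" if data else "accepted-then-dropped"

PROXY_PORT = _serve(proxy_like)      # constructed stand-in for an unconfigured port
ECHO_PORT = _serve(echo_service)     # constructed stand-in for a configured service

if __name__ == "__main__":
    for name, port in (("proxy-like", PROXY_PORT), ("real service", ECHO_PORT)):
        print(name, port, classify_port("127.0.0.1", port))
```

Running the same classify_port against a scanner's "open" ports gives the report a column that separates accept-and-drop ports from ports that are actually served.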

I understand, thank you. It’s just a company policy that it runs these automated port checks periodically and they show up in the report. Is there any way to make Fly not listen on these ports at all on a dedicated IP address?

