From 44fd6a462a6ba40bd0017cc1b093c84986fb6538 Mon Sep 17 00:00:00 2001 From: Hermes VM Date: Wed, 27 May 2026 21:55:46 +0000 Subject: [PATCH] fix: bind DevOps dashboard ports to loopback --- dashboard/docker-compose.yml | 4 ++-- docs/vm-exposure-inventory.md | 7 +++---- docs/vm-security-blind-spots-roadmap.md | 23 +++++++++++++++++++++++ 3 files changed, 28 insertions(+), 6 deletions(-) diff --git a/dashboard/docker-compose.yml b/dashboard/docker-compose.yml index 1200572..bc91b66 100644 --- a/dashboard/docker-compose.yml +++ b/dashboard/docker-compose.yml @@ -26,7 +26,7 @@ services: - VM_SCRIPTS_PATH=/vm-scripts/VMs/HostingerVM - VM_LOG_DIR=/host-logs ports: - - '4004:4004' + - '127.0.0.1:4004:4004' networks: - default - platform_net @@ -65,7 +65,7 @@ services: NEXT_PUBLIC_DEVOPS_API_URL: https://api.bytelyst.com/devops container_name: devops-web ports: - - '3049:3000' + - '127.0.0.1:3049:3000' networks: - default - platform_net diff --git a/docs/vm-exposure-inventory.md b/docs/vm-exposure-inventory.md index 746bb01..90651b9 100644 --- a/docs/vm-exposure-inventory.md +++ b/docs/vm-exposure-inventory.md @@ -62,7 +62,7 @@ These listeners were bound on `0.0.0.0` and/or `[::]` during review. | `3030` | `chronomind-web` | `/root/bytelyst.ai/repos/learning_ai_clock/docker-compose.yml` | `clock.bytelyst.com` | `public-caddy` | Bound to `127.0.0.1` on 2026-05-27; keep Caddy route | | `3035` | `jarvisjr-web` | `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | none found in Caddy | `loopback-only` | Bound to `127.0.0.1` on 2026-05-27; still needs public/private product decision | | `3040` | `flowmonk-web` | `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | none found in Caddy | `loopback-only` | Bound to `127.0.0.1` on 2026-05-27; still needs public/private product decision | -| `3049` | `devops-web` | `/opt/bytelyst/bytelyst-devops-tools/dashboard/docker-compose.yml` | `devops.bytelyst.com` | `private-admin` with direct bypass | Fix old repo path drift, then bind loopback/private | +| `3049` | `devops-web` | `/opt/bytelyst/learning_ai_devops_tools/dashboard/docker-compose.yml` | `devops.bytelyst.com` | `private-admin` | Bound to `127.0.0.1` on 2026-05-27; still needs auth/private gate for Caddy route | | `3050` | `mindlyst-web` | `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | none found in Caddy | `loopback-only` | Bound to `127.0.0.1` on 2026-05-27; still needs public/private product decision | | `3055` | `nomgap-web` | orphan from older `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | none found in Caddy | `retire` | Retired on 2026-05-27; current Compose says Nomgap web is deployed to Vercel | | `3060` | `actiontrail-web` | `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | none found in Caddy | `loopback-only` | Bound to `127.0.0.1` on 2026-05-27; still needs public/private product decision | @@ -71,7 +71,7 @@ These listeners were bound on `0.0.0.0` and/or `[::]` during review. | `3085` | `invttrdg-web` | `/opt/bytelyst/learning_ai_invt_trdg/docker-compose.yml` | `invttrdg.bytelyst.com` | `public-caddy` | Bound to `127.0.0.1` on 2026-05-27; keep Caddy route | | `3100` | `loki` | `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | none found in Caddy | `loopback-only` | Bound to `127.0.0.1` on 2026-05-27 | | `3300` | `gitea-npm-registry` | non-Compose container labels absent | `gitea.bytelyst.com` | `public-caddy` with direct bypass | Bind loopback or private; keep Caddy route | -| `4004` | `devops-backend` | `/opt/bytelyst/learning_ai_devops_tools/dashboard/docker-compose.yml` | `api.bytelyst.com/devops/*` | `private-admin` with direct bypass | Bind loopback/private | +| `4004` | `devops-backend` | `/opt/bytelyst/learning_ai_devops_tools/dashboard/docker-compose.yml` | `api.bytelyst.com/devops/*` | `private-admin` | Bound to `127.0.0.1` on 2026-05-27; still needs auth/private gate for Caddy route | | `4010` | `peakpulse-backend` | `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | `api.bytelyst.com/peakpulse/*` | `public-caddy` | Host port removed by Compose recreate on 2026-05-27; keep Caddy route | | `4011` | `chronomind-backend` | `/root/bytelyst.ai/repos/learning_ai_clock/docker-compose.yml` | `api.bytelyst.com/chronomind/*` | `public-caddy` | Bound to `127.0.0.1` on 2026-05-27; keep Caddy route | | `4012` | `jarvisjr-backend` | `/opt/bytelyst/learning_ai_common_plat/docker-compose.ecosystem.yml` | `api.bytelyst.com/jarvisjr/*` | `public-caddy` | Host port removed by Compose recreate on 2026-05-27; keep Caddy route | @@ -114,8 +114,7 @@ These listeners were bound on `0.0.0.0` and/or `[::]` during review. ## Drift / Follow-Up Findings - `nomgap-web` was an orphan from an older Compose revision, had no Caddy route, and was retired on 2026-05-27. -- `devops-backend` runs from `/opt/bytelyst/learning_ai_devops_tools/dashboard/docker-compose.yml`. -- `devops-web` runs from `/opt/bytelyst/bytelyst-devops-tools/dashboard/docker-compose.yml`, an older path. Align this before changing devops dashboard port bindings. +- `devops-backend` and `devops-web` now run from `/opt/bytelyst/learning_ai_devops_tools/dashboard/docker-compose.yml`. - `gitea-npm-registry` has no Compose labels in Docker inspect output. Find its systemd/compose owner before changing `3300`. - `admin.bytelyst.com` points at `admin-web:3001`, but no `admin-web` container was present in `docker ps` during this inventory. diff --git a/docs/vm-security-blind-spots-roadmap.md b/docs/vm-security-blind-spots-roadmap.md index a2db40b..89cf32c 100644 --- a/docs/vm-security-blind-spots-roadmap.md +++ b/docs/vm-security-blind-spots-roadmap.md @@ -184,6 +184,7 @@ Effective `sshd -T` settings showed: - [x] Internal emulator/mail/observability ports `1025`, `8025`, `10000`, `1234`, `8081`, and `3100` are loopback-bound. - [x] Common-platform direct app/API bypasses are loopback-bound or removed from host publishing. - [x] Notes, Clock, and InvtTrdg direct app/API bypasses are loopback-bound. + - [x] DevOps dashboard/API direct private-admin bypasses are loopback-bound. - [ ] Add a `DOCKER-USER` chain policy to drop unsolicited traffic to non-approved published ports before Docker's accept rules. - [ ] Keep only `80/443` and intentionally public SSH exposed at the provider/firewall layer. - [ ] Add a recurring check that compares `ss -ltn` and Docker published ports against the approved inventory. @@ -395,6 +396,7 @@ Effective `sshd -T` settings showed: - [x] Loopback-bound internal emulator/mail/observability ports `1025`, `8025`, `10000`, `1234`, `8081`, and `3100`. - [x] Closed/loopback-bound common-platform direct app/API bypasses. - [x] Loopback-bound Notes, Clock, and InvtTrdg direct app/API bypasses. + - [x] Loopback-bound DevOps dashboard/API direct private-admin bypasses. - [ ] Add `DOCKER-USER` default-deny rules for non-approved ports. - [ ] Harden SSH root/password access after key-based access is verified. - [ ] Put `ollama.bytelyst.com`, admin dashboards, and dev tooling behind private/auth-gated access unless explicitly approved as public. @@ -625,6 +627,27 @@ Minimum post-checks for Phase 1: - Docker wildcard publishes still to fix: Gitea direct port `3300`, DevOps dashboard/API `3049` and `4004`. - Host process still to fix: Ollama `11434`. +### 2026-05-27 — Phase 1 DevOps private-admin bypasses + +**Changed:** + +- Updated `/opt/bytelyst/learning_ai_devops_tools/dashboard/docker-compose.yml` so `devops-web` and `devops-backend` bind host ports only on `127.0.0.1`. +- Recreated `devops-backend` and `devops-web` without rebuilding images. + +**Verified:** + +- `docker compose config --quiet` passed in the DevOps dashboard directory. +- `devops-web` now publishes `127.0.0.1:3049->3000`. +- `devops-backend` now publishes `127.0.0.1:4004->4004` and is healthy. +- Local smoke checks returned HTTP `200` for `http://127.0.0.1:3049` and `http://127.0.0.1:4004/health`. +- `docker ps --format ... | grep 0.0.0.0` now shows only Caddy `80/443` and Gitea `3300` as Docker wildcard publishes. + +**Remaining wildcard direct exposure after this checkpoint:** + +- Expected public ingress: `22`, `80`, `443`. +- Docker wildcard publish still to fix: Gitea direct port `3300`. +- Host process still to fix: Ollama `11434`. + ## Do Not Start With - Rootless Docker migration.