Ports open to public?

Hello,

i’ve seen that cells opens many ports on my outbound IP, like mentioned in
https://forum.pydio.com/t/used-ports-in-ipv6/2236/5

Looks like this on my machine:

Not shown: 64445 closed ports, 1013 filtered ports
PORT      STATE SERVICE
25/tcp    open  smtp
80/tcp    open  http
143/tcp   open  imap
443/tcp   open  https
587/tcp   open  submission
993/tcp   open  imaps
1305/tcp  open  pe-mike
2812/tcp  open  atmtcp
4222/tcp  open  vrml-multi-use
8080/tcp  open  http-proxy
32813/tcp open  unknown
32815/tcp open  unknown
33209/tcp open  unknown
33219/tcp open  unknown
33355/tcp open  unknown
33397/tcp open  unknown
33629/tcp open  unknown
33759/tcp open  unknown
33989/tcp open  unknown
34115/tcp open  unknown
34555/tcp open  unknown
34853/tcp open  unknown
35469/tcp open  unknown
35613/tcp open  unknown
35691/tcp open  unknown
35729/tcp open  unknown
35747/tcp open  unknown
36271/tcp open  unknown
36283/tcp open  unknown
36349/tcp open  unknown
36575/tcp open  unknown
36577/tcp open  unknown
36923/tcp open  unknown
37095/tcp open  unknown
37899/tcp open  unknown
38277/tcp open  unknown
38525/tcp open  unknown
38629/tcp open  unknown
39087/tcp open  unknown
39273/tcp open  unknown
39383/tcp open  unknown
39585/tcp open  unknown
39695/tcp open  unknown
39759/tcp open  unknown
39789/tcp open  unknown
40059/tcp open  unknown
40075/tcp open  unknown
40215/tcp open  unknown
40245/tcp open  unknown
40773/tcp open  unknown
41213/tcp open  unknown
41505/tcp open  unknown
41663/tcp open  unknown
41997/tcp open  unknown
42033/tcp open  unknown
42035/tcp open  unknown
42091/tcp open  unknown
42205/tcp open  unknown
42277/tcp open  unknown
42621/tcp open  unknown
42747/tcp open  unknown
42941/tcp open  unknown
43231/tcp open  unknown
43479/tcp open  unknown
43533/tcp open  unknown
44141/tcp open  unknown
44149/tcp open  unknown
44285/tcp open  unknown
44349/tcp open  unknown
44547/tcp open  unknown
44667/tcp open  unknown
44987/tcp open  unknown
45097/tcp open  unknown
45381/tcp open  unknown
45641/tcp open  unknown
46049/tcp open  unknown
46089/tcp open  unknown
46523/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 101.38 seconds

Pydiocells uses 8080, 4222, 5222 an a random range from 30000 to 50000 i think. I’d expect that this ports should only be visible and needed to localhost, so the first try was to firewall them with iptables. Accepting only connections from localhost but not from the outbound IP.
Result: Pydio does not startup correctly. Regarding the logfile it tries to connect via the outbound IP to this ports.

In the pydio.json i’ve seen something like that:

 "urlInternal": "https://localhost:8080"

I’m running cells behind an nginx-reverse-proxy for SSL.

So the main-question is:
How do i need to configure cells to not expose this ports to the public?

Thanks in advance!

Hello,

In Pydio, each microservice opens a port to communicate to others. It’s designed to be able to run in several nodes instead of only one server.

How do i need to configure cells to not expose this ports to the public?

  • Please use firewall of os to block all ports of cells.
  • nginx-reverse-proxy is one of recommended approaches.

Hi,

thanks for the reply. When i’m doing something like this with iptables Pydio won’t startup/work:

iptables -I INPUT 1 -p tcp -s 127.0.0.1 --dport 5222 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 5222 -j DROP

iptables -I INPUT 1 -p tcp -s 127.0.0.1 --dport 4222 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 4222 -j DROP

iptables -I INPUT 1 -p tcp -s 127.0.0.1 --dport 30000:50000 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 30000:50000 -j DROP

Maybe i’m doing it wrong here or i have to configure something else for this to work. After setting this rules nginx returns “503 Bad Gateway” and in the cells.log i’ve something like this:

{"level":"info","ts":"2020-08-22T12:01:00+02:00","logger":"pydio.gateway.dav","msg":"started"}
{"level":"error","ts":"2020-08-22T12:01:28+02:00","logger":"pydio.grpc.tasks","msg":"Streamer
PutTaskStream","error":"{\"id\":\"go.micro.client\",\"code\":500,\"detail\":\"Error creating stream: rpc error:
code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error:
desc = \\\"transport: Error while dialing dial tcp 37.xx.xx.xx:45597: i/o timeout\\\"\",\"status\":\"
Internal Server Error\"}"}

I think cells should listen only on localhost but it doesn’t. Where do i have to adjust this?

Edit:

It’s designed to be able to run in several nodes instead of only one server.

I don’t have this situation, i’m running Pydio private. So there is only one Server with one public IP (with an nginx, providing SSL)

Edit#2:

Sorry, i was totaly lost :wink: Replace all occuring nginx with apache.

I know this is an ancient post, but is there any way of re-assigning those ports to different ones? Pydio Cells is so fond of starting to grab ports willy-nilly, preventing other applications to start (or self-blocking itself when it cannot bind to whatever port it wants/needs).

I have sprinkled ‘safe’ ports on all entries that could find on pydio.json, but nevertheless Pydio Cells is always able to find another port to connect to, which I need for different purposes…

Hi @GwynethLlewelyn
TL:DR; start testing v4 :wink: it will use waaaay less ports !
-c

Sorry to be bumping an ancient post, but I can confirm that 4 does, indeed, use far less ports. It still uses way too many for my tastes :rofl: but they’re now also much easier to reassign!