...

Warning

We strongly advise against highly permissive security groups. Allowing access from any source (a CIDR of 0.0.0.0/0 for IPv4 or ::/0 for IPv6) means that anyone on the Internet can reach your instance. Limit the traffic to your instance to the smallest CIDR that still serves your use case.

Allowing access to all ports (port range 1:65535) means that anyone in the allowed CIDR can reach every service on your instance, including services that should only be reachable internally.

We monitor for security group rules which provide open access to specific ports. If we discover an open-access rule, it will be deleted. An "open access" security group rule is one where the CIDR is set to either 0.0.0.0/0 for IPv4 or ::/0 for IPv6. The security group rule deletion will be applied for the following ports:

  • 42, 1512: WINS

  • 88: Kerberos

  • 135, 137, 138, 139: NetBIOS/SMB/Samba

  • 389: LDAP

  • 445, 3268: Active Directory

  • 3389: Remote Desktop

  • 5985, 5986: WinRM

  • 9200: Elasticsearch

  • 27017: MongoDB

You can still configure access to these ports, but the rules must not be open access. Use a CIDR that names a specific address (a /32 for IPv4, a /128 for IPv6) or the narrowest network range you actually need when creating security group rules for these ports.
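The following Python script is an added example, not part of this page or of the OpenStack project, that applies the deletion policy above to a set of security group rules: it flags every ingress rule whose remote is 0.0.0.0/0 or ::/0 and whose port range covers one of the listed ports (so a 1:65535 rule counts as exposing all of them), and prints an `openstack security group rule create` command that recreates the rule with a host-sized CIDR. The rule records are constructed inline and shaped like the Neutron API's security group rule attributes (`remote_ip_prefix`, `port_range_min`, `port_range_max`, `protocol`, `direction`, `ethertype`, `remote_group_id`); the group name `sg-demo` and the address 203.0.113.10/32 are placeholders. One assumption goes beyond the page: a rule with neither `remote_ip_prefix` nor `remote_group_id` matches any remote in Neutron, so it is treated as open as well.

```python
"""Audit Neutron security group rules for the open-access pattern described
on this page and print the rules that would be deleted."""
import ipaddress

# Ports and services named in the deletion policy above.
MONITORED_PORTS = {
    42: "WINS", 1512: "WINS",
    88: "Kerberos",
    135: "NetBIOS/SMB/Samba", 137: "NetBIOS/SMB/Samba",
    138: "NetBIOS/SMB/Samba", 139: "NetBIOS/SMB/Samba",
    389: "LDAP",
    445: "Active Directory", 3268: "Active Directory",
    3389: "Remote Desktop",
    5985: "WinRM", 5986: "WinRM",
    9200: "Elasticsearch",
    27017: "MongoDB",
}


def is_open_access(rule):
    """True when the remote side of the rule is the whole address space.

    0.0.0.0/0 and ::/0 are the forms the page names.  Assumption added here:
    a rule with neither remote_ip_prefix nor remote_group_id matches any
    remote (Neutron's default), so it is counted as open as well.
    """
    if rule.get("remote_group_id"):
        return False  # remote is another security group, not a CIDR
    prefix = rule.get("remote_ip_prefix")
    if prefix is None:
        return True
    # strict=False so a sloppily written 10.0.0.0/0 is still recognised as /0
    return ipaddress.ip_network(prefix, strict=False).prefixlen == 0


def exposed_monitored_ports(rule):
    """Monitored ports that fall inside the rule's port range.

    protocol None means any protocol; port_range_min/max None means all
    ports.  Only tcp/udp (and any) rules carry destination ports; icmp
    rules reuse the fields for type/code and are skipped.
    """
    proto = (rule.get("protocol") or "any").lower()
    if proto not in ("any", "tcp", "udp"):
        return []
    low = rule.get("port_range_min") or 1
    high = rule.get("port_range_max") or 65535
    return sorted(p for p in MONITORED_PORTS if low <= p <= high)


def rules_to_delete(rules):
    """(rule, exposed ports) for every ingress rule the policy would remove."""
    hits = []
    for rule in rules:
        if rule.get("direction", "ingress") != "ingress":
            continue  # egress rules are not what the policy targets
        if not is_open_access(rule):
            continue
        exposed = exposed_monitored_ports(rule)
        if exposed:
            hits.append((rule, exposed))
    return hits


def replacement_command(rule, remote_cidr):
    """openstack CLI line that recreates the rule with a host-sized CIDR.

    Uses the flags of python-openstackclient's `security group rule create`
    (--ingress, --ethertype, --protocol, --dst-port, --remote-ip).  A rule
    with protocol None is rewritten as tcp; adjust if udp was intended.
    """
    low, high = rule.get("port_range_min"), rule.get("port_range_max")
    ports = f"{low}:{high}" if low and high else "1:65535"
    return (
        "openstack security group rule create --ingress"
        f" --ethertype {rule.get('ethertype', 'IPv4')}"
        f" --protocol {rule.get('protocol') or 'tcp'}"
        f" --dst-port {ports} --remote-ip {remote_cidr}"
        f" {rule['security_group_id']}"
    )


def _rule(rid, proto, lo, hi, prefix, group=None, direction="ingress", ethertype="IPv4"):
    """Build a constructed rule record (sample data, not from a real cloud)."""
    return {"id": rid, "security_group_id": "sg-demo", "direction": direction,
            "ethertype": ethertype, "protocol": proto, "port_range_min": lo,
            "port_range_max": hi, "remote_ip_prefix": prefix, "remote_group_id": group}


# Constructed sample rules: which ones the policy keeps and which it deletes.
SAMPLE_RULES = [
    _rule("r1", "tcp", 3389, 3389, "0.0.0.0/0"),                  # RDP to the world: deleted
    _rule("r2", "tcp", 22, 22, "0.0.0.0/0"),                      # SSH open, not on the list: kept
    _rule("r3", "tcp", 445, 445, "::/0", ethertype="IPv6"),       # SMB open over IPv6: deleted
    _rule("r4", "tcp", 1, 65535, "0.0.0.0/0"),                    # everything open: deleted
    _rule("r5", "tcp", 3389, 3389, "203.0.113.10/32"),            # RDP from one host: kept
    _rule("r6", "tcp", None, None, "0.0.0.0/0", direction="egress"),  # egress: kept
    _rule("r7", "udp", 137, 139, None),                           # no remote at all = any: deleted
    _rule("r8", "tcp", 389, 389, None, group="sg-internal"),      # remote is a group: kept
]

if __name__ == "__main__":
    for rule, ports in rules_to_delete(SAMPLE_RULES):
        names = ", ".join(f"{p}/{MONITORED_PORTS[p]}" for p in ports)
        print(f"DELETE {rule['id']} ({rule['remote_ip_prefix']}): {names}")
        print("  replace with:", replacement_command(rule, "203.0.113.10/32"))
```

Feed the output of `openstack security group rule list --long -f json` through the same functions (after mapping the CLI's column names onto the attribute names used here) to audit a real project before the monitoring deletes anything for you.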

For best practices, please read this informative blog on OpenStack Security.


Modify the default security group

...