Hi Metabase community,
I need some help related to security and restriction of ports and IPs that Metabase needs to work correctly.
Currently we have Metabase deployed on EC2 (separate database on AWS RDS) and we are having some alerts from AWS related to attacks (a few in the last 2 months).
Our instances have been sending more than 30 GB a few days, indicating an attack, using our instances.
Running on Metabase v0.46.1 (12a6e1d release-x.46.x). I am executing the update to the latest now (Metabase 0.50.16)
Inbound (security group) allows only port 80 (http) and 443 (https)
Outbound (security group) allows everything. Here I could restrict it if we know which IPs and ports are required to run Metabase.
Here are more details:
Your AWS Abuse Report [0000] [AWS ID 0000]
Your EC2 instance has been implicated in activity that resembles a Denial of Service attack against remote hosts; please review the information provided below about the activity.
Remote IP/Ports:
88.169.161.231 80 Protocol: UDP
Total Gbits sent: 51.47485056
Total packets sent: 4468303
Total Gbits received: 0.0
Total packets received: 0
Average Gbits/sec sent: 1.775
Average Packets/sec sent: 154,079.4
It appears the instance(s) may be compromised and triggered an attack. It is advisable to update all applications and ensure the most current patches are applied.
My questions are:
- Do we have any analytics or data being sent from the Metabase server to external? Like Metabase cloud or other usage information?
- Do we have any known vulnerability having Metabase on AWS EC2 and Metabase on AWS Elastic Beanstalk?
- What are the ports required to run Metabase? With that I could add more restricted rules to block access.
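
An added example, not part of the original post and not Metabase or AWS code: a check of whether a security group's egress rules would have permitted the UDP/80 flow named in the abuse report above. The rule sets are constructed samples in the `IpPermissionsEgress` shape returned by `aws ec2 describe-security-groups`; the restricted set, port 5432 and the 10.0.0.0/16 range are assumptions for illustration, and only IPv4 ranges are evaluated.

```python
import ipaddress

# Constructed samples shaped like the IpPermissionsEgress list returned by
# `aws ec2 describe-security-groups`; not taken from the poster's account.
ALLOW_ALL = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
# Hypothetical tightened set: HTTPS anywhere, database port 5432 (assumed)
# only inside an assumed VPC range.
RESTRICTED = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]


def rule_matches(rule, protocol, port):
    """True if the rule covers this protocol and destination port."""
    proto = rule["IpProtocol"]
    if proto == "-1":  # all protocols, all ports; no FromPort/ToPort present
        return True
    if proto != protocol:
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def egress_allows(rules, protocol, port, dest_ip):
    """True if any IPv4 egress rule permits protocol/port to dest_ip."""
    dest = ipaddress.ip_address(dest_ip)
    return any(
        rule_matches(rule, protocol, port)
        and any(dest in ipaddress.ip_network(r["CidrIp"])
                for r in rule.get("IpRanges", []))
        for rule in rules
    )


def world_open(rules):
    """Rules whose destination is the whole IPv4 internet, as (proto, ports)."""
    return [
        (r["IpProtocol"], (r.get("FromPort"), r.get("ToPort")))
        for r in rules
        if any(x["CidrIp"] == "0.0.0.0/0" for x in r.get("IpRanges", []))
    ]


if __name__ == "__main__":
    flow = ("udp", 80, "88.169.161.231")  # flow named in the abuse report
    for name, rules in (("allow-all", ALLOW_ALL), ("restricted", RESTRICTED)):
        print(name, "permits UDP/80 flood:", egress_allows(rules, *flow))
        print(name, "open to 0.0.0.0/0:", world_open(rules))
```

Security groups are stateful, so replies to inbound connections on 80 and 443 are allowed regardless of the egress rules; only connections the instance itself initiates need an outbound rule.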