[HIGH] Cockpit admin panel exposed on port 9090 (ai1/cortex) #31

Open
opened 2026-05-05 17:51:42 -05:00 by pjennings · 0 comments
Owner

Description

Port 9090 (Cockpit web admin panel) is open on ai1/cortex (10.1.11.9) and accessible on the local network.

Finding Details

  • Host: ai1/cortex (10.1.11.9)
  • Port: 9090/tcp
  • Service: Cockpit (web-based server management)
  • Discovered by: nmap network scan (2026-05-05)

Risk

Cockpit provides full server administration capabilities:

  • Terminal access
  • Service management
  • User management
  • Storage management
  • Network configuration
  • System updates

If this host is reachable from other network segments, an attacker gaining access to Cockpit could fully compromise the server.

Recommendations

  1. Restrict Cockpit to localhost — bind to 127.0.0.1 only
  2. Or restrict to management VLAN — if remote access is needed
  3. Enable TLS — Cockpit should use HTTPS only
  4. Require strong authentication — verify PAM configuration
  5. Consider disabling — if not actively used, disable the service

NixOS Configuration

services.cockpit = {
  enable = true;
  # Note: AllowUnencrypted = false only refuses plain-HTTP connections (HTTPS only);
  # it does not bind Cockpit to localhost. The listen address is controlled by
  # the cockpit systemd socket unit, not by this setting.
  settings.WebService.AllowUnencrypted = false;
  port = 9090;
};

Or add a firewall rule:

networking.firewall.allowedTCPPorts = lib.mkForce []; # Clears the whole TCP allow list, not only 9090; if other ports must stay open, drop 9090 from the list (or leave services.cockpit.openFirewall at its default of false) instead
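The following is an added example, not configuration from the issue or from the host, showing how recommendations 1, 3 and the firewall change fit together in one NixOS module. It assumes the NixOS cockpit module exposes its listener as `systemd.sockets.cockpit` (so the bind address can be overridden there) and uses `mgmt0` as a placeholder for the management-VLAN interface.

```nix
# Added example (not from the issue): hardened Cockpit configuration for a host
# such as ai1/cortex. Assumptions: the cockpit module's socket unit is
# systemd.sockets.cockpit, and "mgmt0" is a placeholder interface name.
{ config, lib, ... }:

{
  services.cockpit = {
    enable = true;
    port = 9090;
    # Do not open 9090 in the host firewall (this is also the module default).
    openFirewall = false;
    settings.WebService = {
      # Recommendation 3: refuse plain HTTP, serve HTTPS only.
      AllowUnencrypted = false;
      # Accept browser/WebSocket origins only for the loopback names used
      # when reaching Cockpit through an SSH tunnel.
      Origins = "https://localhost:9090 https://127.0.0.1:9090";
    };
  };

  # Recommendation 1: bind the listener to loopback only. services.cockpit.port
  # sets the port but not the address; the address lives on the systemd socket.
  # The leading "" clears the module's default ListenStream before adding ours.
  systemd.sockets.cockpit.listenStreams = lib.mkForce [ "" "127.0.0.1:9090" ];

  # Recommendation 2 (alternative): if remote access is genuinely required,
  # leave the loopback-only line above out and open 9090 only on the
  # management-VLAN interface instead of globally.
  # networking.firewall.interfaces."mgmt0".allowedTCPPorts = [ 9090 ];
}
```

After `nixos-rebuild switch`, `ss -ltn` should show 9090 bound to `127.0.0.1` only, and an nmap re-scan from another segment should no longer report the port.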

References

  • Cockpit Documentation: https://cockpit-project.org/
  • Related: docs/network-scan-2026-05-05.md (Finding F5)