Reputation: 1439
Secure Nexus against supply chain attacks
We switched from a publicly accessible reprepro Debian package repository (which was powered by an Apache web server) to the Sonatype Nexus Repository OSS, which is great piece of software. But we ran into one problem: When someone uploads a Debian package it's signed on the Nexus server, which we expose to our customers/the internet. In addition, the GPG key and passphrase is known to Nexus for package signing.
Or in other words: I am afraid of a similar situation like the SolarWinds supply chain attack. Scenario: Person attacks the publicly accessible Nexus server/Nexus itself, takes over Nexus, changes existing packages and resigns them with the GPG key/GPG passphrase. Then, malicious code is served to our customers.
I thought about exposing the file blob store directory as read only target to a publicly exposed web server and keep Nexus company internal. Sadly the internal file blob store layout is different, so that's not possible.
So my questions:
Is there a good way to expose the the blob storage in a Deb/RPM/Docker/etc. compatible format which can be served by a more protected, publicly accessible Apache server and consumed by tooks like dpkg/yum/dnf/Docker etc?
I also thought about a second read only Nexus server which is rsync'ed every 10 minutes or so. An attacker would then take over this server, but the package signing check (At least for DEB/RPM) prevents installation of the tampered package
Use an Apache reverse proxy with certificate based authentication (I guess the most secure but complex solution)
But maybe there is already such a feature/another way and I just missed it in the documentation?
Upvotes: 0
Views: 522
Answers (1)
Reputation: 1439
In the end we came up with several steps to minimize the risk:
- Use a proxy that filters via GeoIP (Repository access is only possible from the countries our customers reside)
- Block all URIs except the following (Replace with name of your repo):
- /service/rest/repository/browse/REPONAME/*>
- /repository/REPONAME/*>
- /static/css/nexus-content.css*>
- /favicon.ico*>
- /favicon-*.png>
Upvotes: 1
Related Questions
- Prevent Nexus from pulling blocked package metadata
- How to secure nexus repository path
- Is Nexus Repository 3 blob store setup necessary?
- Nexus OSS 2 - Repository Targets
- Nexus 3 configuration issue with public repository
- Nexus 3 OSS bundle requires license for PRO
- Isn't Nexus open source any more?
- How can developers access to Nexus OSS
- How Nexus Proxy repository works?
- Nexus proxy repository