I have recently been testing out Cockpit with my various Debian servers, and I like it so far. One issue I have is that it creates the port 9090 that is open by default. I don't want that port opened to the world, but my bastion server is on a dynamic IP.
I noticed that I can install Cockpit on my remote servers, then run systemctl stop cockpit.socket and have it work... But not past disconnects from my main server.
What I would like to know is, what is the minimum configuration required to only allow Cockpit to connect to remote Debian servers that do not have Cockpit installed (preferred), or somehow limit Cockpit's web interface to not work on public-facing interfaces.
The cockpit documentation explains how to override the cockpit.socket systemd unit to set the listen address as you wish.
For example, you may create an override file
/etc/systemd/system/cockpit.socket.d/listen.conf
which contains:
The first ListenStream= causes any previously defined ListenStream= directives to be discarded. They will then be replaced by the second ListenStream=.
You would use the IP address of your internal interface, and not that of the external interface.
Of course, you can also firewall port 9090 in any manner you wish, to achieve a similar effect.
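As an added illustration (not part of the answer above), a small Python simulation of how systemd merges ListenStream= between the stock cockpit.socket and a drop-in; the unit excerpts and the internal address 10.0.0.5 are constructed, and it shows why the empty reset line matters: without it the socket keeps listening on every interface as well.

```python
# Simulates how systemd merges ListenStream= from a socket unit and its drop-in:
# list options accumulate, and an empty assignment clears the list so far.

# Constructed excerpt of the stock cockpit.socket: a bare port binds all interfaces.
BASE_UNIT = "[Socket]\nListenStream=9090\n"

# Drop-in WITHOUT the reset line (the mistake): both addresses stay active.
OVERRIDE_NO_RESET = "[Socket]\nListenStream=10.0.0.5:9090\n"

# Drop-in as the answer describes: reset first, then the internal address.
OVERRIDE_WITH_RESET = "[Socket]\nListenStream=\nListenStream=10.0.0.5:9090\n"


def listen_streams(*unit_texts):
    """Effective ListenStream list after applying the unit texts in order."""
    streams = []
    for text in unit_texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith(("#", ";")):
                continue  # blank or comment
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            if section != "Socket" or "=" not in line:
                continue
            key, _, value = line.partition("=")
            if key.strip() != "ListenStream":
                continue
            value = value.strip()
            if value == "":
                streams = []  # "ListenStream=" discards everything collected so far
            else:
                streams.append(value)
    return streams


def exposed_to_all_interfaces(streams):
    """True if any entry is a bare port or wildcard address (listens on every interface)."""
    return any(s.isdigit() or s.startswith(("0.0.0.0:", "[::]:")) for s in streams)


if __name__ == "__main__":
    for name, override in (("no reset", OVERRIDE_NO_RESET), ("with reset", OVERRIDE_WITH_RESET)):
        effective = listen_streams(BASE_UNIT, override)
        print(f"{name}: {effective} public={exposed_to_all_interfaces(effective)}")
```

After writing the real drop-in, run systemctl daemon-reload and systemctl restart cockpit.socket, then confirm with ss -ltnp that only the internal address is listening on 9090.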