[CRITICAL] Indexer Security Announcement

A recent report from one of our indexers revealed that many indexers expose their subql-coordinator ports publicly despite our guidance not to. This may lead to a bad actor changing your service, so we urge every indexer review their security controls immediately.

Who are affected?

Indexers with the following might have controller account at risk.

Be on the lookout for any malicious transactions from Metamask for your old controller account. A bad actor could insert malicious source code into the indexer admin app to ask you to sign a malicous transaction

How to fix?

  1. Immediately apply firewall rules to secure coordinator ports (see guidance here). Only the proxy’s HTTP & P2P port should be exposed publicly. SSH should be secured and not exposed publicly
  2. Upgrade subquerynetwork/indexer-coordinator to >= v1.3.8 (instructions here)
  3. Scan all the .ssh/authorized_keys of all your accounts, (/root and other /home/*). Delete any malicious or suspicious records, if you are not sure, delete the file, then restart
  4. Assign a new controller account in indexer admin - Instructions to create and activate a new controller account. Withdraw the all tokens from your previous controller as well

Best practices

  • Only expose the following ports publicly.
    • 443 for nginx → indexer-proxy for HTTPS indexers,
    • 80 for indexer-proxy for non-HTTPS indexers
    • 7370 for indexer-proxy’s p2p
  • subql-coordinator’s api port (8000 / TCP in the default settings): This port should be configured to only allow access from your own IP address or via your secured VPN as it is used by indexer_coordinator.
  • Run SubQuery services under non-root user
  • Consider using selinux to further enhance the security

Other external resources

  • You may want to consider using the Indexer toolkit developed by web3cdn. (it is not official application, please use at your own risk)
1 Like

I recommend you give commands about ufw, iptable…

Can you be a little more detailed, please?
Which commands, in what way is more convenient?

Download ufw-docker script:

sudo wget -O /usr/local/bin/ufw-docker \
sudo chmod +x /usr/local/bin/ufw-docker

Then using the following command to modify the after.rules file of ufw

ufw-docker install

Expose the port 7370:

ufw route allow proto udp from any to port 7370 comment 'allow indexer_proxy 7370/udp indexer_services'

Expose the port 8000 allow Only My IP (change to your IP Address):

ufw route allow proto tcp from to port 8000 comment 'allow indexer_coordinator 8000/tcp indexer_services'

Show the current firewall allowed forward rules

ufw-docker status
1 Like

How to set up access if I have a dynamic ip?

We have published a new page to our docs with this post’s content