Security improvement
Binding setting
If you install the system following this document, some components listen on ports that are bound to all addresses by default. To improve the security of the system, we recommend that you change these default settings so that each service listens only on the loopback address or on the internal network address.
rabbitmq
Recommend binding on the loopback address (127.0.0.1). Classic Erlang-term format; the terminating period is required for the file to load:
[
  { rabbit, [
    { tcp_listeners, [ {"127.0.0.1", 5672} ] }
  ] }
].
postgresql
It binds on the loopback address (127.0.0.1) by default. We do not recommend changing the default setting.
confluent
It binds on the loopback address (127.0.0.1) by default. We do not recommend changing the default setting.
influxdb
Recommend binding on the loopback address (127.0.0.1):
[http]
  # Determines whether HTTP endpoint is enabled.
  # enabled = true

  # The bind address used by the HTTP service.
  bind-address = "127.0.0.1:8086"
lico-core
Recommend binding on the internal address. If there are no login nodes in the cluster and lico-portal is installed on the same node as lico-core, recommend binding on the loopback address instead.
[program:confluent_proxy]
command=/usr/bin/gunicorn --paste /etc/lico/confluent-proxy.ini --bind 172.20.0.14:18080 --log-config /etc/lico/confluent-proxy.ini --workers 1 --threads 50 --timeout 3600 --worker-class gevent --keep-alive 65 --log-level info --access-logfile - --error-logfile - --capture-output
lico-ganalia-mond
It binds on the loopback address (127.0.0.1) by default. We do not recommend changing the default setting.
lico-confluent-proxy
Recommend binding on the internal address. If there are no login nodes in the cluster and lico-portal is installed on the same node as lico-confluent-proxy, recommend binding on the loopback address instead.
[program:confluent_proxy]
command=/usr/bin/gunicorn --paste /etc/lico/confluent-proxy.ini --bind 172.20.0.14:18081 --log-config /etc/lico/confluent-proxy.ini --workers 1 --threads 50 --timeout 3600 --worker-class gevent --keep-alive 65 --log-level info --access-logfile - --error-logfile - --capture-output
lico-vnc-proxy
Recommend binding on the internal address. If there are no login nodes in the cluster and lico-portal is installed on the same node as lico-vnc-proxy, recommend binding on the loopback address instead.
[program:vncproxy]
command=/usr/bin/gunicorn --paste /etc/lico/vnc-proxy.ini --bind 172.20.0.14:18083 --log-config /etc/lico/vnc-proxy.ini --workers 1 --timeout 3600 --worker-class gevent --keep-alive 65 --log-level info --access-logfile - --error-logfile - --capture-output
......
[program:websockify]
command=/usr/bin/websockify 18082 --token-plugin=JSONTokenApi --token-source='http://172.20.0.14:18083/lookup?token=%s'
lico-wechat-agent
Recommend binding on the internal address. If there are no login nodes in the cluster and lico-portal is installed on the same node as lico-wechat-agent, recommend binding on the loopback address instead.
# lico-wechat-agent environment file
GUNICORN_CMD_ARGS= \
  --bind 172.20.0.14:18090 \
  --log-config /etc/lico/wechat-agent.ini \
  --workers 1 \
  --threads 4 \
  --worker-class gevent \
  --timeout 3600 \
  --keep-alive 65 \
  --log-level info \
  --access-logfile - \
  --error-logfile - \
  --capture-output True
lico-mail-agent
Recommend binding on the internal address. If there are no login nodes in the cluster and lico-portal is installed on the same node as lico-mail-agent, recommend binding on the loopback address instead.
# lico-mail-agent environment file
GUNICORN_CMD_ARGS= \
  --bind 172.20.0.14:18091 \
  --log-config /etc/lico/mail-agent.ini \
  --workers 1 \
  --threads 4 \
  --worker-class gevent \
  --timeout 3600 \
  --keep-alive 65 \
  --log-level info \
  --access-logfile - \
  --error-logfile - \
  --capture-output True
lico-sms-agent
Recommend binding on the internal address. If there are no login nodes in the cluster and lico-portal is installed on the same node as lico-sms-agent, recommend binding on the loopback address instead.
# lico-sms-agent environment file
GUNICORN_CMD_ARGS= \
  --bind 172.20.0.14:18092 \
  --log-config /etc/lico/sms-agent.ini \
  --workers 1 \
  --timeout 3600 \
  --keep-alive 65 \
  --log-level info \
  --access-logfile - \
  --error-logfile - \
  --capture-output True
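As an added check (an example script written for this page, not part of the LiCO document or product), the function below audits the listeners on a node against the recommendations in this section. It reads the output of `ss -Hltn` and flags any of the service ports named above (assumed list: 5672, 8086, 18080, 18081, 18082, 18083, 18090, 18091, 18092) that is bound to a wildcard address or to anything other than loopback or the internal address you pass in. The embedded sample is constructed; 172.20.0.14 is simply the internal address used in the configuration snippets above.

```shell
#!/bin/sh
# Added example, not part of the LiCO document: audit listening TCP sockets
# against the binding recommendations above.
#
# Usage:  ss -Hltn | audit_binds <internal-address>
# Prints one "EXPOSED ..." line per flagged listener; exit status 1 if any.

# Ports this section expects on loopback or the internal address (assumed
# from the configuration snippets above): 5672 rabbitmq, 8086 influxdb,
# 18080 lico-core, 18081 lico-confluent-proxy, 18082/18083 lico-vnc-proxy,
# 18090 lico-wechat-agent, 18091 lico-mail-agent, 18092 lico-sms-agent.
LICO_PORTS="5672 8086 18080 18081 18082 18083 18090 18091 18092"

audit_binds() {
    awk -v internal="$1" -v ports="$LICO_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
        # ss -Hltn columns: State Recv-Q Send-Q Local:Port Peer:Port [Process]
        la = $4
        i = match(la, /:[0-9]+$/)          # the port follows the last colon
        if (i == 0) next
        addr = substr(la, 1, i - 1)
        port = substr(la, i + 1)
        if (!(port in want)) next          # not one of the services listed above
        if (addr == "127.0.0.1" || addr == "[::1]" || addr == internal) next
        # 0.0.0.0, *, [::], :: or an unexpected address: reachable from other hosts
        printf "EXPOSED port %s bound to %s\n", port, addr
        bad++
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample of ss -Hltn output for a management node whose internal
# address is 172.20.0.14: rabbitmq and lico-confluent-proxy violate the advice.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5672 0.0.0.0:*
LISTEN 0 128 172.20.0.14:18080 0.0.0.0:*
LISTEN 0 128 [::]:18081 [::]:*
LISTEN 0 128 127.0.0.1:8086 0.0.0.0:*'

# Run the constructed sample when invoked with --demo; sourcing the file
# only defines the function so it can be used against real ss output.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SS" | audit_binds 172.20.0.14
fi
```

Ports that are not in the list (sshd on 22 in the sample) are ignored on purpose: the firewall section below governs those, while this check only verifies that the LiCO services themselves are not reachable on addresses the document tells you to avoid. Re-run it after every service restart, since a supervisor or unit file that was reverted will silently reintroduce a wildcard bind.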
Firewall setting
Considering the security of the system, we recommend that you enable the firewall on the management node and the login nodes. If you set up the cluster and install LiCO following this document, you can follow the steps below to set up your firewall. We also recommend that you refer to the official firewall setup document and configure it yourself. You can visit the official document from:
$ sudo yum install -y firewalld
$ sudo systemctl enable firewalld
$ sudo systemctl start firewalld
Management Node
# Add SSH service port
$ sudo firewall-cmd --zone=public --add-port=22/tcp --permanent
# Add httpd service port
$ sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
# Add NFS service port
$ sudo firewall-cmd --zone=public --add-port=2049/tcp --permanent
# Add Ganglia gmond port
$ sudo firewall-cmd --zone=public --add-port=8649/udp --permanent
# Add Slurm slurmctld port
$ sudo firewall-cmd --zone=public --add-port=6817/tcp --permanent
# Add OpenLDAP slapd ports
$ sudo firewall-cmd --zone=public --add-port=636/tcp --permanent
$ sudo firewall-cmd --zone=public --add-port=389/tcp --permanent
# Add lico-confluent-proxy port
$ sudo firewall-cmd --zone=public --add-port=18081/tcp --permanent
# Add lico-core port
$ sudo firewall-cmd --zone=public --add-port=18080/tcp --permanent
# Add TensorBoard random binding port range
$ sudo firewall-cmd --zone=public --add-port=20000-25000/tcp --permanent
$ sudo firewall-cmd --zone=public --add-interface=eth0 --permanent
$ sudo firewall-cmd --zone=public --add-interface=eth1 --permanent
Note
eth0 and eth1 should be your internal and external network interfaces.
$ sudo firewall-cmd --complete-reload
Login node
# Add SSH service port
$ sudo firewall-cmd --zone=public --add-port=22/tcp --permanent
# Add Nginx service port; adjust 8443 to your setting
$ sudo firewall-cmd --zone=public --add-port=8443/tcp --permanent
$ sudo firewall-cmd --zone=public --add-interface=eth0 --permanent
$ sudo firewall-cmd --zone=public --add-interface=eth1 --permanent
Note
eth0 and eth1 should be your internal and external network interfaces.
$ sudo firewall-cmd --complete-reload
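To confirm that the firewalld steps above took effect, and that nothing else was opened in the meantime, the following added example (written for this page, not LiCO's own tooling) compares the output of `firewall-cmd --zone=public --list-ports` with the port lists given for the management node and the login node. The role names `management` and `login`, the function name and the embedded sample are assumptions for this example; the port lists are copied from the commands above.

```shell
#!/bin/sh
# Added example, not part of the LiCO document: compare the ports actually
# opened in firewalld with the per-role lists from the steps above.
#
# Usage:  firewall-cmd --zone=public --list-ports | check_ports management
#         firewall-cmd --zone=public --list-ports | check_ports login
# Prints MISSING (required above but closed) and EXTRA (open but not required)
# entries; exit status 1 if either exists, 2 for an unknown role.

# Port lists copied from the firewall-cmd steps above.
MGMT_PORTS="22/tcp 80/tcp 2049/tcp 8649/udp 6817/tcp 636/tcp 389/tcp 18081/tcp 18080/tcp 20000-25000/tcp"
LOGIN_PORTS="22/tcp 8443/tcp"

check_ports() {
    case "$1" in
        management) expected="$MGMT_PORTS" ;;
        login)      expected="$LOGIN_PORTS" ;;
        *) echo "check_ports: unknown role '$1' (use management|login)" >&2; return 2 ;;
    esac
    awk -v expected="$expected" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) want[e[i]] = 1 }
    # --list-ports prints space-separated port/proto tokens on one line
    { for (i = 1; i <= NF; i++) have[$i] = 1 }
    END {
        for (p in want) if (!(p in have)) { print "MISSING " p; bad++ }
        for (p in have) if (!(p in want)) { print "EXTRA " p; bad++ }
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample of --list-ports output on a management node where the
# OpenLDAP ports were never added and the rabbitmq port was opened by mistake
# (the binding section keeps rabbitmq on loopback, so it needs no firewall rule).
SAMPLE_PORTS="22/tcp 80/tcp 2049/tcp 8649/udp 6817/tcp 18081/tcp 18080/tcp 20000-25000/tcp 5672/tcp"

# Run the constructed sample when invoked with --demo; sourcing the file
# only defines the function so it can be used against real firewalld output.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PORTS" | check_ports management
fi
```

Run it after `firewall-cmd --complete-reload` on each node; an EXTRA entry usually means a port was added for troubleshooting and never removed, while a MISSING entry means a service will be unreachable once the zone is active on both interfaces.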
The same recommendation applies when you configure the firewall with YaST: enable the firewall on the management node and the login nodes. If you set up the cluster and install LiCO following this document, you can follow the steps below to set up your firewall. We also recommend that you refer to the official firewall setup document and configure it yourself. You can visit the official document from:
$ sudo yast
Enter Security and Users > Firewall
Management Node
Select Allowed Services:
Set Allowed Services for Selected Zone to External Zone. Click Advanced, and in the pop-up dialog:
Set TCP Ports to 20000:25000 2049 22 80 389 636 6817 18080 18081
Set UDP Ports to 8649
Note
TCP/22: ssh service port
TCP/80: httpd service port
TCP/2049: nfs service port
TCP/6817: slurm slurmctld port
TCP/636, 389: openldap slapd ports
TCP/18081: lico-confluent-proxy port
TCP/18080: lico-core port
TCP/20000:25000: TensorBoard random binding port range
UDP/8649: ganglia gmond port
Select Interfaces:
Set eth0 and eth1 to use External Zone.
Note
eth0 and eth1 should be your internal and external network interfaces.
Select Start-Up:
Set Service Start to Enable Firewall Automatic Starting.
Click Save Settings and Restart Firewall Now.
Exit YaST.
Login node
Select Allowed Services:
Set Allowed Services for Selected Zone to External Zone. Click Advanced, and in the pop-up dialog:
Set TCP Ports to 8443 22
Note
TCP/22: ssh service port
TCP/8443: nginx service port
Select Interfaces:
Set eth0 and eth1 to use External Zone.
Note
eth0 and eth1 should be your internal and external network interfaces.
Select Start-Up:
Set Service Start to Enable Firewall Automatic Starting.
Click Save Settings and Restart Firewall Now.
Exit YaST.