Task #98
MongoDB in production: allow only trusted connections
Status: Closed
Done: 100%
Description
Only allow trusted clients to connect to the port for the mongod instances.
The ports used are: 27017, 28017
The list of instances in production follows:
{{{
node58.p.d4science.research-infrastructures.eu
node67.p.d4science.research-infrastructures.eu
node73.p.d4science.research-infrastructures.eu
node80.p.d4science.research-infrastructures.eu
node84.p.d4science.research-infrastructures.eu
}}}
The networks considered trusted for the storage area are all the networks where gCore nodes or smartgears nodes are deployed.
The list of networks follows:
fao.org
edu.tw
uoa.gr
vliz.be
Updated by Pasquale Pagano almost 10 years ago
- Target version set to System Configuration
Updated by Luca Frosini almost 10 years ago
- Assignee changed from Tommaso Piccioli to Andrea Dell'Amico
Updated by Andrea Dell'Amico almost 10 years ago
Two considerations:
- 28017 is the HTTP port that shows the server status. Is it really needed, even from outside?
- We need networks and not domain names. It's not possible to obtain complete information about the involved networks from a domain name.
Updated by Roberto Cirillo almost 10 years ago
- 28017 port should be closed from outside
- I don't know if it is possible to obtain the networks from a domain name. Is there a way to do it?
Updated by Andrea Dell'Amico almost 10 years ago
Roberto Cirillo wrote:
> - 28017 port should be closed from outside
Ok
> - I don't know if it is possible to obtain the networks from a domain name. Is there a way to do it?
No, there's no connection between domain names and networks. Tommaso produced a network list some weeks ago, but we don't know if it's complete.
Updated by Andrea Dell'Amico almost 10 years ago
I've found some networks recently used to protect another service on node21.p.d4science.research-infrastructures.eu:
{{{
ext_nets:
  fao_org_1: 193.43.36.0/24
  uoa_gr_1: 195.134.64.0/18
  uoa_gr_2: 88.197.0.0/17
}}}
I need to find the networks for vliz.be and edu.tw.
If we do not have a clue I'll sniff the traffic on the mongodb servers.
Updated by Andrea Dell'Amico almost 10 years ago
- File lista-reverse-addresses lista-reverse-addresses added
Updated by Andrea Dell'Amico almost 10 years ago
- Status changed from New to In Progress
I did not find any connections from .tw hosts, but I composed a list that includes more than what was initially asked:
{{{
vliz_be_1: 193.191.134.0/24
fao_org_1: 193.43.36.0/24
uoa_gr_1: 195.134.64.0/18
uoa_gr_2: 88.197.0.0/17
# Greek Research and Technology Network (GRNET) S.A.
grnet_1: 83.212.96.0/19
# UE
ue_comm_1: 147.67.0.0/16
engineering_1: 91.109.57.0/24
cern_1: 128.141.0.0/16
cern_2: 128.142.0.0/16
cern_3: 137.138.0.0/16
# Barcelona Supercomputer Center
barcelona_sc_1: 84.88.0.0/16
# Barcelona, Politecnico
barcelona_upc_1: 147.83.0.0/16
# Valencia, Politecnico
valencia_upv_1: 158.42.0.0/16
}}}
Talking with Roberto, they all seem legitimate networks.
Let me know how to proceed. Do we want to include all those?
Updated by Roberto Cirillo almost 10 years ago
Yes Andrea. Please include all these networks.
Updated by Andrea Dell'Amico almost 10 years ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 90
The iptables rules are now active.
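A rule set matching what the thread settled on (the listed networks allowed to reach mongod on tcp/27017, the 28017 status port closed from outside), written here as an added example and not the rules actually deployed on the nodes; the chain name MONGO_IN, the loopback-only exception for 28017 and the rate-limited LOG rule are assumptions.

```shell
#!/bin/sh
# Added example: render iptables rules for the ticket's allow-list.
# The network list is copied from the ticket; MONGO_IN, the loopback
# exception and the LOG rule are assumptions, not the deployed config.

TRUSTED_NETS='
vliz_be_1 193.191.134.0/24
fao_org_1 193.43.36.0/24
uoa_gr_1 195.134.64.0/18
uoa_gr_2 88.197.0.0/17
grnet_1 83.212.96.0/19
ue_comm_1 147.67.0.0/16
engineering_1 91.109.57.0/24
cern_1 128.141.0.0/16
cern_2 128.142.0.0/16
cern_3 137.138.0.0/16
barcelona_sc_1 84.88.0.0/16
barcelona_upc_1 147.83.0.0/16
valencia_upv_1 158.42.0.0/16
'

# Print the rules rather than applying them, so they can be reviewed first
# (or piped to sh as root) and checked without touching the host.
gen_mongo_rules() {
    chain=MONGO_IN
    echo "iptables -N $chain"
    # Every new connection to a mongod port goes through the dedicated chain.
    echo "iptables -A INPUT -p tcp -m multiport --dports 27017,28017 -m conntrack --ctstate NEW -j $chain"
    # The HTTP status port stays reachable from the host itself only.
    echo "iptables -A $chain -i lo -p tcp --dport 28017 -j ACCEPT"
    # One ACCEPT per trusted network on 27017, tagged with the ticket's name.
    printf '%s\n' "$TRUSTED_NETS" | while read -r name cidr; do
        [ -n "$cidr" ] || continue
        echo "iptables -A $chain -s $cidr -p tcp --dport 27017 -m comment --comment $name -j ACCEPT"
    done
    # Whatever did not match a trusted network is logged (rate-limited) and dropped.
    echo "iptables -A $chain -m limit --limit 5/min -j LOG --log-prefix 'mongod-denied: '"
    echo "iptables -A $chain -j DROP"
}

# Sanity check: number of per-network ACCEPT rules rendered for 27017.
count_accept_rules() {
    gen_mongo_rules | grep -c -- '--dport 27017 .* -j ACCEPT'
}

gen_mongo_rules
```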
Updated by Andrea Dell'Amico almost 10 years ago
- Status changed from Feedback to Closed
- % Done changed from 90 to 100