
Secure your LA infrastructure

vjrj edited this page Apr 14, 2020 · 26 revisions

Draft

Basic measures

Firewall

Ports to open from the outside

Allow basic inbound traffic on 22/80/443 (TCP) from the outside. Restrict external access to the Solr web interface (port 8983).

Ports to open internally

Restricting the internal traffic is more complex. As a start you can open all ports between the internal IP addresses of your VMs, then narrow the rules down as you discover which ports each service uses and adapt them to your infrastructure.

Depending on your servers and how the LA software is deployed, you should open these TCP ports between your VMs:

  • 22: ssh
  • 80,443: http/s
  • 8009,8080: tomcat
  • 8983: solr
  • 7000, 7001, 9042, 9142, 9160: cassandra
  • 8070, 9000, 9001, 9002: auth (cas, userdetails, etc)
  • 9101: image service (alternative to default 8080)

ufw

If you don't need a complicated firewall configuration, you can use this ansible ufw role to quickly configure iptables on your machines.
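As an added example (not part of this wiki page or of the ansible role it mentions), the port list above can be turned into a reviewable set of ufw rules: the public ports are opened from anywhere, everything else only from the private subnet the VMs share. The subnet value 10.0.0.0/24 is a constructed placeholder; ufw's default "deny incoming" is what keeps 8983 and the other internal ports closed to the outside.

```shell
#!/bin/sh
# Added example: derive ufw rules from the LA port list (not the wiki's own code).
# Assumption: INTERNAL_NET is the private subnet your VMs share (placeholder value).
INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/24}"

# Ports reachable from anywhere (22/80/443 from the page).
PUBLIC_PORTS="22 80 443"

# Internal-only ports, "port service" per line, taken from the list above.
# 22/80/443 are already public, so they are not repeated here.
INTERNAL_PORTS="
8009 tomcat
8080 tomcat
8983 solr
7000 cassandra
7001 cassandra
9042 cassandra
9142 cassandra
9160 cassandra
8070 auth
9000 auth
9001 auth
9002 auth
9101 image-service
"

# Print the ufw commands for a given internal subnet without running them,
# so the ruleset can be reviewed (or diffed against the live one) first.
ufw_rules() {
  net="$1"
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  for p in $PUBLIC_PORTS; do
    echo "ufw allow in $p/tcp"
  done
  echo "$INTERNAL_PORTS" | while read -r port svc; do
    [ -n "$port" ] || continue
    echo "ufw allow in proto tcp from $net to any port $port comment '$svc'"
  done
}

# Number of allow rules a subnet would get; a quick sanity check that the
# table was parsed completely.
ufw_rule_count() { ufw_rules "$1" | grep -c '^ufw allow'; }

# Dry run by default; --show prints the rules, --apply executes them as root.
case "${1:-}" in
  --show)  ufw_rules "$INTERNAL_NET" ;;
  --apply) ufw_rules "$INTERNAL_NET" | while read -r cmd; do eval "$cmd"; done
           ufw --force enable ;;
esac
```

Run it with `--show` first and compare the output with `ufw status numbered` on the machine; only then run `--apply`. Keep the SSH rule first in PUBLIC_PORTS so a mistake in the internal table cannot lock you out.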

Protect your Solr admin interface

ssh port redirection

When you need to access the Solr admin interface (or, similarly, the MongoDB, MySQL or PostgreSQL ports) from your computer, you can temporarily use ssh port forwarding with something like:

ssh -L 8983:127.0.0.1:8983 ubuntu@your-solr-server -N -f

  • -L means: my local port 8983 is forwarded to 127.0.0.1:8983 on my remote Solr server
  • -N -f run this port forwarding in the background without executing a remote command

but this forwarding is only maintained while that ssh connection is running, so it's temporary. (For many use cases this is adequate: you create an SSH tunnel for the brief duration of your Solr administration tasks, then shut it down.) If you like this way of connecting to your server's admin ports, you can also use other tools like autossh or sshuttle.

Solr admin with Apache

If you need something more permanent you can configure a vhost with basic auth like:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName index.example.org
    ServerAdmin sysadmins@example.org
    DocumentRoot /srv/index.example.org/www/

    <Directory />
        Require all granted
    </Directory>
    <Directory /srv/index.example.org/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        # Apache 2.4 syntax (replaces the 2.2 "Order allow,deny / Allow from all")
        Require all granted
    </Directory>

    # Everything under / (i.e. the whole proxied Solr UI) needs a valid user,
    # unless the request carries the noauth environment variable.
    <Location />
        AuthType Basic
        AuthName "Authentication Required"
        AuthUserFile /etc/apache2/passwdfile
        <RequireAny>
            Require env noauth
            Require env REDIRECT_noauth
            Require valid-user
        </RequireAny>
    </Location>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Reverse proxy to the internal Solr server (never a forward proxy).
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia full
    ProxyPass / http://YOUR_INTERNAL_SOLR_SERVER:8983/
    # Rewrite Location headers in Solr redirects back to this vhost
    ProxyPassReverse / http://YOUR_INTERNAL_SOLR_SERVER:8983/

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/index.example.org/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/index.example.org/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/index.example.org/chain.pem
</VirtualHost>
</IfModule>
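An added example (not from this wiki) for the two things a practitioner does after installing that vhost: create the AuthUserFile entry and confirm that the proxy really refuses unauthenticated requests. The password line is generated with `openssl passwd -apr1`, which yields the same MD5-crypt format `htpasswd` produces; the URL, user name and password below are placeholders.

```shell
#!/bin/sh
# Added example: create the basic-auth password file and check the protection.
# Assumes openssl and curl on the admin machine; PASSWD_FILE matches the vhost.
PASSWD_FILE="${PASSWD_FILE:-/etc/apache2/passwdfile}"

# Produce one "user:$apr1$salt$hash" line that mod_authn_file accepts.
htpasswd_line() { # usage: htpasswd_line USER PASSWORD
  printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
}

# Reject lines that are not apr1 hashes (e.g. an accidentally plaintext
# password) before they are appended to the file.
valid_htpasswd_line() { # usage: valid_htpasswd_line LINE
  printf '%s' "$1" | grep -Eq '^[^:]+:\$apr1\$[^$]+\$[./0-9A-Za-z]{22}$'
}

# Append a validated entry; the file itself should stay readable by root and
# the Apache user only.
add_user() { # usage: add_user USER PASSWORD
  line=$(htpasswd_line "$1" "$2")
  valid_htpasswd_line "$line" || return 1
  printf '%s\n' "$line" >> "$PASSWD_FILE" && chmod 640 "$PASSWD_FILE"
}

# HTTP status code for a URL, with optional USER:PASS credentials.
http_status() { # usage: http_status URL [USER:PASS]
  if [ -n "${2:-}" ]; then
    curl -s -o /dev/null -w '%{http_code}' -u "$2" "$1"
  else
    curl -s -o /dev/null -w '%{http_code}' "$1"
  fi
}

# Expected: 401 without credentials and 200 with them. Anything else means
# the <Location /> block is not in effect (wrong vhost, noauth env set, ...).
check_protected() { # usage: check_protected URL USER:PASS
  anon=$(http_status "$1")
  auth=$(http_status "$1" "$2")
  [ "$anon" = "401" ] && [ "$auth" = "200" ]
}

# Usage:
# add_user admin 'CHANGE-ME'
# check_protected https://index.example.org/solr/ admin:CHANGE-ME && echo protected
```

Run `apachectl configtest` and reload Apache between editing the vhost and calling `check_protected`; run the check again after any change to the `noauth` conditions, since a too-broad `SetEnvIf` silently turns the authentication off.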

Whitelist IP address

Some interfaces have a simple IP address whitelist to allow certain IPs to access the administrative interface, to use their API, etc.:

Other recommendations

Use fail2ban to prevent brute-force attacks against those services (HTTP/S and SSH authentication). If you use WordPress on your node, there is also a good fail2ban WordPress plugin that integrates well with fail2ban.

Other resources
