OneFS version 7.1.1.2 shut-off management
We are new to OneFS version 7.1.1.2. For security purposes, we are forced to isolate the management console. Can we shut off mgmt. on the 10GbE's and let the 1GbE in effect be our Control Station?
cadiletta
May 14th, 2015 13:00
OneFS Web Administration or Command Line interfaces are accessible through normal IP communication over any link. There is no configuration option to restrict the administration access to specific ports, as anyone with the root or admin authentication can plug in an IP address directly to reach the cluster.
One alternative is to configure a SmartConnect pool as an administrative pool. Administrators seeking to address the Web Administration Interface would use that cluster name for access (example: adminIsilon.company.com). Then add only the interfaces you want to use for administration. This does not prevent users from inputting an IP address of any node directly, but would rather be a practice that would produce the desired result.
If there is truly a security concern, administration is dependent on certain services such as the sshd and apached services operating. By shutting these off, you remove administration capabilities for the node entirely. Note this is not available per interface, but for the whole node. A serial console will continue to work otherwise.
cadiletta
May 14th, 2015 14:00
dynamox,
That is a great option and one that is still available. I was trying to think of the buttons and switches available in the Isilon interfaces or RBAC etc. As usual though there are some steps you can do with Linux to restrict routing, modify the hosts.allow etc. However I don't believe there is a documented method, more a bit of tinkering needed to accomplish the task.
dynamox
May 14th, 2015 14:00
https://support.emc.com/kb/16602
This KB states 6.5 and earlier, why is that and what changed? Will the same procedure work (I guess I could try on my virtual instance)?
dynamox
May 14th, 2015 14:00
Chris,
In OneFS 6.5 I was able to lock down access to sshd and apache using hosts.allow; is that functionality still available and "supported" in 7.x? As a service provider I would love to be able to lock down management interfaces to specific systems; I have too many college kids with too much time on their hands trying to brute force ssh access to my cluster.
T_Koopman
June 5th, 2015 10:00
I have similar issues. I would like to be able to shut off any admin function from interfaces connected to access zones that are DMZ facing. I am testing with a 7.1.1.2 virtual instance and found that the KB dynamox referenced does not prevent ssh access to the smart connect IP. I was using hosts.allow to restrict access via ssh from specific networks.
Dynamox did you try on your virtual instance?
dynamox
June 5th, 2015 11:00
I did, it works (7.1.0.1).
T_Koopman
June 5th, 2015 14:00
Based on my findings with Virtual Isilon 7.1.1.2, wrapping sshd to deny networks did not work when connecting to the smart connect IP.
Below is a section of my /etc/hosts.allow:
#ALL : ALL : allow
#Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny
sshd : 10.8.*.* : deny
sshd : 10.9.*.* : deny
ALL : ALL : allow
dynamox
June 5th, 2015 17:00
In my test I allowed specific IPs and then the last line was ALL : ALL : deny. Be careful not to clobber rpc; make sure you allow all rpc or you might have issues with NFS clients.
T_Koopman
June 9th, 2015 07:00
Still working on getting the KB to work the way I think it should. I am now working on a physical cluster running 7.1.1.2. The /etc/hosts.allow file stayed the same through the upgrade from 7.1.0.5 to 7.1.1.2. My understanding with my config is that all ssh sessions from the two networks I specify should be blocked, but they are not.
dynamox
June 9th, 2015 07:00
Here is my section; I only allow two specific IPs to ssh to this cluster. This is my virtual cluster.
ALL : n2isilonpoc-1 : allow
ALL : n2isilonpoc-2 : allow
ALL : n2isilonpoc-3 : allow
ALL : n2isilonpoc-4 : allow
ALL : n2isilonpoc-5 : allow
ALL : n2isilonpoc-6 : allow
sshd : localhost : allow
sshd : 10.140.13.36 : allow
sshd : 10.140.23.197 : allow
sshd : ALL : deny
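The two hosts.allow fragments posted above (T_Koopman's deny-then-allow-all ordering and dynamox's allow-list-then-deny-all ordering) behave very differently because TCP wrappers stops at the first matching rule. The evaluator below is an added example written for this thread, not code from the thread, from OneFS, or from the tcp_wrappers library. It models a deliberately small subset of hosts_access(5): first match wins, `ALL`, literal hosts or IPs, trailing-dot prefixes such as `10.8.`, netmask patterns, and `*`/`?` wildcards as used in the thread; treating `*` wildcards as fnmatch patterns and the daemon name `rpcbind` for the RPC portmapper are assumptions. The sample rule files are constructed to mirror the two postings.

```python
import fnmatch
import ipaddress

# Constructed sample mirroring the deny-then-allow-all ordering posted above.
DENY_THEN_ALLOW = """\
#sshd : .evil.cracker.example.com : deny
sshd : 10.8.*.* : deny
sshd : 10.9.*.* : deny
ALL : ALL : allow
"""

# Constructed sample mirroring the allow-list-then-deny ordering posted above.
ALLOW_THEN_DENY = """\
sshd : localhost : allow
sshd : 10.140.13.36 : allow
sshd : 10.140.23.197 : allow
sshd : ALL : deny
"""

# Constructed sample of the "clobber rpc" mistake: a catch-all deny as the
# last line also catches daemons you never meant to restrict.
CATCHALL_DENY = """\
sshd : 10.140.13.36 : allow
ALL : ALL : deny
"""


def parse_rules(text):
    """Return (daemon_patterns, client_patterns, option) tuples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = fields[0].split()
        clients = fields[1].split()
        # Option field is optional; a bare hosts.allow entry means allow.
        option = fields[2].lower() if len(fields) > 2 and fields[2] else "allow"
        if option not in ("allow", "deny"):
            raise ValueError(f"unsupported option in rule: {raw!r}")
        rules.append((daemons, clients, option))
    return rules


def client_matches(pattern, client):
    """Simplified hosts_access(5) client matching (assumption: subset only)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):        # "10.8." matches any address starting with 10.8.
        return client.startswith(pattern)
    if pattern.startswith("."):      # ".example.com" matches a hostname suffix
        return client.endswith(pattern)
    if "/" in pattern:               # n.n.n.n/m.m.m.m or CIDR netmask form
        try:
            return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    # Literal host/IP, or shell-style wildcards like 10.8.*.* (assumed fnmatch semantics).
    return fnmatch.fnmatchcase(client, pattern)


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def decide(rules, daemon, client):
    """First matching rule decides. No match falls through to allow, which
    assumes an empty or absent /etc/hosts.deny."""
    for daemons, clients, option in rules:
        if any(daemon_matches(d, daemon) for d in daemons) and \
           any(client_matches(c, client) for c in clients):
            return option
    return "allow"


def audit(text, daemon, clients):
    """Return {client: decision} for one daemon, handy for checking a file
    before deploying it to a cluster node."""
    rules = parse_rules(text)
    return {c: decide(rules, daemon, c) for c in clients}


if __name__ == "__main__":
    probes = ["10.8.1.5", "10.140.13.36", "192.0.2.7"]
    for name, text in (("deny-then-allow", DENY_THEN_ALLOW),
                       ("allow-then-deny", ALLOW_THEN_DENY),
                       ("catch-all deny", CATCHALL_DENY)):
        print(name, "sshd:", audit(text, "sshd", probes))
        print(name, "rpcbind:", audit(text, "rpcbind", probes))
```

Running the module prints, for each ordering, what `sshd` and `rpcbind` (the assumed RPC daemon name) would decide for the probe addresses. The catch-all ordering shows dynamox's warning concretely: `ALL : ALL : deny` rejects `rpcbind` from every NFS client because no earlier rule mentions it, whereas `sshd : ALL : deny` only narrows ssh.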
Stdekart
June 12th, 2015 08:00
Hello Vgonzalez,
Access Zones and RBAC (Role based access) may also be a good option to complete this.
See page 159 for a chapter on access zones, and page 179 for RBAC.
https://support.emc.com/docu54199_OneFS-7.1.1-CLI-Administration-Guide.pdf?language=en_US
Please note that in 7.1.1.x NFS must use the System Zone, so editing the hosts file may be the only option.
One other thing comes to mind: you could restrict access on the network side, i.e. restrict 1GbE access to specific IPs.
Probably the best option would be to upgrade to 7.2.0.x.
As an upgrade to 7.2.0.x, we have moved NFS to the likewise kernel. This allows NFS to use different access zones.
This allows you to utilize the system zone and RBAC for your management, and then a separate one or two zones for client connections.
See page 167 for a chapter on access zones, and page 185 for a chapter on RBAC.
https://support.emc.com/docu56048_OneFS-7.2-CLI-Administration-Guide.pdf?language=en_US
T_Koopman
June 16th, 2015 07:00
https://support.emc.com/kb/16602
All,
I was able to get the hosts.allow section of the above KB working with 7.1.1.2.
Dynamox thank you for your updates, they were very helpful.