
May 14th, 2015 09:00

OneFS version 7.1.1.2 shut-off management

We are new to OneFS version 7.1.1.2. For security purposes, we are forced to isolate the management console. Can we shut off mgmt. on the 10GbE's and let the 1GbE in effect be our Control Station?

106 Posts

May 14th, 2015 13:00

OneFS Web Administration or Command Line interfaces are accessible through normal IP communication over any link.  There is no configuration option to restrict the administration access to specific ports, as anyone with the root or admin authentication can plug in an IP address directly to reach the cluster.

One alternative is to configure a SmartConnect pool as an administrative pool.  Administrators seeking to address the Web Administration Interface would use that cluster name for access (example: adminIsilon.company.com).  Then add only the interfaces you want to use for administration.  This does not prevent users from inputting an IP address of any node directly, but would rather be a practice that would produce the desired result.

If there is truly a security concern, administration is dependent on certain services such as the sshd and apache services operating.  By shutting these off, you remove administration capabilities for the node entirely.  Note this is not available per interface, but for the whole node.  A serial console will continue to work otherwise.

106 Posts

May 14th, 2015 14:00

dynamox,

That is a great option and one that is still available.  I was trying to think of the buttons and switches available in the Isilon interfaces or RBAC etc.  As usual, though, there are some steps you can do with Linux to restrict routing, modify hosts.allow, etc.  However, I don't believe there is a documented method; more a bit of tinkering is needed to accomplish the task.

2 Intern • 20.4K Posts

May 14th, 2015 14:00

https://support.emc.com/kb/16602

This KB states 6.5 and earlier. Why is that, and what changed? Will the same procedure work? (I guess I could try on my virtual instance.)

2 Intern • 20.4K Posts

May 14th, 2015 14:00

Chris,

In OneFS 6.5 I was able to lock down access to sshd and apache using hosts.allow. Is that functionality still available and "supported" in 7.x?  As a service provider I would love to be able to lock down management interfaces to specific systems; I have too many college kids with too much time on their hands trying to brute force ssh access to my cluster.

17 Posts

June 5th, 2015 10:00

I have similar issues. I would like to be able to shut off any admin function from interfaces connected to access zones that are DMZ facing.  I am testing with a 7.1.1.2 virtual instance and found that the KB dynamox referenced does not prevent ssh access to the SmartConnect IP.  I was using hosts.allow to restrict access via ssh from specific networks.

Dynamox  did you try on your virtual instance?

2 Intern • 20.4K Posts

June 5th, 2015 11:00

I did, it works (7.1.0.1).

17 Posts

June 5th, 2015 14:00

Based on my findings with Virtual Isilon 7.1.1.2, wrapping sshd to deny networks did not work when connecting to the SmartConnect IP.

Below is a section of my /etc/hosts.allow:

```
#ALL : ALL : allow

#Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny

# hosts_access(5) has no "*" wildcard: these two patterns are compared as
# literal strings, never match a client address, and every sshd connection
# falls through to the final "ALL : ALL : allow" line. A class B network is
# written with a trailing dot (10.8.) or as net/mask (10.8.0.0/255.255.0.0).
sshd : 10.8.*.* : deny
sshd : 10.9.*.* : deny

ALL : ALL : allow
```

2 Intern • 20.4K Posts

June 5th, 2015 17:00

In my test I allowed specific IPs and then the last line was ALL : ALL : deny. Be careful not to clobber rpc. Make sure you allow all rpc or you might have issues with NFS clients.

17 Posts

June 9th, 2015 07:00

Still working on getting the KB to work the way I think it should.  I am now working on a physical cluster running 7.1.1.2.  The /etc/hosts.allow file stayed the same through the upgrade from 7.1.0.5 to 7.1.1.2.  My understanding with my config is that all ssh sessions from the two networks I specify should be blocked, but they are not.

2 Intern • 20.4K Posts

June 9th, 2015 07:00

Here is my section; I only allow two specific IPs to ssh to this cluster. This is my virtual cluster.

```
# all services, from the cluster's own nodes
ALL : n2isilonpoc-1 : allow
ALL : n2isilonpoc-2 : allow
ALL : n2isilonpoc-3 : allow
ALL : n2isilonpoc-4 : allow
ALL : n2isilonpoc-5 : allow
ALL : n2isilonpoc-6 : allow

# ssh from the node itself and from these two hosts only ...
sshd : localhost : allow
sshd : 10.140.13.36 : allow
sshd : 10.140.23.197 : allow
# ... and from nowhere else. Rules are first-match, and this last line names
# only sshd, so rpcbind/mountd (NFS) are not affected by it.
sshd : ALL : deny
```
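The two rule sets in this thread (the `10.8.*.*` denies that did not take effect, and the allow-list that ends in `sshd : ALL : deny` together with the warning about clobbering rpc) behave the way they do because of hosts_access(5) pattern matching and first-match evaluation. The POSIX sh script below is an added example, not something posted in this thread or shipped with OneFS: it models the single-file /etc/hosts.allow evaluation that FreeBSD-based systems such as OneFS use, for the pattern forms that appear in the thread (ALL, exact address, trailing-dot prefix, net/mask), so you can predict what a rule set does to a client address before you apply it to a node you still need to reach. The rule sets and addresses in it are constructed; host-name patterns such as `localhost` are not modelled because nothing can be resolved offline.

```shell
#!/bin/sh
# Added example (not from the thread or from OneFS): a tiny evaluator for the
# single-file /etc/hosts.allow that FreeBSD-based systems such as OneFS use.
# It models the hosts_access(5) rules the posts depend on:
#   - lines are scanned top to bottom; the first matching rule decides
#   - daemon field: ALL or a daemon name (sshd, rpcbind, mountd, ...)
#   - client field: ALL, an exact IPv4 address, a prefix ending in a dot
#     (10.8.) or a net/mask pair (10.8.0.0/255.255.0.0)
#   - option field: allow or deny; no option, or no matching rule, means allow
# One pattern per field, IPv4 only, no host names (nothing to resolve offline).
# "*" is not a hosts_access wildcard: "10.8.*.*" is compared as a literal
# string, so it never matches an address.

ip2int() {
    # dotted quad -> 32-bit integer (assumes no leading zeros)
    ifs_save=$IFS; IFS=.
    set -- $1
    IFS=$ifs_save
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

client_match() {
    # client_match PATTERN IP -> exit 0 when PATTERN covers IP
    pat=$1; ip=$2
    case $pat in
        ALL)  return 0 ;;
        */*)  net=${pat%/*}; mask=${pat#*/}
              [ $(( $(ip2int "$ip") & $(ip2int "$mask") )) -eq \
                $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
        *.)   case $ip in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
        *)    [ "$pat" = "$ip" ] ;;   # exact address, or a literal that never matches
    esac
}

hosts_access() {
    # hosts_access DAEMON IP, rule file on stdin -> prints allow or deny
    daemon=$1; ip=$2
    while IFS=: read -r d c o; do
        d=$(printf %s "$d" | tr -d ' \t')
        c=$(printf %s "$c" | tr -d ' \t')
        o=$(printf %s "$o" | tr -d ' \t')
        case $d in ''|\#*) continue ;; esac          # blank line or comment
        { [ "$d" = ALL ] || [ "$d" = "$daemon" ]; } || continue
        client_match "$c" "$ip" || continue
        if [ "$o" = deny ]; then echo deny; else echo allow; fi
        return 0
    done
    echo allow                                        # nothing matched
}

check() {
    # check RULES DAEMON IP -> allow|deny
    printf '%s\n' "$1" | hosts_access "$2" "$3"
}

# Constructed rule sets (not a real cluster's file), mirroring the thread.
RULES_GLOB='
sshd : 10.8.*.* : deny
sshd : 10.9.*.* : deny
ALL : ALL : allow
'
RULES_PREFIX='
sshd : 10.8. : deny
sshd : 10.9.0.0/255.255.0.0 : deny
ALL : ALL : allow
'
RULES_ALLOWLIST='
sshd : 127.0.0.1 : allow
sshd : 10.140.13.36 : allow
sshd : 10.140.23.197 : allow
sshd : ALL : deny
'
RULES_CLOBBER_RPC='
sshd : 10.140.13.36 : allow
ALL : ALL : deny
'

for ip in 10.8.1.5 10.9.3.4 10.140.13.36; do
    printf '%-14s glob:%-6s prefix:%-6s allowlist:%-6s rpcbind(clobber):%s\n' "$ip" \
        "$(check "$RULES_GLOB" sshd "$ip")" \
        "$(check "$RULES_PREFIX" sshd "$ip")" \
        "$(check "$RULES_ALLOWLIST" sshd "$ip")" \
        "$(check "$RULES_CLOBBER_RPC" rpcbind "$ip")"
done
```

Run it as-is to print a table: under the glob rules every address is allowed through sshd (the literal `10.8.*.*` never matches), under the prefix and net/mask rules 10.8.x and 10.9.x are denied, the allow-list denies sshd for everyone but the two listed hosts while leaving rpcbind untouched, and the `ALL : ALL : deny` variant denies rpcbind to NFS clients, which is the failure dynamox warns about. On a real node, tcp_wrappers also provides tcpdmatch(8) to test the live file the same way; whether a given OneFS build includes that binary is an assumption to verify, not something this thread states.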

104 Posts

June 12th, 2015 08:00

Hello Vgonzalez,

Access Zones and RBAC (role-based access control) may also be a good option to complete this.

See page 159 for a chapter on access zones, and page 179 for RBAC:

https://support.emc.com/docu54199_OneFS-7.1.1-CLI-Administration-Guide.pdf?language=en_US

Please note that in 7.1.1.x NFS must use the System Zone, so editing the hosts file may be the only option.

One other thing comes to mind: you could restrict access on the network side, i.e. restrict 1GbE access to specific IPs.

Probably the best option would be to upgrade to 7.2.0.x

In the 7.2.0.x upgrade, we have moved NFS to the Likewise kernel. This allows NFS to use different access zones,

allowing you to utilize the System Zone and RBAC for your management, and then one or two separate zones for client connections.

See page 167 for a chapter on access zones, and page 185 for a chapter on RBAC:

https://support.emc.com/docu56048_OneFS-7.2-CLI-Administration-Guide.pdf?language=en_US

17 Posts

June 16th, 2015 07:00

https://support.emc.com/kb/16602

All,

I was able to get the hosts.allow section of the above KB working with 7.1.1.2.

Dynamox thank you for your updates, they were very helpful.
