Why are you not using Access Zones at OneFS? SSH (and WebUI access of course too) is zone-aware and it is not working in other Access Zones than the system Zone.
Thanks for the reply Phil. I am using Access Zones. Unfortunately in my case SSH (and WebUI, etc) do not seem to be zone-aware. All of the subnets that are on zones other than system Zone still have SSH and all the other management ports open. I'm running v8.0.0.4. Is that not the expected behavior?
The ports may be open, but the WebUI, PAPI, and SSH won't work on any access zone but system. Now keep in mind that that's how it is now, maybe that'll change one day as an enhancement. I say an enhancement because NFS, SMB, and HDFS are access-zone aware, but there is certainly a desire to in multi-tenant shops let each tenant manage their own environment. If you're making it external-network facing, then just ask the network team block the TCP ports.
Thanks for clearing this up some Chris. It does appear that the SSH port is open and allowing connections, but when I attempt connect I get authentication failed. That said the public IP address for the SmartConnect service DOES allow my SSH connection through. So Access Zones do prevent SSH connections via failed authentication but they do not prevent them from the subnet's SmartConnect IP.
Unfortunately there is no firewall so having the TCP ports blocked is not an option.
If you have a smart/managed switch, then a firewall isn't necessary to apply an ACL. You just block the 1 port (TCP 22), and then allow everything else.
To actually shut it off on the storage system itself, you would need to ask your DellEMC Isilon account team to file a Feature Enhancement request on your behalf.
philippspohr
1 Rookie
•
107 Posts
1
October 18th, 2017 02:00
Why are you not using Access Zones at OneFS? SSH (and WebUI access of course too) is zone-aware and it is not working in other Access Zones than the system Zone.
ZBoT
1 Rookie
•
41 Posts
0
October 18th, 2017 04:00
Thanks for the reply Phil. I am using Access Zones. Unfortunately in my case SSH (and WebUI, etc) do not seem to be zone-aware. All of the subnets that are on zones other than system Zone still have SSH and all the other management ports open. I'm running v8.0.0.4. Is that not the expected behavior?
crklosterman
450 Posts
0
October 18th, 2017 12:00
The ports may be open, but the WebUI, PAPI, and SSH won't work on any access zone but system. Now keep in mind that that's how it is now, maybe that'll change one day as an enhancement. I say an enhancement because NFS, SMB, and HDFS are access-zone aware, but there is certainly a desire to in multi-tenant shops let each tenant manage their own environment. If you're making it external-network facing, then just ask the network team block the TCP ports.
~Chris
ZBoT
1 Rookie
•
41 Posts
0
October 19th, 2017 04:00
Thanks for clearing this up some Chris. It does appear that the SSH port is open and allowing connections, but when I attempt connect I get authentication failed. That said the public IP address for the SmartConnect service DOES allow my SSH connection through. So Access Zones do prevent SSH connections via failed authentication but they do not prevent them from the subnet's SmartConnect IP.
Unfortunately there is no firewall so having the TCP ports blocked is not an option.
Is there no other way?
crklosterman
450 Posts
1
October 20th, 2017 13:00
If you have a smart/managed switch, then a firewall isn't necessary to apply an ACL. You just block the 1 port (TCP 22), and then allow everything else.
Here's how to do it on a Cisco Nexus BTW:
Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 4.1 - Configuring IP ACLs [Cisco Nexus 7000 Series S…
To actually shut it off on the storage system itself, you would need to ask your DellEMC Isilon account team to file a Feature Enhancement request on your behalf.
~Chris
ZBoT
1 Rookie
•
41 Posts
0
October 24th, 2017 10:00
Thanks Chris! That's a good idea. I will look into it.