Just came down to also suggest the following for security: Use hosts.allow and hosts.deny command in Linux.

R. A.

BTW, there is a website called Thank God it's Friday! It tells you fun things to do in your area over the weekend. See here: http://www.ThankGodItIsFriday.com

On 8 Apr 2013 16:50, "Ravindranath Akila" <[email protected]> wrote:

> There's more to do (just in case someone concludes the configs are final).
> I'm working on multicast packets right now. I'll let you guys know if I
> manage to get everything working.
>
> I'm curious though, how do you guys handle the security concerns on the
> cloud?
>
> Thanks!
>
> On Mon, Apr 1, 2013 at 5:13 AM, Mahadev Konar <[email protected]> wrote:
>
>> Nice work Ravindra.
>> Yes, DB ports need to be open as well.
>>
>> thanks
>> mahadev
>>
>> On Fri, Mar 29, 2013 at 6:29 AM, Ravindranath Akila <[email protected]> wrote:
>>
>>> Hey Paulo,
>>> Thanks, your response helped me a lot. So what I did is, enabled
>>> firewall logs and checked what requests were getting rejected and dropped.
>>> Later I figured it is too much configuration (so many ports!). So what I
>>> did was, allowed all machines on the cluster to communicate with each other
>>> without interference and reject all outside traffic. The following rules in
>>> /etc/sysconfig/iptables worked:
>>>
>>>     *filter
>>>     :INPUT ACCEPT [0:0]
>>>     :FORWARD ACCEPT [0:0]
>>>     :OUTPUT ACCEPT [0:0]
>>>
>>>     -A INPUT -s <IP1> -j ACCEPT
>>>     -A INPUT -s <IP2> -j ACCEPT
>>>     -A INPUT -s <IP3> -j ACCEPT
>>>     ....
>>>     -A INPUT -s <IPN> -j ACCEPT
>>>     -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>     -P INPUT DROP
>>>     -P FORWARD DROP
>>>
>>>     COMMIT
>>>
>>> where <IP1> <IP2> <IP3> <IPN> are the IPs of the machines in the cluster.
>>>
>>> However, the node which contains ambari-server, and nothing else, does
>>> not like this. So part of the security concerns is taken care of, as all
>>> the rest of the cluster nodes are open only to each other. But how I go
>>> about with the ambari-server node, I need to figure out. Any idea why this
>>> might be the case? DB port needs to be open maybe?
>>>
>>> On Wed, Mar 27, 2013 at 6:55 PM, Paulo Ricardo Paz Vital <[email protected]> wrote:
>>>
>>>> Hello Ravindranath,
>>>>
>>>> About what I could understand of Ambari's design, iptables can block
>>>> some ports used between server and a client (agent nodes) during the
>>>> client's registration step, as well as the heartbeat communication during the
>>>> execution of the cluster. Also, there is the port of the web UI provided by
>>>> ambari-web on the server, and there are some ports (I never remember the
>>>> numbers) that Nagios uses to provide some components' web UI on clients.
>>>>
>>>> I guess you can create iptables rules for all these ports on both
>>>> server and client sides. Maybe the ambari-server and ambari-agent can
>>>> check the iptables rules and create them if not running. I was talking with
>>>> a friend yesterday regarding this "missing feature" - my intention is not
>>>> to create a flame here guys :-D !!!
>>>>
>>>> Now, regarding SELinux, I don't know the restrictions it imposes on
>>>> Ambari, so I can't help you on this - I must study this part :-D.
>>>>
>>>> I hope this helps you!
>>>> Regards, Paulo.
>>>>
>>>> On 03/27/2013 12:18 AM, Ravindranath Akila wrote:
>>>>
>>>>> Actually, how do iptables and SELinux interfere with Ambari? If I
>>>>> know that, maybe I can look for a workaround. Thanks in advance.
>>>>>
>>>>> Yours,
>>>>> Ravindranath Akila...
>>>>>
>>>>> On Wed, Mar 27, 2013 at 1:53 AM, Ravindranath Akila <[email protected]> wrote:
>>>>>
>>>>>     I am tempted to do that or go for a physical firewall on Rackspace
>>>>>     for 25k per month :-)
>>>>>     My exposure to shell scripting is bad :-( Where can I grab the
>>>>>     code?
>>>>>
>>>>>     Thanks!
>>>>>
>>>>>     R. A.
>>>>>
>>>>>     On 26 Mar 2013 01:44, "Mahadev Konar" <[email protected]> wrote:
>>>>>
>>>>>         Hi Ravindra,
>>>>>         Currently there isn't, but it should be a minor change to the
>>>>>         scripts. Do you want to file a jira and maybe upload a patch?
>>>>>         :)
>>>>>         We could switch it off with a flag option.
>>>>>
>>>>>         thanks
>>>>>         mahadev
>>>>>
>>>>>         On Mon, Mar 25, 2013 at 6:18 AM, Ravindranath Akila <[email protected]> wrote:
>>>>>
>>>>>             Hello,
>>>>>             Is there a workaround for disabling iptables and
>>>>>             SELinux?
>>>>>             I'm exploring the options of securing the cluster in the
>>>>>             cloud without a physical firewall. Any suggestions would be
>>>>>             great!
>>>>>
>>>>>             Thanks in advance :-)
>>>>>
>>>>>             Yours,
>>>>>             Ravindranath Akila...
>>>>>
>>>>>             --
>>>>>             *Find out on I Like Places* <http://www.ILikePlaces.com>
>>>>>             *http://www.ILikePlaces.com*
>>>>
>>>> --
>>>> Paulo Ricardo Paz Vital, Staff Software Engineer
>>>> Linux Technology Center, IBM Systems & Technology Group
>>>> -------------------------------------------------------
>>>> IBM
>>>> Rodovia SP101, km9 - ZIP: 13186-900
>>>> Hortolândia, SP - Brazil
>>>> Phone: +55-19-2132-2336
>>>> e-mail: [email protected]
>>>> http://www.ibm.com/linux/ltc
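As an added illustration (not code from this thread or from the Ambari project), the following POSIX shell script builds the kind of cluster-only allowlist Ravindranath posted from a list of node addresses: it validates each address, sets the DROP policies on the chain lines of the iptables-restore file, keeps the ESTABLISHED,RELATED rule, and adds a loopback accept rule that the posted ruleset lacks, so services on a node can still reach each other over 127.0.0.1. The function names and the use of /etc/sysconfig/iptables as the output path are this example's own assumptions.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset that lets only the listed cluster nodes
# reach this host and drops everything else. Constructed example; the function
# names and output path are assumptions, not anything from Ambari.

# is_ipv4 ADDR -> returns 0 if ADDR is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # the regex allows 999.1.1.1, so also reject octets above 255
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# gen_cluster_rules IP... -> prints the ruleset on stdout; returns 1 and prints
# nothing if any address is malformed, so a typo never yields a half-built file.
gen_cluster_rules() {
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    # default policies go on the chain lines in iptables-restore format
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: local services on this host can still talk over 127.0.0.1
-A INPUT -i lo -j ACCEPT
# replies to connections this host itself opened
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # one accept rule per cluster node; everything else falls to the DROP policy
    for ip in "$@"; do
        echo "-A INPUT -s $ip/32 -j ACCEPT"
    done
    echo "COMMIT"
}

# install_rules IP... -> writes the ruleset and loads it with iptables-restore.
# Needs root; load it from a console session first so a mistake cannot lock
# you out of SSH on a remote node.
install_rules() {
    gen_cluster_rules "$@" > /etc/sysconfig/iptables || return 1
    iptables-restore < /etc/sysconfig/iptables
}
```

Run `gen_cluster_rules 10.0.0.1 10.0.0.2` to inspect the generated file before installing it; any management ports the cluster needs from outside (the Ambari web UI, for instance) still have to be added as explicit accept rules.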
