Posted to user@ignite.apache.org by Timothy Peng <ti...@gmail.com> on 2021/11/18 01:08:37 UTC

security issues question

Hello,

I saw Ignite is listening on all interfaces by default:

tcp6       0      0 :::10800                :::*                    LISTEN      3211/java


Does this have security issues since everyone can access the port and do
cache reading/writing?


Thanks

Re: security issues question

Posted by Shishkov Ilya <sh...@gmail.com>.
Hi Timothy,
> Does this have security issues since everyone can access the port and do
> cache reading/writing?

In addition to iptables rules, you can disable the Thin/JDBC/ODBC protocols.
You can get more information from [1] and the corresponding references
(setThinClientEnabled/setOdbcEnabled/setJdbcEnabled) in the Javadoc [2].
On the other hand, you can disable the above port altogether by setting
ClientConnectorConfiguration to null in IgniteConfiguration.
Also, as I see, IPv6 is used, and I recommend that you read this section [3].

Links:
1. https://ignite.apache.org/docs/latest/thin-clients/getting-started-with-thin-clients#configuring-thin-client-connector
2. https://ignite.apache.org/releases/2.11.0/javadoc/org/apache/ignite/configuration/ClientConnectorConfiguration.html
3. https://ignite.apache.org/docs/latest/clustering/network-configuration#ipv4-vs-ipv6

Thu, 18 Nov 2021 at 12:32, Gianluca Bonetti <gi...@gmail.com>:

> Hello Timothy
>
> I usually add iptables rules on top of every deployment, to block access
> from unknown locations to Apache Ignite and other services (Tomcat to name
> one, and others).
>
> My typical iptables rules, embedded into /etc/rc.local, look like this:
>
> iptables -A INPUT -p tcp --match multiport --dport 10800,10801,11211,47100:47109,47400:47409,47500:47509 -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -p tcp --match multiport --dport 10800,10801,11211,47100:47109,47400:47409,47500:47509 -s 10.192.192.192/26 -j ACCEPT
> iptables -A INPUT -p tcp --match multiport --dport 10800,10801,11211,47100:47109,47400:47409,47500:47509 -j REJECT
>
> So connections to all Ignite ports (known to me) are permitted from
> localhost and from the private network space in the cloud, then forbidden
> from anywhere else.
> You may also want to limit other ports exposed to the wild, which you may
> notice with netstat -nat.
> This is a simple solution; other experts may have better solutions, and
> I'm also interested in them :)
>
> On the other hand, I noticed you're running Ignite on IPv6, but I think
> running on IPv4 is still preferred.
>
> Cheers
> Gianluca
>
> On Thu, 18 Nov 2021 at 02:08, Timothy Peng <ti...@gmail.com> wrote:
>
>> Hello,
>>
>> I saw Ignite is listening on all interfaces by default:
>>
>> tcp6       0      0 :::10800                :::*                    LISTEN      3211/java
>>
>>
>> Does this have security issues since everyone can access the port and do
>> cache reading/writing?
>>
>>
>> Thanks
>>
>
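The connector settings Ilya points to, written out as an added example (this is not code from the thread or from the Ignite project). The bind address 10.192.192.200 is an assumed host inside the private /26 used in the iptables rules; everything else uses the documented ClientConnectorConfiguration and IgniteConfiguration setters.

```java
import org.apache.ignite.Ignite;
import org.apache.ignite.Ignition;
import org.apache.ignite.configuration.ClientConnectorConfiguration;
import org.apache.ignite.configuration.IgniteConfiguration;

public class RestrictedClientConnector {

    // Client connector that listens on one private address only and speaks
    // only the thin-client protocol. 10.192.192.200 is an assumed address.
    static ClientConnectorConfiguration restrictedConnector() {
        ClientConnectorConfiguration cc = new ClientConnectorConfiguration();

        // Bind to a specific interface instead of the default wildcard
        // (the ":::10800" seen in the netstat output).
        cc.setHost("10.192.192.200");
        cc.setPort(10800);

        // Keep the protocol the application uses, switch off the rest
        // (setThinClientEnabled/setJdbcEnabled/setOdbcEnabled from [2]).
        cc.setThinClientEnabled(true);
        cc.setJdbcEnabled(false);
        cc.setOdbcEnabled(false);
        return cc;
    }

    public static void main(String[] args) {
        IgniteConfiguration cfg = new IgniteConfiguration();

        // Same idea for the discovery/communication listeners (47100..., 47500...):
        // bind them to the private address rather than all interfaces.
        cfg.setLocalHost("10.192.192.200");
        cfg.setClientConnectorConfiguration(restrictedConnector());

        // Alternative from the reply: no client connector at all, so port
        // 10800 is never opened.
        // cfg.setClientConnectorConfiguration(null);

        try (Ignite ignite = Ignition.start(cfg)) {
            System.out.println("Client connector: "
                + ignite.configuration().getClientConnectorConfiguration());
        }
    }
}
```

After the node starts, `netstat -nat` (or `ss -tln`) should show 10800 bound to 10.192.192.200 rather than `:::10800`; the iptables rules above remain a useful second layer.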

Re: security issues question

Posted by Gianluca Bonetti <gi...@gmail.com>.
Hello Timothy

I usually add iptables rules on top of every deployment, to block access
from unknown locations to Apache Ignite and other services (Tomcat to name
one, and others).

My typical iptables rules, embedded into /etc/rc.local, look like this:

iptables -A INPUT -p tcp --match multiport --dport 10800,10801,11211,47100:47109,47400:47409,47500:47509 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --match multiport --dport 10800,10801,11211,47100:47109,47400:47409,47500:47509 -s 10.192.192.192/26 -j ACCEPT
iptables -A INPUT -p tcp --match multiport --dport 10800,10801,11211,47100:47109,47400:47409,47500:47509 -j REJECT

So connections to all Ignite ports (known to me) are permitted from
localhost and from the private network space in the cloud, then forbidden
from anywhere else.
You may also want to limit other ports exposed to the wild, which you may
notice with netstat -nat.
This is a simple solution; other experts may have better solutions, and I'm
also interested in them :)

On the other hand, I noticed you're running Ignite on IPv6, but I think
running on IPv4 is still preferred.

Cheers
Gianluca

On Thu, 18 Nov 2021 at 02:08, Timothy Peng <ti...@gmail.com> wrote:

> Hello,
>
> I saw Ignite is listening on all interfaces by default:
>
> tcp6       0      0 :::10800                :::*                    LISTEN      3211/java
>
>
> Does this have security issues since everyone can access the port and do
> cache reading/writing?
>
>
> Thanks
>