We have one of our websites up and running on our Nautilus infrastructure in Stratos DC. Our security team has raised a concern that right now Apache's port, i.e. 5002, is open to everyone since there is no firewall installed on these hosts. So we have decided to add a security layer for these hosts, and after discussions and recommendations we have come up with the following requirements:
1. Install iptables and all its dependencies on each app host.
2. Block incoming port 5002 on all apps for everyone except for LBR host.
3. Make sure the rules remain, even after the system reboot.
Sample answer:
#login to an app server
ssh <user>@<app-server-IP>
#switch to root user
sudo su
#install iptables and its dependencies
yum -y install iptables-services
#enable and start iptables, then check its status
systemctl enable iptables
systemctl start iptables
systemctl status iptables
#now review the existing iptables rules before changing anything
cat /etc/sysconfig/iptables
*It will show you the current list of ACCEPT rules and DROP rules.
#now let's add the iptables rules as per the question
##the rule below replaces INPUT rule 5 with one allowing the LBR host (172.16.238.14) to reach the app server on the port
iptables -R INPUT 5 -p tcp --destination-port <port from your question> -s 172.16.238.14 -j ACCEPT
##the rule below appends a DROP so everyone else is blocked on that port; it sits after the ACCEPT, so the LBR rule matches first
iptables -A INPUT -p tcp --destination-port <port from your question> -j DROP
#save the rules
service iptables save
*AS PER THE QUESTION YOU MUST DO ALL THE ABOVE STEPS ON ALL THE APP SERVERS.
##final testing/verification
#login to LBR host
ssh <user>@<LBR-server>
#run the commands below
telnet <app-server-02-IP> <port from your question>
telnet <app-server-03-IP> <port from your question>
curl <app-server-02-IP>:<port from your question>
curl <app-server-03-IP>:<port from your question>
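Besides the telnet/curl checks from the LBR host, you can audit the saved ruleset itself on each app server. The script below is an added example and is not part of the original post: it reads a file in the iptables-save format (what /etc/sysconfig/iptables contains after `service iptables save`) and confirms that the app port is ACCEPTed only from the LBR host, that a DROP for the port exists, and that the ACCEPT comes before the DROP (iptables is first-match, so the reverse order would block the LBR too). It assumes APP_PORT=5002 and LBR_IP=172.16.238.14 (both overridable from the environment); the two sample rulesets are constructed, the good one modelled on a stock iptables-services file after the two commands above, the bad one showing the DROP appended before the ACCEPT.

```shell
#!/bin/sh
# Added example (not from the original post): audit a saved iptables ruleset
# (iptables-save format, as in /etc/sysconfig/iptables) to confirm that the app
# port is accepted only from the LBR host and dropped for everyone else.
# Assumed values: APP_PORT=5002 and LBR_IP=172.16.238.14; both can be
# overridden from the environment. The sample rulesets below are constructed.

APP_PORT="${APP_PORT:-5002}"
LBR_IP="${LBR_IP:-172.16.238.14}"

# check_port_rules FILE
# Walks the INPUT rules that mention --dport $APP_PORT, in file order, and
# prints "ok" (exit 0) only if:
#   - an ACCEPT restricted with -s $LBR_IP exists (iptables-save writes /32),
#   - a DROP or REJECT for the port exists,
#   - the LBR ACCEPT comes before that DROP (first-match semantics),
#   - no ACCEPT for the port lacks a source restriction.
# Otherwise it prints the reason and exits 1.
check_port_rules() {
    awk -v port="$APP_PORT" -v lbr="$LBR_IP" '
        /^-A INPUT / && $0 ~ ("--dport " port "( |$)") {
            n++
            if ($0 ~ /-j ACCEPT/) {
                if (index($0, "-s " lbr "/32 ") || index($0, "-s " lbr " ")) {
                    if (!accept) accept = n
                } else {
                    open = 1
                }
            } else if ($0 ~ /-j (DROP|REJECT)/) {
                if (!drop) drop = n
            }
        }
        END {
            if (open)          { print "open: port " port " is accepted from a source other than " lbr; exit 1 }
            if (!accept)       { print "missing: no ACCEPT for port " port " from " lbr; exit 1 }
            if (!drop)         { print "missing: no DROP for port " port; exit 1 }
            if (drop < accept) { print "order: DROP for port " port " precedes the LBR ACCEPT"; exit 1 }
            print "ok"
        }' "$1"
}

# Constructed ruleset: a stock iptables-services file after the post's two
# commands (INPUT rule 5 replaced by the LBR ACCEPT, DROP appended after it).
write_good_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 172.16.238.14/32 -p tcp -m tcp --dport 5002 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5002 -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Constructed ruleset with the common mistake: the DROP ended up before the
# LBR ACCEPT, so the LBR host is blocked as well.
write_bad_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5002 -j DROP
-A INPUT -s 172.16.238.14/32 -p tcp -m tcp --dport 5002 -j ACCEPT
COMMIT
EOF
}

# Stand-alone demonstration on the two constructed rulesets.
good=$(mktemp); write_good_rules "$good"
bad=$(mktemp);  write_bad_rules "$bad"
echo "good ruleset: $(check_port_rules "$good")"
echo "bad ruleset:  $(check_port_rules "$bad")"
rm -f "$good" "$bad"
```

On a real app server you would run `check_port_rules /etc/sysconfig/iptables` after the save step, or dump the live ruleset first with `iptables-save > /tmp/rules.txt` and check that file; a non-zero exit from the function tells you which of the requirements is not met.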
*Please comment on this post if you are facing any issues in the steps, also provide your feedback in the comments :)