
IsardVDI Security concerns

By default IsardVDI opens some container ports to the public world (they could be required in complex infrastructure installations). In the Ports column below, a leading `>` is what remains of a host-to-container mapping (`host:port->`), i.e. a port that is published on the host:

      Name                    Command               State      Ports
isard-api          python3                          Up      >7039/tcp
isard-backend      /backend                         Up      >1312/tcp, 8080/tcp
isard-db           rethinkdb --bind all             Up      28015/tcp, 29015/tcp, >8080/tcp
isard-engine       /usr/bin/supervisord -c /e ...   Up
isard-grafana      /sbin/tini -- /bin/bash /r ...   Up      >2004/tcp, >3000/tcp
isard-hypervisor   sh                               Up      >22/tcp
isard-portal       / hapr ...                       Up      >443/tcp, >80/tcp
isard-redis        redis ...                        Up      6379/tcp
isard-squid        /bin/sh /                        Up
isard-static       / ngin ...                       Up      80/tcp
isard-stats        python3                          Up
isard-webapp       /usr/bin/supervisord -c /e ...   Up      5000/tcp
isard-websockify   /websockify                      Up

This weakens the security of the system: the only ports visible to the outside world should be 80 and 443.

To apply a baseline of security to your installation, there are example scripts for Debian 10 in the sysadm folder:

  • This is not a security script, it is only the first thing you should do: install docker & docker-compose.
  • This will do many things:
    • Install fail2ban
    • Install firewalld
    • Switch Debian 10 firewalld from its default nf_tables backend to the old iptables behaviour. This is required on newer OSes (CentOS 8 as well) until we have a working configuration for nf_tables ;-)
    • Remove all existing firewalld configuration and apply what an IsardVDI server requires:
      • Add masquerade to avoid exposing all docker ports to the outside world
      • Allow ssh (default port 22) access to the server. WARNING: you must modify the script if you are using another port!
      • Allow ports 80 and 443 for normal IsardVDI operation (these are the only two ports IsardVDI requires)
      • Restart the firewalld, fail2ban and docker services to apply the configuration
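As an added example, not the project's own sysadm script, the firewalld steps listed above written out for a Debian 10 host, together with a check that reads `docker ps --format '{{.Ports}}'` output and lists any host port published beyond 80, 443 and SSH. The zone name `public`, the `SSH_PORT` variable and using the `FirewallBackend` setting in `/etc/firewalld/firewalld.conf` to force the iptables backend are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not the IsardVDI sysadm script: firewalld setup for an IsardVDI
# host following the steps above. Assumptions: the active zone is "public" and
# SSH_PORT holds the real SSH port (default 22; change it if you use another).
set -eu
SSH_PORT="${SSH_PORT:-22}"
ZONE=public

# Print the commands that reset the zone and allow only SSH, 80 and 443.
# Review the plan first; apply it with: ./isard-firewall.sh --apply
isard_firewall_plan() {
    # Switch firewalld from nf_tables to the iptables backend (needed for docker).
    echo "sed -i 's/^FirewallBackend=.*/FirewallBackend=iptables/' /etc/firewalld/firewalld.conf"
    # Drop whatever the zone currently allows, then add the IsardVDI policy.
    echo "for p in \$(firewall-cmd --permanent --zone=$ZONE --list-ports); do firewall-cmd --permanent --zone=$ZONE --remove-port=\$p; done"
    echo "for s in \$(firewall-cmd --permanent --zone=$ZONE --list-services); do firewall-cmd --permanent --zone=$ZONE --remove-service=\$s; done"
    echo "firewall-cmd --permanent --zone=$ZONE --add-masquerade"
    echo "firewall-cmd --permanent --zone=$ZONE --add-port=${SSH_PORT}/tcp"
    echo "firewall-cmd --permanent --zone=$ZONE --add-service=http"
    echo "firewall-cmd --permanent --zone=$ZONE --add-service=https"
    echo "systemctl restart firewalld fail2ban docker"
}

# Check: read 'docker ps --format {{.Ports}}' lines on stdin and print every
# host port published on all interfaces (0.0.0.0:PORT-> or :::PORT->) that is
# not 80, 443 or SSH_PORT. Ports without a host mapping are container-only.
unexpected_published_ports() {
    grep -oE '(0\.0\.0\.0|::):[0-9]+->' | sed -E 's/.*:([0-9]+)->/\1/' \
        | sort -un | grep -vxE "80|443|${SSH_PORT}" || true
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    isard_firewall_plan | bash -e
fi
```

Run `docker ps --format '{{.Ports}}' | ./isard-firewall.sh` (after sourcing the functions) to see which published ports still need to be closed; an empty result means only 80, 443 and SSH are reachable.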

Last update: April 18, 2023