- Català: Aquesta pàgina no està traduida encara al català.
- Castellano: Esta página no está traducida aún al castellano.
IsardVDI Security concerns¶
By default IsardVDI will open some container ports to the public world (as they could be required in complex infrastructure installations:
Name Command State Ports
----------------------------------------------------------------------------------------------------------
isard-api python3 start.py Up 0.0.0.0:7039->7039/tcp
isard-backend /backend Up 0.0.0.0:1312->1312/tcp, 8080/tcp
isard-db rethinkdb --bind all Up 28015/tcp, 29015/tcp, 0.0.0.0:8080->8080/tcp
isard-engine /usr/bin/supervisord -c /e ... Up
isard-grafana /sbin/tini -- /bin/bash /r ... Up 0.0.0.0:2004->2004/tcp, 0.0.0.0:3000->3000/tcp
isard-hypervisor sh run.sh Up 0.0.0.0:2022->22/tcp
isard-portal /docker-entrypoint.sh hapr ... Up 0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
isard-redis docker-entrypoint.sh redis ... Up 6379/tcp
isard-squid /bin/sh /run.sh Up
isard-static /docker-entrypoint.sh ngin ... Up 80/tcp
isard-stats python3 run.py Up
isard-webapp /usr/bin/supervisord -c /e ... Up 5000/tcp
isard-websockify /websockify Up
This will lead to a compromised system in terms of security as the only visible ports outside world should be 80 and 443.
To apply a base security to your installation you have some example scripts for Debian 10 at sysadm folder:
- debian_docker.sh: This is not a security script, it is only the first thing you should do: install docker & docker-compose
- debian_firewall.sh: This will do many things:
- Install fail2ban
- Install firewalld
- Modify Debian 10 firewalld default nf_tables to old iptables behaviour. This is required in newer OS (centos 8 also) till we got a working configuration for nfs_tables ;-)
- Remove all existing firewalld configurations and apply the required for an IsardVDI server:
- Add masquerade to avoid exposing all docker ports to outside world
- Allow for ssh (default port 22) access to the server. WARNING: You should modify the script if you are using another port!!!!
- Allow ports 80 and 443 for normal IsardVDI operation (this are the only two ports required for IsardVDI)
- Restart firewalld, fail2ban and docker services to apply configuration
Last update:
April 18, 2023