
mysql open ports on FOG server

DBCountMan (last edited May 18, 2022, 8:10 PM):

    Doing some routine security checkups on our FOG server. Noticed the mysql TCP 3306 is open. Does this need to be open for FOG to function properly?

george1421, Moderator, @DBCountMan (last edited May 18, 2022, 9:12 PM):

@brakcounty If you have storage nodes, yes. If you only have one FOG server, then no, it doesn't need to be open. If you need to clamp down on that port, you can define firewall rules to limit who/what can connect to that port.

      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

DBCountMan @george1421 (last edited by DBCountMan May 19, 2022, 10:20 AM; May 19, 2022, 3:52 PM):

@george1421 We don't have Storage Nodes (yet). But I do run a cronjob on my secondary FOG server that pulls the mysql db from the primary, a basic backup job. Will locking down the mysql port prevent this function?

george1421, Moderator, @DBCountMan (last edited May 19, 2022, 4:46 PM):

          @brakcounty said in mysql open ports on FOG server:

          Will locking down the mysql port prevent this function?

It depends on how you collect the info from the primary database. If you are using sqldump running on the primary server and then using scp to copy the information over to the secondary, then it should be OK to lock down the port. If you are using sqldump on this server to push the info to the remote server using the mysql protocol, then you will run into an issue.

Having an open port 3306 allows external devices to communicate with the mysql database and your FOG instance if a weak password was used. FOG doesn't use weak passwords, so this would have been something you would have done.

DBCountMan @george1421 (last edited May 19, 2022, 5:10 PM):

            @george1421 These are the commands that I run on my secondary to pull from the primary:

            mysqldump --defaults-file=/root/.my.cnf -h fogserver -u fogstorage fog hosts hostMAC moduleStatusByHost --single-transaction > /root/fog_hosts.sql
            mysqldump --defaults-file=/root/.my.cnf -h fogserver -u fogstorage fog images --single-transaction > /root/fog_images.sql
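The distinction george1421 draws above (a dump taken on the primary and copied with scp, versus a remote mysqldump that talks the MySQL protocol across the network), as an added example that is not code from the thread or from the FOG project. `needs_mysql_tcp` inspects a mysqldump command line like the two posted above and reports whether it will connect to another host over TCP, which is exactly when 3306 has to be reachable through the firewall; `local_dump_and_push` is the socket-plus-scp variant that needs no inbound 3306 on either server. The `backup` SSH user, the `/root/` destination, a credentials file at `/root/.my.cnf` on the primary, and the `DRY_RUN` switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the FOG project).
# needs_mysql_tcp: exit 0 if a mysqldump command line will connect to another
# host over TCP (and therefore needs 3306 open on that host's firewall).
# mysqldump uses the local Unix socket unless -h/--host names a host other than
# localhost; 127.0.0.1 is TCP but stays on loopback, so no inbound rule is needed.
# Caveat: a --defaults-file can also set host=, which this check does not read.
needs_mysql_tcp() {
    host=""
    prev=""
    for arg in "$@"; do
        case "$prev" in
            -h|--host) host="$arg" ;;
        esac
        case "$arg" in
            --host=*) host="${arg#--host=}" ;;
            -h?*)     host="${arg#-h}" ;;
        esac
        prev="$arg"
    done
    case "$host" in
        ""|localhost|127.0.0.1|::1) return 1 ;;
        *) return 0 ;;
    esac
}

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# local_dump_and_push SECONDARY: run on the primary (e.g. from cron). Dumps the
# same tables as the thread's first command over the local socket (no -h), then
# pushes the file with scp, so inbound 3306 stays closed on both servers.
# Assumed: the primary has credentials in /root/.my.cnf, and the secondary
# accepts SSH from user "backup" with /root/ as the destination.
local_dump_and_push() {
    secondary="$1"
    out="/root/fog_hosts.sql"
    run mysqldump --defaults-file=/root/.my.cnf --single-transaction \
        --result-file="$out" fog hosts hostMAC moduleStatusByHost
    run scp "$out" "backup@${secondary}:/root/"
}

# Stand-alone use on the primary:  DRY_RUN=1 ./fogbackup.sh <secondary_ip>
if [ $# -ge 1 ]; then
    local_dump_and_push "$1"
fi
```

Running `needs_mysql_tcp` over the two commands posted above returns 0 for both because of `-h fogserver`, which is george1421's point that they depend on 3306; dropping `-h` and running the dump on the primary is what makes the port closable.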
george1421, Moderator, @DBCountMan (last edited by george1421 May 19, 2022, 11:30 AM; May 19, 2022, 5:28 PM):

@brakcounty Yes, that uses port 3306. If you have a Debian- or Ubuntu-based FOG server, you can create a ufw rule to only allow FOG server 2 to communicate with FOG server 1 on port 3306.

Something like:

              ufw allow from <fog_server_2_ip> to any port 3306 proto tcp
              

That command would be run on FOG server #1. FOG server #2 doesn't need port 3306 unless you are connecting to it from server 3.

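The rule set george1421 describes, as an added example that is not from the thread or the FOG project: a script for FOG server #1 (the primary) that denies inbound traffic by default, opens only the services this thread names (ssh 22, http 80, nfs 2049 plus rpcbind 111, which NFS needs), and limits 3306 to FOG server #2's address, given as the first argument. The second function reads `ufw status` output and fails if any rule lets 3306 in from Anywhere, which is the exposure the thread started from. The port list is deliberately limited to what the thread mentions; the firewall thread linked later in this topic is the authoritative list for FOG, and `ufw enable` is left to the operator once the ssh rule is in place.

```shell
#!/bin/sh
# Added example (not from the thread or the FOG project): the ufw policy
# george1421 describes for FOG server #1 (the primary), plus a check that the
# resulting "ufw status" has no 3306 rule open to Anywhere.
# Assumed: $1 is FOG server #2's address; besides MySQL, only the services this
# thread names are opened (ssh 22, http 80, nfs 2049 plus rpcbind 111, which
# NFS needs). The linked firewall thread is the authoritative FOG port list.

# fog_ufw_rules SECONDARY: print, one per line, the ufw commands to run.
fog_ufw_rules() {
    secondary="$1"
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 111
ufw allow 2049
ufw allow from ${secondary} to any port 3306 proto tcp
EOF
}

# apply_fog_ufw_rules SECONDARY: run the commands (only print them when DRY_RUN=1).
apply_fog_ufw_rules() {
    fog_ufw_rules "$1" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "+ $cmd"
        else
            # deliberate word splitting: each line is one fixed ufw command
            $cmd
        fi
    done
}

# mysql_port_restricted: read "ufw status" output on stdin; exit 0 when no rule
# (IPv4 or v6, plain or verbose "ALLOW IN") allows 3306 from Anywhere, i.e. only
# the listed source addresses may reach MySQL.
mysql_port_restricted() {
    ! grep -qE '^3306(/tcp)?( \(v6\))?[[:space:]]+ALLOW( IN)?[[:space:]]+Anywhere'
}

# Stand-alone use on the primary:  DRY_RUN=1 ./fog-ufw.sh <fog_server_2_ip>
# afterwards:  ufw status | mysql_port_restricted && echo "3306 restricted"
if [ $# -ge 1 ]; then
    apply_fog_ufw_rules "$1"
fi
```

The default-deny line is what makes the later question in this thread (having to allow ssh, nfs and http explicitly) unavoidable: once incoming is denied by default, every service FOG needs has to be listed, which is why the linked port list matters.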
DBCountMan @george1421 (last edited by DBCountMan May 19, 2022, 11:31 AM; May 19, 2022, 5:30 PM):

                @george1421 Oh ok perfect! I’d do that on the primary FOG server right?

EDIT: didn't see your example. Thanks!

DBCountMan @george1421 (last edited May 19, 2022, 7:47 PM):

                  @george1421 If I enable ufw, that means I would also have to define rules to allow other things such as ssh, nfs, and http right?

Wayne Workman @DBCountMan (last edited by Wayne Workman May 19, 2022, 8:03 PM; May 20, 2022, 2:01 AM):

@brakcounty I'd suggest doing some internet searching before asking general Linux questions.

                    https://duckduckgo.com/?q=ubuntu+ufw+default+rules&t=ffab&ia=web

                    First result and second result both have the answer.

                    Daily Clean Installation Results:
                    https://fogtesting.fogproject.us/
                    FOG Reporting:
                    https://fog-external-reporting-results.fogproject.us/

DBCountMan @Wayne Workman (last edited May 20, 2022, 1:37 PM):

                      @wayne-workman Thanks. Sorry about that.

DBCountMan @george1421 (last edited by DBCountMan May 20, 2022, 8:04 AM; May 20, 2022, 1:57 PM):

                        @george1421 Is there a document or list of ports/services that FOG requires to be allowed on a firewall?

george1421, Moderator, @DBCountMan (last edited May 20, 2022, 2:42 PM):

@brakcounty Here is a list that one of the developers created a while ago. It's still relevant, so you should be able to use it as a basis for your settings:
                          https://forums.fogproject.org/topic/6162/firewall-configuration

                          If you use multicast imaging then you will need to take some additional steps.

DBCountMan @george1421 (last edited by DBCountMan May 20, 2022, 2:00 PM; May 20, 2022, 7:55 PM):

@george1421 Got it. I set up the rules using ufw with the ports from that list. I only tested a Full Reg and Inv so far. It hangs on Running Init Scripts for a while, then skips it. I think that is the script that pulls the serial number from the BIOS and auto-populates it as the hostname. I confirmed this when I disabled ufw and that step went right through without delay.

                            Copyright © 2012-2024 FOG Project