
    mysql open ports on FOG server

    • D
      DBCountMan
      last edited by

      Doing some routine security checkups on our FOG server. Noticed the mysql TCP 3306 is open. Does this need to be open for FOG to function properly?

      • george1421G
        george1421 Moderator @DBCountMan
        last edited by

        @brakcounty if you have storage nodes, yes. If you only have one fog server then no it doesn’t need to be open. If you need to clamp down on that port you can define firewall rules to limit who/what can connect to that port.

        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

        • D
          DBCountMan @george1421
          last edited by DBCountMan

          @george1421 We don't have Storage Nodes (yet). But I do run a cronjob on my secondary FOG server that pulls mysql db from the primary, basic backup job. Will locking down the mysql port prevent this function?

          • george1421G
            george1421 Moderator @DBCountMan
            last edited by

            @brakcounty said in mysql open ports on FOG server:

            Will locking down the mysql port prevent this function?

            It depends on how you collect the info from the primary database? If you are using sqldump running on the primary server and then using scp to copy the information over to the secondary then it should be OK to lock down the port. If you are using sqldump on this server to push the info to the remote server using the mysql protocol then you will run into an issue.

            Having an open port 3306 allows external devices to communicate with the mysql database and your fog instance if a weak password was used. FOG doesn’t use weak passwords so this would have been something you would have done.

            • D
              DBCountMan @george1421
              last edited by

              @george1421 These are the commands that I run on my secondary to pull from the primary:

              mysqldump --defaults-file=/root/.my.cnf -h fogserver -u fogstorage fog hosts hostMAC moduleStatusByHost --single-transaction > /root/fog_hosts.sql
              mysqldump --defaults-file=/root/.my.cnf -h fogserver -u fogstorage fog images --single-transaction > /root/fog_images.sql
              
              
              • george1421G
                george1421 Moderator @DBCountMan
                last edited by george1421

                @brakcounty yes that uses port 3306. If you have a debian or ubuntu based fog server you can create a ufw rule to only allow fog server 2 to communicate with fog server 1 on port 3306

                something like

                ufw allow from <fog_server_2_ip> to any port 3306 proto tcp
                

                That command would be run on fog server #1. FOG server #2 doesn’t need port 3306 unless you are connecting to it from server 3.


                D 3 Replies Last reply Reply Quote 0
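
Added example (not part of the original posts and not FOG project code): a check that the ufw rule suggested above had the intended effect, reading `ufw status` output and flagging any ALLOW rule for port 3306 whose source is not the secondary server. The function name is hypothetical, and the sample output and 192.0.2.x addresses are constructed.

```shell
# Added example: audit `ufw status` output for rules exposing MySQL (3306).
# On the primary FOG server:  ufw status | audit_3306 <fog_server_2_ip>
# Returns 0 only when ufw is active and 3306 is allowed from the expected
# source and nowhere else. Only plain "3306" / "3306/tcp" rules are matched.
audit_3306() {
    awk -v want="$1" '
        /^Status: active/ { active = 1 }
        {
            # Find the action column: "(v6)" shifts it on IPv6 rows, and
            # `ufw status verbose` appends a direction ("ALLOW IN").
            act = 0
            for (i = 2; i <= NF; i++) if ($i == "ALLOW") { act = i; break }
            if (!act || ($1 != "3306" && $1 != "3306/tcp")) next
            src = act + 1
            if ($src == "IN") src++
            if ($src == want) { ok = 1; next }
            print "3306 allowed from unexpected source: " $src
            bad = 1
        }
        END {
            if (!active) print "ufw is not active, rules are not enforced"
            if (!ok) print "no rule allows 3306 from " want
            exit (bad || !ok || !active)
        }
    '
}

# Constructed `ufw status` output (documentation addresses, not a real host).
sample_tight() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
3306/tcp                   ALLOW       192.0.2.20
EOF
}

sample_loose() {
    cat <<'EOF'
Status: active
3306/tcp                   ALLOW       192.0.2.20
3306                       ALLOW       Anywhere
3306 (v6)                  ALLOW       Anywhere (v6)
EOF
}
```

A leftover `3306 ALLOW Anywhere` rule, as in `sample_loose`, still exposes the port even though the restricted rule is present, which is why the check fails on it.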
                • D
                  DBCountMan @george1421
                  last edited by DBCountMan

                  @george1421 Oh ok perfect! I’d do that on the primary FOG server right?

                  EDIT: didn't see your example. Thanks!

                  • D
                    DBCountMan @george1421
                    last edited by

                    @george1421 If I enable ufw, that means I would also have to define rules to allow other things such as ssh, nfs, and http right?

                    • Wayne WorkmanW
                      Wayne Workman @DBCountMan
                      last edited by Wayne Workman

                      @brakcounty I’d suggest doing some internet searching before asking general linux questions.

                      https://duckduckgo.com/?q=ubuntu+ufw+default+rules&t=ffab&ia=web

                      First result and second result both have the answer.

                      Daily Clean Installation Results:
                      https://fogtesting.fogproject.us/
                      FOG Reporting:
                      https://fog-external-reporting-results.fogproject.us/

                      • D
                        DBCountMan @Wayne Workman
                        last edited by

                        @wayne-workman Thanks. Sorry about that.

                        • D
                          DBCountMan @george1421
                          last edited by DBCountMan

                          @george1421 Is there a document or list of ports/services that FOG requires to be allowed on a firewall?

                          • george1421G
                            george1421 Moderator @DBCountMan
                            last edited by

                            @brakcounty Here is a list that one of the developers created a while ago. It's still relevant so you should be able to use it as a basis of your settings:
                            https://forums.fogproject.org/topic/6162/firewall-configuration

                            If you use multicast imaging then you will need to take some additional steps.

                            • D
                              DBCountMan @george1421
                              last edited by DBCountMan

                              @george1421 Got it. I set up the rules using ufw with the ports from that list. I only tested a Full Reg and Inv so far. It hangs on Running Init Scripts for a while then skips it. I think that is the script that pulls the serial number from the BIOS and auto-populates it as the hostname. I confirmed this when I disabled ufw and that step went right through without delay.

                              1 Reply Last reply Reply Quote 0
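
Added example (not part of the thread and not FOG project code): when a step stalls only while ufw is enabled, as in the last post, the packets ufw dropped show which rule is missing. With `ufw logging on`, dropped packets are logged with a `[UFW BLOCK]` prefix; the function below, whose name is hypothetical, groups them by source, protocol and destination port. The log lines, addresses and ports in the sample are constructed.

```shell
# Added example: summarise packets dropped by ufw, from kernel log text on
# stdin. Prints "count source proto dport", most frequent first.
# Typical use (log location varies by distribution):
#   journalctl -k | summarise_ufw_blocks
summarise_ufw_blocks() {
    awk '
        /\[UFW BLOCK\]/ {
            src = proto = dpt = "-"          # ICMP lines carry no DPT field
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            seen[src " " proto " " dpt]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed log lines in the format ufw writes when logging is on.
sample_log() {
    cat <<'EOF'
Jan 10 09:15:01 fog1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=60 TTL=64 ID=101 DF PROTO=TCP SPT=40001 DPT=3306 WINDOW=64240 SYN URGP=0
Jan 10 09:15:02 fog1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=60 TTL=64 ID=102 DF PROTO=TCP SPT=40001 DPT=3306 WINDOW=64240 SYN URGP=0
Jan 10 09:15:04 fog1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=60 TTL=64 ID=103 DF PROTO=TCP SPT=40001 DPT=3306 WINDOW=64240 SYN URGP=0
Jan 10 09:16:10 fog1 kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.0.2.20 DST=192.0.2.10 LEN=60 TTL=64 ID=201 DF PROTO=TCP SPT=51000 DPT=3306 WINDOW=64240 SYN URGP=0
Jan 10 09:17:30 fog1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 LEN=48 TTL=64 ID=301 PROTO=UDP SPT=50010 DPT=5000 LEN=28
EOF
}
```

Each destination port in the summary can be compared against the ports the firewall list says FOG needs; one that is required but appears here is a rule still to be added.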
                              Copyright © 2012-2024 FOG Project