    FOG hardening

    FOG Problems
    martijnv wrote:

      Hi,

      I want to run FOG with the absolute minimum of open ports. My FOG setup runs as a stand-alone (all on one machine) instance. I only want to use it for imaging with no additional services.

      I’ve read this article: https://wiki.fogproject.org/wiki/index.php?title=FOG_security and by default FOG requires quite a few open ports. Are all these ports essential for my minimal scenario?

      I’m also running FOG on a system with 2 network interfaces. I would like the management website only to be available on 1 NIC and the actual imaging on the other NIC. Is this a solution that could work, and how can I achieve that?

      Thanks for your help!

      george1421 (Moderator) wrote:

        For proper imaging to work, you do need to have certain ports open. A typical fog image deployment uses tftp, http, nfs, and ftp. So at a minimum you will need to have these ports open. If you restrict these ports to a specific subnet range then you can increase the security a bit. But these ports must be open to capture and deploy images.

        As for the fog on 2 network interfaces, that is not typically done. But without thinking too hard it could be done as long as the interfaces are on different subnets. On your imaging port you need to have open the protocols I mentioned above. On your management port you can restrict all ports except port 80.

        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

        Wayne Workman wrote:

          For imaging to only be available on one NIC, you’d set up your storage node with that one NIC’s information (interface name and IP).

          If you’re using firewalld, you can drop the samba ports. FOG doesn’t use samba by default but there are add ons for it.

          FOG uses http to communicate with the fog clients, it’s how tasks get marked as done, it’s how clients know there are tasks waiting, it’s how the FOG-Client software gets information from the server. So you cannot block http and have FOG still work.

          FOG is a marriage of many, many different layers of technology and the OSI model, all at once.

          Some common sense stuff - don’t use pre-existing or simple passwords for the web management interface, and don’t use your real administrative credentials for domain joining, use a limited stripped down account for that.

          Daily Clean Installation Results:
          https://fogtesting.fogproject.us/
          FOG Reporting:
          https://fog-external-reporting-results.fogproject.us/

          martijnv wrote:
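The two replies above describe the target policy: the imaging services (tftp, http, nfs, ftp) reachable only from the imaging subnet on the imaging NIC, and only the web UI on the management NIC. The script below is an added example, not code from the FOG project or from either poster, that turns that policy into an nftables ruleset. It uses nftables rather than firewalld only because the per-interface split is explicit in the ruleset text; a firewalld zone per NIC achieves the same. Everything parameterised at the top is an assumption for this example: the interface names and subnets, the FTP passive port range (which must match pasv_min_port/pasv_max_port in vsftpd.conf), and the fixed mountd port (NFSv3's mountd otherwise picks a random port, so pin it in the NFS server configuration). The port numbers themselves are the standard ones (tftp 69/udp, http 80/tcp, rpcbind 111, nfs 2049, ftp 21/tcp). One caveat the posts do not mention: a TFTP server answers from a fresh ephemeral port, so the client's ACKs arrive at a port the ruleset never opened; the conntrack tftp helper makes those packets "related" and the established,related rule lets them through.

```shell
#!/bin/sh
# Added example: build an nftables ruleset for a stand-alone FOG server with
# two NICs. All values below are assumptions for this example; adjust them.
IMG_IF="${IMG_IF:-eth1}"                # NIC the clients being imaged boot from
IMG_NET="${IMG_NET:-10.10.0.0/24}"      # subnet those clients live in
MGMT_IF="${MGMT_IF:-eth0}"              # NIC where the web management UI is reached
MGMT_NET="${MGMT_NET:-192.168.1.0/24}"  # subnet the administrators come from
FTP_PASV="${FTP_PASV:-50000-50100}"     # must equal pasv_min_port/pasv_max_port in vsftpd.conf
MOUNTD_PORT="${MOUNTD_PORT:-20048}"     # pin mountd to this port in the NFS server config

# Emit the ruleset on stdout. Default policy is drop; every accept rule is
# bound to one interface and one source subnet, so nothing is reachable
# "from anywhere" on either NIC.
fog_ruleset() {
cat <<EOF
table inet fog {
    # TFTP data packets go to an ephemeral server port; the helper marks them related.
    # Needs the nf_conntrack_tftp kernel module (modprobe nf_conntrack_tftp).
    ct helper tftp-helper {
        type "tftp" protocol udp
    }

    chain prerouting {
        type filter hook prerouting priority -10; policy accept;
        iifname "$IMG_IF" udp dport 69 ct helper set "tftp-helper"
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept

        # management NIC: web UI only, from the management subnet only
        iifname "$MGMT_IF" ip saddr $MGMT_NET tcp dport 80 accept

        # imaging NIC: the services a capture/deploy actually uses, from the imaging subnet only
        iifname "$IMG_IF" ip saddr $IMG_NET udp dport 69 accept                        # tftp (iPXE boot)
        iifname "$IMG_IF" ip saddr $IMG_NET tcp dport 80 accept                        # http (fog client, init)
        iifname "$IMG_IF" ip saddr $IMG_NET tcp dport { 111, 2049, $MOUNTD_PORT } accept  # rpcbind, nfs, mountd
        iifname "$IMG_IF" ip saddr $IMG_NET udp dport { 111, 2049, $MOUNTD_PORT } accept
        iifname "$IMG_IF" ip saddr $IMG_NET tcp dport { 21, $FTP_PASV } accept         # ftp control + passive data

        # everything else (samba, mysql, ssh from the wrong side, ...) hits the drop policy
    }
}
EOF
}

# Print the ruleset so it can be redirected into a file and checked before loading.
fog_ruleset
```

Apply it with a syntax check first: `sh fog-nft.sh > /etc/nftables.d/fog.nft && nft -c -f /etc/nftables.d/fog.nft`, then `nft -f /etc/nftables.d/fog.nft`. If you administer the box over ssh, add a `tcp dport 22` accept on the management NIC; the ruleset above deliberately contains only what the posts list. The firewall does not change what is listening, so after loading it run `ss -ltnup` and bind services that are not needed off-host (mysql, for example) to 127.0.0.1 as well.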

            Great, thanks for your feedback! I will try your suggestions and will post the results here on the forum.

            Copyright © 2012-2024 FOG Project