FOG hardening



  • Hi,

    I want to run FOG with the absolute minimum of open ports. My FOG setup runs as a stand-alone (all on one machine) instance. I only want to use it for imaging with no additional services.

    I’ve read this article: https://wiki.fogproject.org/wiki/index.php?title=FOG_security and by default FOG requires quite a few open ports. Are all these ports essential for my minimal scenario?

    I’m also running FOG on a system with 2 network interfaces. I would like the management website only to be available on 1 NIC and the actual imaging on the other NIC, is this a solution that could work and how can achieve that?

    Thanks for your help!



  • Great, thanks for your feedback! I will try your suggestions and will post the results here on the forum.


  • Moderator

    For imaging to only be available on one NIC, you’d setup your storage node with that one NIC’s information (interface name and IP).

    If you’re using firewalld, you can drop the samba ports. FOG doesn’t use samba by default but there are add ons for it.

    FOG uses http to communicate with the fog clients, it’s how tasks get marked as done, it’s how clients know there are tasks waiting, it’s how the FOG-Client software gets information from the server. So you cannot block http and FOG still work.

    FOG is a marriage of many, many different layers of technology and the OSI model, all at once.

    Some common sense stuff - don’t use pre-existing or simple passwords for the web management interface, and don’t use your real administrative credentials for domain joining, use a limited stripped down account for that.


  • Moderator

    For proper imaging to work, you do need to have certain ports open. A typical fog image deployment uses tftp, http, nfs, and ftp. So at a minimum you will need to have these ports open. If you restrict these ports to a specific subnet range then you can increase the security a bit. But these ports must be open to capture and deploy images.

    As for the fog on 2 network interfaces, that is not typically done. But without thinking to hard it could be done as long as the interfaces are on different subnets. On your imaging port you need to have open the protocols I mentioned above. On your management port you can restrict all ports except port 80.


Log in to reply
 

Looks like your connection to FOG Project was lost, please wait while we try to reconnect.