Hi Timothy,

> Does this have security issues since everyone can access the port and do cache reading/writing?

In addition to iptables rules, you can disable the Thin/JDBC/ODBC protocols. You can get more information from [1] and the corresponding references (setThinClientEnabled/setOdbcEnabled/setJdbcEnabled) in the Javadoc [2]. On the other hand, you can disable the above port entirely by setting ClientConnectorConfiguration to null in IgniteConfiguration. Also, as I see, IPv6 is used, and I recommend you read this section [3].

Links:
1. https://ignite.apache.org/docs/latest/thin-clients/getting-started-with-thin-clients#configuring-thin-client-connector
2. https://ignite.apache.org/releases/2.11.0/javadoc/org/apache/ignite/configuration/ClientConnectorConfiguration.html
3. https://ignite.apache.org/docs/latest/clustering/network-configuration#ipv4-vs-ipv6

On Thu, 18 Nov 2021 at 12:32, Gianluca Bonetti <gianluca.bone...@gmail.com> wrote:

> Hello Timothy
>
> I usually add iptables rules on top of every deployment, to block access
> from unknown locations to Apache Ignite and other services (Tomcat to name
> one, and others)
>
> My typical iptables rules, embedded into /etc/rc.local, look like this:
>
> iptables -A INPUT -p tcp --match multiport --dport 10800,10801,11211,47100:47109,47400:47409,47500:47509 -s 127.0.0.1 -j ACCEPT
> iptables -A INPUT -p tcp --match multiport --dport 10800,10801,11211,47100:47109,47400:47409,47500:47509 -s 10.192.192.192/26 -j ACCEPT
> iptables -A INPUT -p tcp --match multiport --dport 10800,10801,11211,47100:47109,47400:47409,47500:47509 -j REJECT
>
> So connection to all Ignite ports (known to me) is permitted from
> localhost, from private network space in the cloud, then forbidden from
> anywhere else.
> You may also want to limit other ports exposed to the wild you may notice
> by netstat -nat
> This is a simple solution, other experts may have better solutions, and
> I'm also interested in them :)
>
> On the other hand, I noticed you're running Ignite on IPv6, but I think
> running on IPv4 is still preferred.
>
> Cheers
> Gianluca
>
> On Thu, 18 Nov 2021 at 02:08, Timothy Peng <timosp...@gmail.com> wrote:
>
>> Hello,
>>
>> I saw Ignite is listening on all interfaces by default:
>>
>> tcp6 0 0 :::10800 :::* LISTEN 3211/java
>>
>> Does this have security issues since everyone can access the port and do
>> cache reading/writing?
>>
>> Thanks
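
As an added example (not part of the original thread), the shell function below reads `netstat -nat` output and reports every Ignite port that is listening on a wildcard address, using the port list from the iptables rules above. The function names are hypothetical, and every sample line except the `:::10800` listener is constructed.

```shell
#!/bin/sh
# Reads `netstat -nat`-style lines on stdin and prints "PORT ADDRESS" for each
# Ignite port (list taken from the iptables rules in this thread) that is in
# LISTEN state on a wildcard address, i.e. reachable on every interface.
audit_ignite_listeners() {
    awk '
    function is_ignite_port(p) {
        return p == 10800 || p == 10801 || p == 11211 ||
               (p >= 47100 && p <= 47109) ||
               (p >= 47400 && p <= 47409) ||
               (p >= 47500 && p <= 47509)
    }
    $6 == "LISTEN" {
        la = $4
        # The port is the text after the last colon; the address precedes it,
        # so IPv6 forms such as ":::10800" and "::1:10800" split correctly.
        n = split(la, parts, ":")
        port = parts[n] + 0
        addr = substr(la, 1, length(la) - length(parts[n]) - 1)
        # Wildcard binds: 0.0.0.0 (IPv4), :: (IPv6), * on some netstat builds.
        if (is_ignite_port(port) && (addr == "0.0.0.0" || addr == "::" || addr == "*"))
            print port, addr
    }'
}

# Constructed sample input (only the :::10800 line comes from the thread).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::10800                :::*                    LISTEN      3211/java
tcp        0      0 0.0.0.0:47500           0.0.0.0:*               LISTEN      3211/java
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      3211/java
tcp        0      0 10.192.192.200:47100    0.0.0.0:*               LISTEN      3211/java
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      801/sshd
tcp        0      0 10.192.192.200:10800    10.192.192.201:51234    ESTABLISHED 3211/java
EOF
}

# On a real node, run: netstat -nat | audit_ignite_listeners
sample_netstat | audit_ignite_listeners
```

An empty result after changing the Ignite configuration or bind address means none of the listed ports is still bound to all interfaces; the iptables rules remain a separate layer.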