RabbitMQ, MongoDB and Security

We have 2 linodes running with private ip enabled.

linode A (already running)

CentOS 7

Private IP (dummy): 1.1.1.1 / 17

Configured to work as a web server with LAMP

linode B (wip)

UBUNTU 16.04

Private IP (dummy): 1.1.1.2 / 17

Now we need to set up RabbitMQ and MongoDB on a separate linode, and we decided to use linode B for this purpose. So we are trying to restrict access to MongoDB and RabbitMQ to linode A only. We have taken the steps below to increase security and are looking for some more guidance to make sure it's production ready.

1. Installed fail2ban

2. Configured the firewall to only accept incoming traffic from linode A IP

sudo ufw allow from 1.1.1.1/17 to any port 27017
sudo ufw allow from 1.1.1.1/17 to any port 5672

3. Added authentication to mongodb with user roles

4. Configured rabbitmq to work with vhost and user roles

Anything missing?

5. Is it necessary to protect the traffic between the 2 linodes with SSL/TLS?

6. Is it okay to add an nginx webserver and set up a reverse proxy to access the RabbitMQ web console via SSL?

Any suggestions or guidance greatly appreciated

Thank you

4 Replies

I've setup several clusters in linode by using the private IP network.

As far as I know, it's private among the servers, so all you have to do is force your services/daemons/processes to listen on the private IP address only (instead of 0.0.0.0 use your private IP).

There is no need for encryption or even authentication. But having said that, I always use authentication and various other restrictions. For example, in MariaDB, I don't do GRANT ALL, instead I give specific grants per user/database.

So fail2ban should be of no use. Even if your linode A is hacked, the attacker can easily read the authentication you use to connect to linode B, so your fail2ban on linode B will be useless.

Anyway, the first step is to make everything listen to the private IP, with the exception of SSH (if you want remote access directly).
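Added example, not code from the thread: a POSIX sh audit of the point made in the reply above (the daemons on linode B should listen on the private IP only), plus a check of how wide the source of the poster's `ufw allow from 1.1.1.1/17` rule actually is (a /17 admits every address in that range, not linode A alone). The private IP 192.168.1.200 and the `ss -ltnH` sample output are constructed; ports 27017 and 5672 are the ones from the question.

```shell
#!/bin/sh
# Audit helper: verify bind addresses of mongod/rabbitmq and the reach of a
# ufw source CIDR. Example code, not from the thread; addresses are made up.

# Constructed sample of `ss -ltnH` output (not captured from a real host):
# mongod on the wildcard address, AMQP on the private IP, the RabbitMQ
# management UI on loopback, sshd on all addresses.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:27017 0.0.0.0:*
LISTEN 0 128 192.168.1.200:5672 0.0.0.0:*
LISTEN 0 128 127.0.0.1:15672 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# check_binds PRIVATE_IP PORT... : reads `ss -ltnH` output on stdin and prints
# one line per watched port bound to anything other than PRIVATE_IP or loopback.
# Exit status 1 when such a listener exists, 0 when every watched port is fine.
check_binds() {
  private_ip=$1; shift
  awk -v priv="$private_ip" -v ports="$*" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
      # $4 is "Local Address:Port"; split on the last colon so [::]:22 works too
      port = $4; sub(/.*:/, "", port)
      host = $4; sub(/:[^:]*$/, "", host)
      if (!(port in want)) next
      if (host == priv || host == "127.0.0.1" || host == "[::1]") next
      printf "port %s listens on %s, expected %s\n", port, host, priv
      bad = 1
    }
    END { exit (bad ? 1 : 0) }'
}

# cidr_hosts CIDR : number of IPv4 source addresses a "ufw allow from CIDR"
# rule admits. A bare address counts as /32, i.e. exactly one host.
cidr_hosts() {
  prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32
  echo $(( 1 << (32 - prefix) ))
}

# Stand-alone run against the constructed sample. On a real host replace the
# printf with: ss -ltnH | check_binds 192.168.1.200 27017 5672
printf '%s\n' "$SAMPLE_SS" | check_binds 192.168.1.200 27017 5672 \
  || echo "fix the bind address (e.g. net.bindIp in mongod.conf)"
echo "a /17 source admits $(cidr_hosts 1.1.1.1/17) addresses; a /32 admits $(cidr_hosts 1.1.1.1/32)"
```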

Hi!

Thank you very much for the detailed response :)

> As far as I know, its private among the servers, so all you have to do, is force your services/daemons/processes to listen to the private IP address only (instead of 0.0.0.0 use your private IP).

> Anyway, the first step is to make everything listen to the private IP, with the exception of SSH (if you want remote access directly).

VERY INTERESTING... I have experience configuring and securing webservers, but the whole private networking thing is new to me and I am not that clear on all the terms :(. It would be helpful if you could point me to any documentation or a basic example?

Thank you!

Well, I don't have any documentation to refer you to.

But you shouldn't have a problem making it work, because it's just a bunch of IP addresses and nothing else.

for example:

boxA, eth0 has assigned: 1.1.1.1 (public) & 192.168.1.100 (private)

boxB, eth0 has assigned: 2.2.2.2 (public) & 192.168.1.200 (private)

from boxA you may ping boxB via:

ping 2.2.2.2

ping 192.168.1.200

In the first case, the routing table will pick eth0/1.1.1.1 for the packets, and for the second case the routing table will pick eth0/192.168.1.100. So the choice is rather "automatic", based on the destination IP mask. So, if you just use the private IP addresses between the two servers, you are set. Everything will flow between them via the private link and none of that should be accessible from the outside.

If you are using CentOS 7, you may tell firewalld (via the firewall-cmd command) to match the private IP address to the "internal" zone and the public IP to the "block" or "drop" zones (depending on how aggressive you want to be). Thus internal connections won't be blocked by the default zone. Sorry, I don't know about Ubuntu since I only use CentOS 7 for my servers.

Thank you very much for your time and quick response! It makes sense now; I will give it a try the same way with Ubuntu.

Thanks again!!
