Hardening Security
- To implement two-node HA, deploy two devices under the same gateway and ensure that they can communicate with each other. Plan the network properly, and protect and harden the gateway.
- The HA function can be implemented only when the system network is configured and accessible. Therefore, cap_net_admin and cap_net_raw need to be added to the Keepalived binary file. Run HA as the MindXEdge user (user ID 1024) with low permissions instead of as the root user, and do not grant other, less secure capability sets.
- The HA service requires VIP modification and split-brain checks, for which ordinary users must be able to run the ping and arping commands. These commands therefore need privilege capabilities, which carries a low security risk. If the HA service is not needed on the edge device, remove the privilege capabilities configured for the related files (such as keepalived, ping, and arping) to reduce that risk.
- The HA service cannot send VRRP packets in unicast mode. When configuring a two-node cluster, you need to configure the heartbeat IP address of the peer device. After the configuration, you are advised to use iptables to set an IP address trustlist to reduce security risks. Perform the following operations to configure the iptables IP address trustlist:
- Log in to the edge device as the root user. In the following commands, {src_ip} is the IP address of the local heartbeat NIC, and {peer_ip} is the IP address of the peer heartbeat NIC.
iptables -A INPUT -p vrrp ! -s {peer_ip} -j DROP
iptables -A INPUT ! -d {src_ip} -p vrrp -j DROP
iptables -A OUTPUT ! -s {src_ip} -p vrrp -j DROP
iptables -A OUTPUT -p vrrp ! -d {peer_ip} -j DROP
- (Optional) If the HA function is no longer used, perform the following operations to remove the configured iptables rules:
- Run the following command to query the configured rules:
iptables -L --line-number | grep vrrp
The following is an example of the query result:
{input_num} DROP vrrp -- !192.168.XX.XX anywhere
{output_num} DROP vrrp -- anywhere !192.168.XX.XX
- Run the following commands in sequence to delete the rules:
iptables -D INPUT {input_num}
iptables -D OUTPUT {output_num}
{input_num} and {output_num} are the serial numbers of the rules obtained by the preceding query command. Each time a rule is deleted from an iptables table, the serial numbers of the other rules in the same table change. Therefore, run the query command again before each deletion to obtain the current serial numbers.
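Added example, not code from the original page or the MindXEdge product: a small POSIX shell helper that generates the four trustlist rules described above and, for the removal step, derives the `iptables -D` commands from a captured `iptables -L --line-number` listing, deleting the highest-numbered rule in each chain first so the renumbering caveat cannot bite. The addresses (192.0.2.10 local, 192.0.2.11 peer) and the listing are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the page. Assumed addresses: 192.0.2.10 is the local
# heartbeat NIC, 192.0.2.11 is the peer heartbeat NIC (constructed values).

# Print the four VRRP trustlist rules for a src/peer pair.
# Apply as root with: vrrp_trustlist_rules "$SRC" "$PEER" | sh
vrrp_trustlist_rules() {
    src="$1"; peer="$2"
    printf '%s\n' \
      "iptables -A INPUT -p vrrp ! -s $peer -j DROP" \
      "iptables -A INPUT ! -d $src -p vrrp -j DROP" \
      "iptables -A OUTPUT ! -s $src -p vrrp -j DROP" \
      "iptables -A OUTPUT -p vrrp ! -d $peer -j DROP"
}

# Constructed listing in the format of `iptables -L --line-number`.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    DROP       vrrp --  !192.0.2.11          anywhere
3    DROP       vrrp --  anywhere             !192.0.2.10

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       vrrp --  !192.0.2.10          anywhere
2    DROP       vrrp --  anywhere             !192.0.2.11'

# Read a listing on stdin and emit one "iptables -D <chain> <num>" per vrrp
# rule, highest number first within each chain. Deleting from the bottom up
# means earlier deletions never shift the numbers of rules still to delete.
# Live use as root: iptables -L --line-number | vrrp_delete_commands | sh
vrrp_delete_commands() {
    awk '/^Chain /{chain=$2; next}
         $3=="vrrp"{print chain, $1}' |
    sort -k1,1 -k2,2nr |
    while read -r chain num; do
        echo "iptables -D $chain $num"
    done
}
```

Running `printf '%s\n' "$SAMPLE_LISTING" | vrrp_delete_commands` yields the INPUT rules 3 then 2, followed by OUTPUT rules 2 then 1, so the serial numbers queried once remain valid for the whole sequence.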