A newer version of this documentation is available.

View Latest

Network and ACLs

    +
    Attaining a fully secure Couchbase Server network-environment requires the proper configuration of IP tables and ports; the use of IPSec; the establishment of firewalls; the limiting of access to critical files; and the secure maintenance of passwords.

    Establishing Firewalls and Protecting Files

    The following measures are strongly recommended:

    • Set up a firewall to block epmd port 4369 from access from outside the cluster-network.

    • Set up a firewall to block erlang ports from access from outside the cluster-network. These ports are configurable: in the default installation, their range is: 21100 to 21299.

    • Restrict access to the following directories:

      • On Linux: /opt/couchbase

      • On Mac OS X: /Users/<user>/Library/Application Support/Couchbase/var/lib/couchbase, and /Applications/Couchbase Server.app/Contents/Resources/couchbase-core

      • On Windows (assuming the default installation-location has been used): C:\Program Files\Couchbase Server\

    • Ensure the confidentiality of passwords defined by the Full Administrator at cluster-initiallization; of all others used for the Admin and Cluster Admin roles; and of the master password. See Secret-Management for details on how to define and use the master password.

    Securing the Network

    To secure the network on which your Couchbase Server-cluster resides:

    • Allow administrative access to Couchbase Server only through specific machines, such as jump servers. To perform auditing on access-attempts made from these machines, turn on the OS-level auditing facility on each.

    • Use IPSec on your local network. For guidance, consult the following online information-resources:

    Controlling Access to Files

    To restrict user-access to files and directories, traditional file-permissions can be used. Additionally, RedHat Linux provides the following options:

    Configuring IP Tables

    SSH-access to Couchbase Server and access to the Couchbase Server administrative ports (8091 and 8092) can be restricted to specified machines. Such restrictions can be established either at the network or at the system level, using IP tables rules. Specifically, you can either:

    • Execute the iptables command.

    • Edit the file /etc/sysconfig/iptables:

      ##allow everyone to access port 80 and 443##
            -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
            -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

    For more information, see IP tables rules. Additionally, a sample of IP tables rules can be found in this blog.

    Important Couchbase Server-Ports

    The following table lists a subset of Couchbase Server ports, access to which may need to be controlled. For a complete list of Couchbase Server ports, see Network and Firewall Requirements.

    Table 1. Important Couchbase Ports
    Port Description Node to node Node to client

    8091

    Web administration port

    Yes

    Yes

    8092

    Couchbase API port

    Yes

    Yes

    8093

    Used by query services for REST/HTTP traffic.

    Yes

    Yes

    11207

    Internal/external bucket port for SSL

    No

    Yes

    11209

    Internal bucket port

    Yes

    No

    11210

    Internal/external bucket port

    Yes

    Yes

    11211

    Client interface (proxy)

    No

    Yes

    11214

    Incoming SSL proxy

    No

    No

    11215

    Internal outgoing SSL proxy

    No

    No

    18091

    Internal REST HTTPS for SSL

    No

    Yes

    18092

    Internal CAPI HTTPS for SSL

    No

    Yes

    4369

    Erlang port mapper (epmd)

    Yes

    No

    21100 to 21199 (inclusive)

    Node data exchange

    Yes

    No

    A sample script for configuring the IP-tables firewall-settings is located in the following blog posting: IPTables Firewall Settings for Couchbase DB and Couchbase Mobile Sync_gateway

    Securing On-Disk Data

    Critical data-locations should be protected by means of transparent data encryption technologies; provided by 3rd party on-disk encryption software-vendors, such as Vormetric. For details, see Encryption at Rest. Also see the webinar provided at Understanding Database Encryption with Couchbase and Vormetric.