Manage Connections and Disks
Couchbase-Server security can be enhanced by proper management of connections and disks.
Network Security Recommendations
Attaining a fully secure Couchbase Server network-environment requires appropriate measures in the following areas.
Establishing Firewalls and Protecting Files
The following measures are strongly recommended:
- Set up a firewall to block epmd port 4369 from access from outside the cluster-network.
- Set up a firewall to block erlang ports from access from outside the cluster-network. These ports are configurable: in the default installation, their range is 21100 to 21299.
- Restrict access to the following directories:
  - On Linux: /opt/couchbase
  - On Mac OS X: /Users/<user>/Library/Application Support/Couchbase/var/lib/couchbase, and /Applications/Couchbase Server.app/Contents/Resources/couchbase-core
  - On Windows (assuming the default installation-location has been used): C:\Program Files\Couchbase Server\
- Ensure the confidentiality of passwords defined by the Full Administrator at cluster-initialization; of all others used for the Admin and Cluster Admin roles; and of the master password. See Manage System Secrets for details on how to define and use the master password.
Securing the Network
To secure the network on which your Couchbase Server-cluster resides:
- Allow administrative access to Couchbase Server only through specific machines, such as jump servers. To perform auditing on access-attempts made from these machines, turn on the OS-level auditing facility on each.
- Use IPSec on your local network. For guidance, consult the following online information-resources:
Controlling Access to Files
To restrict user-access to files and directories, traditional file-permissions can be used. Additionally, Red Hat Enterprise Linux (RHEL) provides the following options:
Configuring IP Tables
SSH-access to Couchbase Server and access to the Couchbase Server administrative ports (8091 and 8092) can be restricted to specified machines. Such restrictions can be established either at the network or at the system level, using IP tables rules. Specifically, you can either:
- Execute the iptables command.
- Edit the file /etc/sysconfig/iptables:

    ##allow everyone to access port 80 and 443##
    -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
    -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
For more information, see IP tables rules. Additionally, a sample of IP tables rules can be found in this blog.
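The restrictions described above, written out as rules for the ports this page names (an added example, not taken from Couchbase or the referenced blog). The function name cb_rules, the jump-server addresses and the cluster subnet are assumptions, as is allowing 8091 and 8092 between nodes; ports needed by client applications are not covered and should be taken from the Couchbase Server Ports list.

```shell
#!/bin/sh
# Added example: print rules in the /etc/sysconfig/iptables style that limit
# SSH, the administrative ports, epmd and the Erlang range to named sources.
# Nothing is applied; the output is meant for review before it is installed.

# cb_rules ADMIN_HOSTS CLUSTER_CIDR
#   ADMIN_HOSTS   space-separated jump-server addresses (hypothetical values)
#   CLUSTER_CIDR  subnet that holds the cluster nodes (hypothetical value)
cb_rules() {
    admin_hosts=$1
    cluster_cidr=$2

    # An empty source would yield a broken rule or one open to every address.
    if [ -z "$admin_hosts" ] || [ -z "$cluster_cidr" ]; then
        echo "cb_rules: admin hosts and cluster CIDR are both required" >&2
        return 1
    fi

    # The ACCEPT rules below match NEW packets only, so packets of already
    # accepted connections must pass before the DROP rules are reached.
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # SSH and the administrative ports (8091, 8092): jump servers only.
    for host in $admin_hosts; do
        echo "-A INPUT -s $host -p tcp -m state --state NEW -m multiport --dports 22,8091,8092 -j ACCEPT"
    done

    # Cluster nodes: epmd (4369) and the default Erlang range (21100-21299).
    # Assumption: nodes also reach each other on 8091 and 8092.
    echo "-A INPUT -s $cluster_cidr -p tcp -m state --state NEW -m multiport --dports 4369,8091,8092 -j ACCEPT"
    echo "-A INPUT -s $cluster_cidr -p tcp -m state --state NEW --dport 21100:21299 -j ACCEPT"

    # Any other source aimed at these ports is dropped.
    echo "-A INPUT -p tcp -m multiport --dports 22,4369,8091,8092 -j DROP"
    echo "-A INPUT -p tcp --dport 21100:21299 -j DROP"
}

# Constructed sample values from documentation address ranges.
cb_rules "192.0.2.10 192.0.2.11" "10.0.0.0/24"
```

If the Erlang port range has been reconfigured, replace 21100:21299 with the configured range before using the output.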
Controlling Ports
Access to Couchbase Server ports may need to be controlled. For a complete list of ports, see Couchbase Server Ports.
A sample script for configuring the IP-tables firewall-settings is located in the following blog posting: IPTables Firewall Settings for Couchbase DB and Couchbase Mobile Sync_gateway
Securing On-Disk Data: Encryption at Rest
Data that resides on physical media, and is intended to be used by Couchbase Server, should be protected.
Protecting Physical Media
Couchbase Server uses physical media to store files and indexes. If media are stolen, data becomes vulnerable to illicit access.
Therefore, to secure such data, encrypt all important data and index storage-locations using transparent data encryption, provided by 3rd party on-disk encryption software-vendors. This denies data-access to anyone who either does not possess an appropriate encryption-key, or is otherwise non-compliant with the configured security policy. Such encryption ensures that stored data cannot be compromised, even if the database is stolen, copied, lost, or otherwise improperly accessed.
Commonly used 3rd party encryption tools include:
- Thales CipherTrust (formerly known as Vormetric/Gemalto): see Product Details and Documentation.
Encryption Targets
The tools listed above all allow either full disk or file-level encryption to be used. If file-level is chosen, the following Couchbase directories and files should be encrypted:
- Data and index file paths
  - Linux: /opt/couchbase/var/lib/couchbase/data
  - Windows: C:\Program Files\couchbase\server\var\lib\couchbase\data
- Global Secondary Index file paths
  - Linux: /opt/couchbase/var/lib/couchbase/data/@2i
  - Windows: C:\Program Files\couchbase\server\var\lib\couchbase\data\@2i
- Couchbase configuration files and directory
  - Linux: /opt/couchbase/var/lib/couchbase/data
  - Windows: C:\Program Files\couchbase\server\var\lib\couchbase\data
- Couchbase password files
  - Linux: /opt/couchbase/var/lib/couchbase/isasl.pw and /opt/couchbase/var/lib/couchbase/config/.
  - Windows: C:\Program Files\couchbase\server\var\lib\couchbase\isasl.pw and C:\Program Files\couchbase\server\var\lib\couchbase\var\lib\config\.
For more information, see the webinar provided at Understanding Database Encryption with Couchbase and Vormetric.
LUKS Encryption Procedure
The following command sequence can be used on Linux systems to deploy a LUKS-encrypted partition, and mount it as a data directory. The sequence makes use of:
- /dev/sdb1, which is the partition to be encrypted.
- luks_keyfile.key, which is a file containing the key to be used to unlock and to access the encrypted partition.
- cbefs (Couchbase Encrypted Filesystem), which is the name of the new filesystem on the encrypted partition.
Proceed as follows. (Note that sudo may be required for some commands.)
- Ensure that cryptsetup is installed:
    apt-get install cryptsetup
- Format the partition:
    cryptsetup luksFormat -d luks_keyfile.key --batch-mode /dev/sdb1
- Unlock the partition, and make it accessible as a device named cbefs:
    cryptsetup luksOpen -d luks_keyfile.key /dev/sdb1 cbefs
- Create a new filesystem:
    mkfs.xfs /dev/mapper/cbefs
- Mount /data on the created filesystem:
    mount /dev/mapper/cbefs /data
- Give user couchbase permission to access /data:
    chown couchbase:couchbase /data
- Add entries to fstab:
    sed -i '/data/c\/dev/mapper/cbefs /data xfs defaults 0 2' /etc/fstab
- Add entries to crypttab (appending, so that any existing entries are kept):
    echo "cbefs /dev/sdb1 /root/luks_keyfile.key luks" >> /etc/crypttab
This concludes the sequence.
Note that this procedure can also be performed by means of the script create_luks_fs.sh.
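A preflight check for the two pieces the procedure depends on at boot: the key file and the crypttab entry that points to it. This is an added example, not part of create_luks_fs.sh; the function names check_keyfile and check_crypttab are hypothetical, and the rule that the key file must grant nothing to group or others is an assumption made here.

```shell
#!/bin/sh
# Added example: verify the LUKS key file and its crypttab entry.
# Usage (paths as in the procedure above):
#   check_keyfile /root/luks_keyfile.key &&
#   check_crypttab /etc/crypttab cbefs /root/luks_keyfile.key

# check_keyfile PATH
# Succeeds only if PATH is a regular file with no permission bits set for
# group or others; a key that other accounts can read unlocks the partition
# for them as well.
check_keyfile() {
    keyfile=$1
    if [ ! -f "$keyfile" ]; then
        echo "check_keyfile: $keyfile is missing or not a regular file" >&2
        return 1
    fi
    # Characters 5 to 10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$keyfile" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "check_keyfile: $keyfile is accessible to group or others" >&2
        return 1
    fi
    return 0
}

# check_crypttab FILE NAME KEYFILE
# Succeeds only if FILE has an entry whose mapping name is NAME, whose key
# field is KEYFILE and whose options include luks. A mismatch here leaves
# /dev/mapper/NAME absent at boot, so the fstab mount of /data fails.
check_crypttab() {
    awk -v name="$2" -v key="$3" '
        $1 == name && $3 == key && $4 ~ /(^|,)luks(,|$)/ { ok = 1 }
        END { exit !ok }
    ' "$1"
}
```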