Monday, February 2, 2015

Isilon | Secure your Isilon cluster

Security
There is not much to say by way of introduction: when it comes to security, you want action, not a speech.

By default, /ifs (the root folder of the OneFS file system) is exported via an NFS export and an SMB share.

The NFS export should be modified to prevent unwanted access to the root of the file system by limiting the export's clients and root clients to one or two servers only.


1. First, list the current export settings and find the ID of /ifs (it is usually no. 1 in the list):

# isi nfs exports list

ID   Paths                            Description
----------------------------------------------------------------------------------
1    /ifs
2    /ifs/<>                          random export 
3    /ifs/IIQ_store                   InsightIQ datastore
----------------------------------------------------------------------------------
Total: 3


2. Clear any clients that have access to the /ifs export:

# isi nfs exports modify --id=1 --clear-clients --clear-root-clients

where id is the ID of the /ifs export entry found in step 1.

3. Confirm there are no clients with access to the /ifs export:

# isi nfs exports view 1
                     ID: 1
                  Paths: /ifs
            Description: Default export
                Clients: -
           Root Clients: -
      Read Only Clients: -
     Read Write Clients: -
     Unresolved Clients: -
               All Dirs: No
             Block Size: 8.0K

4. Add the server you want to have access to /ifs:

# isi nfs exports modify --id=1 --clients=<Server IP> --root-clients=<Server IP> --description="Secured server access"

5. View the new access rights: 

Example:
#isi nfs exports view 1
                     ID: 1
                  Paths: /ifs
            Description: Secured server access
                Clients: <IP address>
           Root Clients: <IP address>
      Read Only Clients: -
     Read Write Clients: -
     Unresolved Clients: -
               All Dirs: Yes
             Block Size: 8.0K
           Can Set Time: Yes
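
To re-check the result of step 5 on a schedule, the output of `isi nfs exports view` can be compared against an allowlist of approved servers. The script below is an added example, not part of the original post; the function name `audit_export`, the comma-separated client format and the 192.0.2.x sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: audit the text printed by `isi nfs exports view <id>`.
# audit_export reads that output on stdin; its arguments are the approved
# client addresses (hypothetical allowlist). It prints one finding per line
# and returns 1 if there is any finding, 0 if the export matches the policy.
audit_export() {
    allow=" $* "
    findings=$(awk -v allow="$allow" '
        # Split each "Key: value" line on the first colon and trim both sides.
        {
            i = index($0, ":"); if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            field[key] = val
        }
        # required=1: an empty list is a finding, because the end state in
        # step 5 expects the approved server(s) to be listed there.
        function check(name, required,    n, parts, j, c) {
            if (!(name in field) || field[name] == "-") {
                if (required) print name ": empty, expected approved server(s)"
                return
            }
            n = split(field[name], parts, /[ ,]+/)
            for (j = 1; j <= n; j++) {
                c = parts[j]
                if (c != "" && index(allow, " " c " ") == 0)
                    print name ": " c " is not on the allowlist"
            }
        }
        END {
            check("Clients", 1); check("Root Clients", 1)
            check("Read Only Clients", 0); check("Read Write Clients", 0)
        }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample in the layout shown above (documentation addresses).
SAMPLE_OUTPUT='                     ID: 1
                  Paths: /ifs
                Clients: 192.0.2.10
           Root Clients: 192.0.2.10, 192.0.2.99
      Read Only Clients: -'
printf '%s\n' "$SAMPLE_OUTPUT" | audit_export 192.0.2.10 || echo "export 1 needs attention"
```

On a cluster, feed it live output instead of the sample: `isi nfs exports view 1 | audit_export <Server IP>`.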

The SMB share permissions should also be tightened so that only authorized administrators can access the share.


1. To secure the SMB share pointing to /ifs, run the following commands:

List all shares:

#isi smb shares list
Share Name     Path
-----------------------------------------------
ifs           /ifs

2. Rename the ifs share, adding a $ to make it a hidden share:

# isi smb shares modify --share=ifs --name=ifs$

3. Modify the permissions on the ifs$ share so that it is restricted and only authorized users can access it.

Format:

#isi smb shares permission create --share=ifs$ <user> --permission=change --permission-type=allow 

Example:

#isi smb shares permission create --share=ifs$ Administrator --permission=full --permission-type=allow 

4. Remove the default permissions:

# isi smb shares permission delete --share=ifs$ --wellknown=Everyone

5. Once completed, check the status:

# isi smb shares permission list --share=ifs$


Happy Learning!
