Security outside Couchbase Server

Security outside Couchbase Server involves configuration of IP tables and ports.

To secure the host machine where Couchbase Server is installed, best practice is to encrypt the following data locations using a transparent data encryption technology such as Vormetric:

  • Data and index file path (the default data path on Linux): /opt/couchbase/var/lib/couchbase/data
  • Tools path: /opt/couchbase/bin/
  • Password files: /opt/couchbase/var/lib/couchbase/ and /opt/couchbase/var/lib/config/
  • Log files, which are listed in Logs and logging

For additional security:

  • Allow administrative access to Couchbase Server only from specific machines, and turn on OS auditing on those machines.
  • Use IPSec on your local network.

How to configure IP tables and ports

To configure iptables on Linux, edit the rules file at /etc/sysconfig/iptables, for example:

   ## allow everyone to access ports 80 and 443 ##
   -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
   -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

Also keep in mind that some Couchbase ports are used for node-to-node communication and others for node-to-client communication, so firewall rules should distinguish between the two groups of hosts.

Table 1. Important Couchbase ports

  Port                        Description                              Node to node   Node to client
  8091                        Web administration port                  Yes            Yes
  8092                        Couchbase API port                       Yes            Yes
  11207                       Internal/external bucket port for SSL    No             Yes
  11209                       Internal bucket port                     Yes            No
  11210                       Internal/external bucket port            Yes            Yes
  11211                       Client interface (proxy)                 No             Yes
  11214                       Incoming SSL proxy                       No             No
  11215                       Internal outgoing SSL proxy              No             No
  18091                       Internal REST HTTPS for SSL              No             Yes
  18092                       Internal CAPI HTTPS for SSL              No             Yes
  4369                        Erlang port mapper (epmd)                Yes            No
  21100 to 21199 (inclusive)  Node data exchange                       Yes            No
Note: A sample script for configuring the IP tables firewall settings is also provided in the following blog posting: IPTables Firewall Settings for Couchbase DB and Couchbase Mobile Sync_gateway
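The following shell script is an added example (not from this page or from Couchbase) that turns Table 1 into an iptables-save style rule set for /etc/sysconfig/iptables: node-to-node ports are opened only to the cluster subnet, node-to-client ports only to the application subnet, and the administrative ports 8091/18091 only to the admin hosts named in the recommendation above. The subnets and the split of 8091/18091 into an admin-only group are assumptions; deployments whose SDK clients bootstrap over 8091 would add the client subnet to the admin group.

```shell
#!/bin/sh
# Generate Couchbase firewall rules from Table 1 (iptables-save format).
# Arguments (constructed example values, adjust for your network):
#   $1  CIDR of the Couchbase cluster nodes      -> node-to-node ports
#   $2  CIDR of the application/client hosts     -> node-to-client ports
#   $3  CIDR/host of the admin workstations      -> 8091 and 18091
# Ports 11214/11215 are "No/No" in Table 1 and are deliberately not opened.
NODE_PORTS="4369 8091 8092 11209 11210 21100:21199"   # node-to-node = Yes
CLIENT_PORTS="8092 11207 11210 11211 18092"           # node-to-client = Yes, non-admin
ADMIN_PORTS="8091 18091"                              # admin UI / REST over HTTPS

# Emit one ACCEPT rule: $1 = source CIDR, $2 = port or iptables range "a:b"
allow_rule() {
    printf '%s\n' "-A INPUT -m state --state NEW -p tcp -s $1 --dport $2 -j ACCEPT"
}

gen_couchbase_rules() {
    cluster="$1"; clients="$2"; admin="$3"
    printf '%s\n' "*filter"
    # replies to outbound connections, and local tools talking over loopback
    printf '%s\n' "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "-A INPUT -i lo -j ACCEPT"
    for p in $NODE_PORTS;   do allow_rule "$cluster" "$p"; done
    for p in $CLIENT_PORTS; do allow_rule "$clients" "$p"; done
    for p in $ADMIN_PORTS;  do allow_rule "$admin"   "$p"; done
    # default deny: anything not listed in Table 1 never reaches the node
    printf '%s\n' "-A INPUT -j DROP"
    printf '%s\n' "COMMIT"
}

# Helper for checking the result: number of rules opening a given port
count_port_rules() {
    gen_couchbase_rules "$1" "$2" "$3" | grep -c -- "--dport $4 "
}

# Example invocation with constructed subnets; review before loading.
gen_couchbase_rules 10.0.0.0/24 10.0.1.0/24 10.0.2.5/32
```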