Network and ACLs

Security outside Couchbase Server involves the configuration of IP tables and ports.

Security best practices include encrypting certain data locations using transparent data encryption technologies. These technologies are offered by third-party on-disk encryption software vendors, such as Vormetric. For more details, see the webinar Understanding Database Encryption with Couchbase and Vormetric. The data locations to encrypt include:

  • Data and index file path, /opt/couchbase/var/lib/couchbase/data (the default data path on Linux).
  • Tools path at /opt/couchbase/bin/.
  • Password files at /opt/couchbase/var/lib/couchbase/isasl.pw and /opt/couchbase/var/lib/config/.

For additional security:

  • Allow administrative access to Couchbase Server only through specific machines, e.g., jump servers. To audit access, turn on OS level auditing on these machines.
  • Use IPSec on your local network.

    Here are some good online sources about IPSec and its configuration:

Access Control

Some of the methods to specify access control information at file/directory level are:

You can also use the traditional file permissions to restrict user access to files or directories.

The other method is to allow administrative access to Couchbase Server only through specific machines by:

  • Restricting access to the Couchbase administrative ports 8091/8092 on the Couchbase Server.
  • Restricting SSH access to the machine.

Access restriction to the machines must be performed at the network level or the system level using iptables rules.

Configuring IP Tables and Ports

To configure iptables on Linux, choose one of these two options:

  • Use the iptables command.
  • Edit the file /etc/sysconfig/iptables, for example:

        ## allow everyone to access port 80 and 443 ##
        -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
        -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

A sample of the iptables rules is available in this blog.

Keep in mind that some Couchbase ports are used for node-to-node communication and some for node-to-client communication. For a complete list of Couchbase ports, see Network Configuration.

Table 1. Important Couchbase Ports

    Port                          Description                                     Node to node   Node to client
    ----------------------------  ----------------------------------------------  -------------  --------------
    8091                          Web administration port                         Yes            Yes
    8092                          Couchbase API port                              Yes            Yes
    8093                          Used by query services for REST/HTTP traffic    Yes            Yes
    11207                         Internal/external bucket port for SSL           No             Yes
    11209                         Internal bucket port                            Yes            No
    11210                         Internal/external bucket port                   Yes            Yes
    11211                         Client interface (proxy)                        No             Yes
    11214                         Incoming SSL proxy                              No             No
    11215                         Internal outgoing SSL proxy                     No             No
    18091                         Internal REST HTTPS for SSL                     No             Yes
    18092                         Internal CAPI HTTPS for SSL                     No             Yes
    4369                          Erlang port mapper (epmd)                       Yes            No
    21100 to 21199 (inclusive)    Node data exchange                              Yes            No

Note: You can find a sample script for configuring the iptables firewall settings in the following blog posting: IPTables Firewall Settings for Couchbase DB and Couchbase Mobile Sync_gateway
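The following script is an added example, not part of the Couchbase documentation or the blog posting it links to. It turns Table 1 into an iptables-restore ruleset that opens each port only to the host class that needs it (cluster members, the administrative jump host, or application clients); the three CIDR ranges are hypothetical arguments, and the default INPUT DROP policy is what keeps epmd and the Erlang range closed to everyone outside the cluster.

```shell
#!/bin/sh
# Added example: generate an iptables ruleset (iptables-restore format) for a
# Couchbase node from Table 1. CLUSTER_CIDR, ADMIN_CIDR and CLIENT_CIDR are
# hypothetical; port lists come from the table. Table 1 gives the Erlang range
# as 21100-21199; check your installation's configured range before applying.

# One ACCEPT rule for new TCP connections from a source range to a port/range.
rule() { printf '%s\n' "-A INPUT -s $1 -p tcp -m state --state NEW --dport $2 -j ACCEPT"; }

# Usage: couchbase_fw_rules CLUSTER_CIDR ADMIN_CIDR CLIENT_CIDR
couchbase_fw_rules() {
    cluster="$1"; admin="$2"; clients="$3"
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
                  '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Ports the table marks node-to-node: cluster members only. epmd (4369),
    # the Erlang range and 11209 appear nowhere else, so only the cluster sees them.
    for p in 4369 21100:21199 8091 8092 8093 11209 11210; do rule "$cluster" "$p"; done
    # Administrative ports (plain and TLS) only from the jump host(s).
    for p in 8091 8092 18091 18092; do rule "$admin" "$p"; done
    # Application clients: data, proxy and query ports plus their TLS variants.
    for p in 11207 11210 11211 8093 18091 18092; do rule "$clients" "$p"; done
    printf '%s\n' 'COMMIT'
}

# Validate the ruleset with a dry run, then load it (run as root on the node).
couchbase_fw_apply() {
    couchbase_fw_rules "$@" | iptables-restore --test && \
    couchbase_fw_rules "$@" | iptables-restore
}

# Print the ruleset for constructed ranges when run as "sh script.sh --print".
if [ "${1:-}" = "--print" ]; then couchbase_fw_rules 10.0.0.0/24 10.0.1.5/32 10.0.2.0/24; fi
```

Table 1 also lists 8091 and 8092 as node-to-client ports; if your SDK clients bootstrap over the REST port, add the client range to the administrative loop as well.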

To keep Couchbase Server secure, perform the following:

  1. Set up a firewall to block the epmd port 4369 from access outside the cluster network.
  2. Set up a firewall to block the Erlang ports from access outside the cluster network. These ports are configurable; in the default installation, the range is 21100-21299.
  3. Restrict read and write access to the following directories:

    On Linux:

    /opt/couchbase

    On Mac OS X:

    /Users/<user>/Library/Application Support/Couchbase/var/lib/couchbase
    /Applications/Couchbase Server.app/Contents/Resources/couchbase-core

    On Windows (assuming the default install location):

    C:\Program Files\Couchbase Server\

    Make sure to secure the root and user passwords under which Couchbase is installed.

  4. Make sure to secure the Administrator password as well; see Secret Management and Hardening for details.