[Beowulf] security for small, personal clusters

Perry E. Metzger perry at piermont.com
Fri Jun 20 19:01:05 PDT 2008


"Mark Kosmowski" <mark.kosmowski at gmail.com> writes:
> What kind of security is recommended for the owner of a small personal
> cluster?  Where should the owner of a small, personal cluster go to
> learn about security?  Doing searches tends to give a few "head in the
> sand" sites but predominantly seem to be oriented for the security
> professional.

Sadly, as a security professional I don't have very good book
recommendations to give because I'm not the sort of person the books
you want are aimed at. However, let me suggest that "simpler is
better". Don't bother with anything exotic. Set your cluster up on the
other side of your head node, allow access to the head node only over
SSH with public key auth, and run very few services on the outside
interface on the head node (preferably SSH and almost nothing else)
and there will be very few ways to attack the thing.

> I maintain a small 3 node personal cluster used for my part-time PhD
> studies in chemistry.  So far I've just kind of been hoping that I'm
> too small to bother with and that the firewalls (Linux and switch)
> between my boxes and the cable internet do something.

There is no such thing as "too small to bother with" because the
attacks these days are all automated and essentially target people at
random. However, if you are behind a NAT box attached to a cable
modem, and you haven't configured any incoming ports, and you keep
your firmware in the NAT box reasonably up to date and keep the
machines reasonably well patched, I wouldn't worry too much.

> I do use ssh for cluster communications, and have disabled the
> renowned unstable services such as ftp.

FTP isn't "unstable", it is just not secure. :)

> RGB mentioned running services on non-standard ports.  This seems like
> a good idea to further reduce the probability of successful attack.

Eh, if you're not allowing login except with public key auth
(i.e. everything else is turned off in the sshd_config), I wouldn't
bother.

Here is one favorite trick of mine: run "netstat -A inet -a" on your
boxes. Turn off every service you find listening on the network that
you don't actually need -- mDNS, cups, etc, etc. If you get the
machine down to essentials, you've taken care of half the problem.

-- 
Perry E. Metzger		perry at piermont.com
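
An added example, not part of the original message: one way to turn the "netstat -A inet -a" check above into a repeatable audit that lists every listener reachable from the network and not on an allowlist. The function name `audit_listeners`, the `proto/port` allowlist format and the `SAMPLE` capture are assumptions made for illustration; `-n` is added to the netstat call so ports print as numbers.

```shell
#!/bin/sh
# Usage on a real node:  netstat -A inet -a -n | audit_listeners "tcp/22"

# audit_listeners ALLOWLIST
#   Reads numeric netstat output on stdin and prints each listening socket
#   that is bound to a non-loopback address and is not in ALLOWLIST
#   (space-separated proto/port pairs such as "tcp/22").
audit_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 !~ /^(tcp|udp)/            { next }  # header lines
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }  # tcp: keep listening sockets only
        $1 ~ /^udp/ && $5 !~ /:\*$/   { next }  # udp: keep unconnected sockets only
        {
            port = $4; sub(/.*:/, "", port)       # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)   # text before the last colon
            if (host ~ /^127\./) next             # loopback-only: not exposed
            key = $1 "/" port
            if (!(key in ok)) print key, "on", host
        }'
}

# Constructed sample output (not captured from a real machine).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED
udp        0      0 0.0.0.0:5353            0.0.0.0:*
udp        0      0 0.0.0.0:631             0.0.0.0:*'

# Demo: on a head node where only SSH is meant to be exposed.
printf '%s\n' "$SAMPLE" | audit_listeners "tcp/22"
```

Anything the function prints is a service to turn off, bind to loopback, or add to the allowlist deliberately.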


