To prevent brute force attacks on the DDVE, it must not be configured with a public IP address.
Secure access
The following table illustrates the different authentication methods that are supported by DDVE.
Table 1. Access Types and Authentication
Access Type
Authentication Methods
GUI
username/password X509 certificates
SSH
username/password
SSH key pair
REST API
username/password X509 certificates
For better security, we recommend you disable the username/password based user authentication. If the username/password based authentication is desired, we recommend that you configure a stronger password.
NOTE Password based login should not be disabled if you want to configure Avamar Virtual Edition, NetWorker, or other backup software to connect to DDVE in AWS, because password authentication is used for communication between them.
Because AWS is a public cloud, pay attention to the security in your deployment. We suggest these best practices:
Use public key based authentication for SSH access
Use certificate based authentication for DDSM access
Do not configure public IP for DDVE in AWS, if possible
Use external KMIP server to store encryption keys
Enable encryption for DDFS and replication
After a DDVE deployment from the market place, DDVE SSH login with a username and password is enabled. The default password for the sysadmin user is the EC2 instance ID of the DDVE instance. At the first login, a password change is required. The EC2 key access pair associated with the sysadmin user is an optional alternative to username and password authentication.
IP Tables feature
After protecting the DDVE using secure setup, within the DDVE you can filter the network traffic that enters by using the
iptables feature. For more configuration information, see the DDOS 6.2 Command Reference Guide's Net Filter section.
Security rules settings
Since the DDVE in AWS is always running in a VPC, the VPC should be configured so that only required and trusted clients have access to the DD system. The following tables show the TCP and UDP ports that are used by the DD system for inbound and outbound traffic, and which service makes use of them. Consider the following information when configuring VPC firewall rules. For additional information, see
Amazon EC2 Security Groups for Linux Instances.
Inbound rules
The following are the inbound ports used by DDVE.
Table 2. Inbound ports used by DDVE
Port
Service
Description
TCP 22
SSH
Used for SSH (CLI) access and for configuring DDVE.
TCP 443
HTTPS
Used for DDSM (GUI) access and for configuring DDVE.
TCP 2049
DD Boost/NFS
Main port used by NFS - can be modified using the
nfs set server-port
command which requires SE mode.
TCP 2051
Replication/DD Boost/ Optimized Duplication
Used only if replication is configured (run
replication show config command on DD system to determine). This port can be modified using
replication modify.
TCP 3009
SMS (system management)
Used for managing a system remotely using DDSM. This port cannot be modified. This port will also need to be opened if you plan to configure replication from within the DDSM, since the replication partner needs to be added to the DDSM.
Depending on the protocol that is used to backup data to DDVE, additional ports are enabled with inbound firewall rules.
Outbound rules
The following are the outbound ports that are used by DDVE.
Table 3. Outboard ports used by DDVE
Port
Service
Description
UDP 123
NTP
Used by the DD system to synchronize to a time server.
TCP 443
HTTPS
Used for DDVE to be able to communicate with outside services.
TCP 2049
DD Boost/NFS
Main port used by NFS - can be modified using the
nfs set server-port command which requires SE mode.
TCP 2051
Replication/DD Boost/ Optimized Duplication
Used only if replication is configured (run
replication show config on DD system to determine). This port can be modified using
replication modify.
TCP 3009
SMS (system management)
Used for managing a system remotely using DDSM. This port cannot be modified. This port will also need to be opened if you plan to configure replication from within the DDSM, as the replication partner needs to be added to the DDSM.
Depending on the other applications/services that are being used, additional ports shall be enabled for outbound firewall rules.
Data is not available for the Topic
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\