To prevent brute force attacks on the DDVE, do not use a public IP address to configure your system.
Secure access
The following table illustrates the different authentication methods that DDVE supports.
Table 1. Access Types and Authentication
Access Type
Authentication Methods
UI
Username and password X509 certificates
SSH
Username and password
SSH key pair
REST API
Username and password X509 certificates
For better security, it is recommended that you disable authentication that is based on username and password. If you want to use the username-and-password-based authentication, it is recommended that you configure a strong password.
NOTE Do not disable password-based login if you want to configure Avamar Virtual Edition, NetWorker, or other backup software to connect to DDVE in Azure. Password authentication is used for communication between them.
Because Azure is a public cloud, pay attention to the security in your deployment. Follow these best practices:
Use public key based authentication for SSH access.
Use certificate-based authentication for DDSM access.
Do not configure public IP for DDVE in Azure, unless necessary.
Use an external KMIP server to store encryption keys.
Enable encryption for DDFS and replication.
When deploying DDVE from the market place, you can select one of the following authentication types. The username is always sysadmin.
Password—The complexity of this password should meet the following requirements for Azure and DDOS:
Password should not have more than three consecutive repeated characters.
SSH Public Key—The default password for sysadmin is
"changeme". At the first login, you are required to change the password.
IP Tables feature
After protecting the DDVE using secure setup, within DDVE you can filter the network traffic that enters by using the
iptables feature. The Net Filter section of the
DDOS Command Reference Guide provides more configuration information.
Security rules settings
Because DDVE in Azure is always running in a VPC, configure the VPC so that only required and trusted clients can access the DD system. The following tables show the TCP and UDP ports that the DD system uses for inbound and outbound traffic. Also shown are the services that use the ports. Consider the following information when configuring VPC firewall rules. For additional information, see
Security Rules.
Inbound rules
The following are the inbound ports that the DDVE uses.
Table 2. Inbound ports used by DDVE
Port
Service
Description
TCP 22
SSH
Used for SSH (CLI) access and configuring DDVE.
TCP 443
HTTPS
Used for DDSM (UI) access and configuring DDVE.
TCP 2049
DD Boost, NFS
Main port used by NFS. Can be modified by using the
nfs set server-port command, which requires SE mode.
TCP 2051
Replication, DD Boost, Optimized Duplication
Used only if replication is configured (run
replication show config command on DD system to determine). This port can be modified by using
replication modify.
TCP 3009
SMS (system management)
Used for managing a system remotely using DDSM. This port cannot be modified. If you plan to configure replication from within the DDSM, open this port (since the replication partner must be added to the DDSM).
Depending on the protocol that is used to backup data to DDVE, additional ports are enabled with inbound firewall rules.
Outbound rules
The following are the outbound ports that the DDVE uses.
Table 3. Outboard ports used by DDVE
Port
Service
Description
UDP 123
NTP
Used by the DD system to synchronize to a time server.
TCP 443
HTTPS
Used for DDVE to be able to communicate with outside services.
TCP 2049
DD Boost, NFS
Main port used by NFS. Can be modified by using the
nfs set server-port command, which requires SE mode.
TCP 2051
Replication, DD Boost, Optimized Duplication
Used only if replication is configured (run
replication show config on DD system to determine). This port can be modified using
replication modify.
TCP 3009
SMS (system management)
Used for managing a system remotely using DDSM. This port cannot be modified. If you plan to configure replication from within the DDSM, open this port (since the replication partner must be added to the DDSM).
Depending on the other applications and services that are being used, additional ports shall be enabled for outbound firewall rules.
Data is not available for the Topic
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\