Atmosphere Security FAQ

Here are some of the commonly asked questions about security on Atmosphere. It’s an ever-evolving list. Please also refer to https://iujetstream.atlassian.net/wiki/spaces/JWT/pages/17465386/Policies+and+Best+Practices and https://iujetstream.atlassian.net/wiki/spaces/JWT/pages/17465381/Troubleshooting+and+FAQ for other security-related topics.

Topic

Answer

1. What ports are open by default in Atmosphere?

Atmosphere uses a standard OpenStack security group rule set to govern default Atmosphere access. By default, Atmosphere limits the privileged ports (under port 1024) to

  • 21 tcp (ftp)

  • 22 tcp (sshd)

  • 53 tcp/udp (nameservices)

  • 80 tcp (http)

  • 389 tcp (ldap)

  • 443 tcp (https)

  • 636 tcp (ldapssl)

Though these ports are accessible, that doesn’t mean anything is running there. On Jetstream Featured images, typically the only listener running is sshd – which is required both for deployment and access to the VM.

In non-privileged ports (over 1024), there are no restrictions placed by Atmosphere. Typically, the only ports you might find open above 1024 will be the Xvnc ports for the web desktop functionality.

Some instances like the R and Shiny Server instance will have port 3838 open.

It is unlikely that other ports under 1024 will be opened upon request.

2. How can I see what ports are open on my virtual machine?

From the command line, type:

netstat -latun | grep LIST | grep -v tcp6 | grep -v 127.0.0.1

This will show you all non-IPv6 listeners on public interfaces.
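An added check, not part of the original FAQ, that goes a step beyond the one-line pipeline above: it reads `netstat -latun` output, keeps UDP sockets (netstat prints no LISTEN state for UDP, so `grep LIST` silently drops them), discards udp6 as well as tcp6, and labels each non-loopback listener against the default security group rule set from question 1, so you can see which listeners are actually reachable from outside. The sample netstat output is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the Jetstream wiki: classify `netstat -latun` output
# against Atmosphere's default security group. Unlike the FAQ's grep pipeline it
# keeps UDP sockets (netstat prints no LISTEN state for UDP) and drops udp6 too.

# Privileged ports opened by the default Atmosphere security group (question 1).
ATMO_OPEN_TCP="21 22 53 80 389 443 636"
ATMO_OPEN_UDP="53"

# Reads netstat output on stdin; prints "proto/port status" for each IPv4
# listener that is not bound to loopback.
classify_listeners() {
    awk -v tcp_ok="$ATMO_OPEN_TCP" -v udp_ok="$ATMO_OPEN_UDP" '
    BEGIN {
        n = split(tcp_ok, a, " "); for (i = 1; i <= n; i++) ok["tcp", a[i]] = 1
        n = split(udp_ok, a, " "); for (i = 1; i <= n; i++) ok["udp", a[i]] = 1
    }
    $1 != "tcp" && $1 != "udp" { next }      # header lines, tcp6, udp6
    $1 == "tcp" && $6 != "LISTEN" { next }    # established connections
    $4 ~ /^127\./ { next }                    # loopback-only, not reachable
    {
        n = split($4, la, ":"); port = la[n]  # "0.0.0.0:22" -> "22"
        if (port + 0 >= 1024)       status = "reachable (no Atmosphere restriction)"
        else if (($1, port) in ok)  status = "reachable (default security group)"
        else                        status = "blocked by security group"
        print $1 "/" port " " status
    }'
}

# Constructed sample of `netstat -latun` output (not captured from a real VM).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           192.0.2.20:51000        ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp6       0      0 :::53                   :::*'

# On a live VM run:  netstat -latun | classify_listeners
demo() { printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners; }
demo
```

Anything reported as "reachable (no Atmosphere restriction)" is a listener above port 1024 that the platform does not filter at all, which is exactly where a host firewall (question 4) earns its keep.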

3. Can I have a private network in Atmosphere that is only reachable by another Atmosphere host?

No. All hosts in Atmosphere receive a public IP (also called a floating IP in OpenStack).

4. Can I use a firewall to further secure my Atmosphere-launched instance?

Yes, though with some caveats. Atmosphere instances will not deploy correctly if the Atmosphere deployment server can’t reach the instance. The web shell and web desktop will not function if the web shell host can’t access the instance. The IPs below need to always be allowed to reach your instance for proper operation.

Required IPs

  • 149.165.156.57 - use.jetstream-cloud.org

  • 149.165.156.163 - web shell host

  • 149.165.157.209 - use-staging.jetstream-cloud.org

  • 149.165.168.150 - atmo-wf Atmosphere deployment host

5. Can I use the sshd_config to limit ssh access to my instance?

We do not recommend altering the sshd_config to limit access as it can also break deployment if not done correctly.

6. Do I need to apply security updates to my VM?

(Also covered in https://iujetstream.atlassian.net/wiki/spaces/JWT/pages/17465386/Policies+and+Best+Practices and https://iujetstream.atlassian.net/wiki/spaces/JWT/pages/17465381/Troubleshooting+and+FAQ.)

It is always good practice to apply updates periodically; we recommend checking for updates at least once a week.

From the Jetstream Policies and Best Practices page:

The Ubuntu 18.04, 16.04 and CentOS 7 featured images are piloting unattended security updates. Nodes will not reboot, but they will apply any update marked as a security update. It is still a good idea to update your VM yourself, just in case.

To apply the updates:

  • CentOS: sudo yum update

  • Ubuntu: sudo apt-get update then sudo apt-get upgrade

If the kernel or glibc/libc packages are updated, a reboot is required for those updates to take effect.

Always run updates before requesting a new custom image. Note that an instance that is actively updating may be slow.