Security Check and Hardening

Security check and hardening protect the system and network against problems such as hacker attacks, data leakage, and system breakdown. In addition, they can meet regulatory compliance requirements and protect user privacy and information security.

Product: Elasticsearch

Security check and hardening: Routine check using antivirus software, vulnerability fixing, and SSH hardening.

Routine Check Using Antivirus Software

This is applicable to all the features.

Periodically scan components using antivirus software. This protects components from viruses, malicious code, spyware, and malicious programs, reducing risks such as system breakdown and information leakage. Any mainstream antivirus software can be used for the scan.

Vulnerability Fixing

To ensure the security of the production environment and reduce the risk of attacks, enable the firewall and periodically fix the following vulnerabilities:

  • OS vulnerabilities
  • JDK vulnerabilities
  • OpenSSL vulnerabilities
  • Vulnerabilities in other components

    The following uses CVE-2021-37137 as an example.

    Vulnerability description:

    Netty version 4.1.17 is subject to a security advisory regarding the potential confusion of two Content-Length HTTP headers. The vulnerability ID is CVE-2021-37137.

    The system uses the hdfs-ceph (version 3.2.0) service as the storage object with decoupled storage and compute. This service depends on aws-java-sdk-bundle-1.11.375.jar and involves this vulnerability. You are advised to apply the latest security patch promptly to prevent hacker attacks.

    Affected versions:

    Netty 4.1.68 and earlier versions

    Remediation:

    The vendor has released an upgrade patch to fix the vulnerability. For details, visit GitHub.

SSH Hardening

During the installation and deployment, you need to connect to the server through SSH. The root user has administrative privileges. Logging in to the server as the root user may pose security risks. You are advised to log in to the server as a non-privileged user for installation and deployment tasks, and disable SSH login for the root user to enhance system security. The procedure is as follows:

Log in to the server and check the PermitRootLogin configuration item in /etc/ssh/sshd_config.

  • If the value is no, SSH login for the root user is disabled.
  • If the value is yes, change it to no.
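
The check above as a script, added here as an example and not taken from the original document: it reads the first active PermitRootLogin value outside any Match block (sshd uses the first value it obtains for a keyword) and rewrites it to no. The function names and the sample file are assumptions of this example, and Include files are not followed.

```shell
# Added example: audit and correct PermitRootLogin in an sshd_config-style file.
# Function names are assumptions of this example; Include files are not followed.

# Print the first active PermitRootLogin value before any Match block (lowercased)
# or "unset". sshd keeps the first value read; commented-out lines do not count.
root_login_value() {
    awk '
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" {
            v = tolower($2); gsub(/"/, "", v); print v; found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only when root SSH login is explicitly set to "no".
root_login_disabled() { [ "$(root_login_value "$1")" = "no" ]; }

# Set the global value to "no" (backup in FILE.bak). Match-block settings are
# left untouched and need a separate review.
disable_root_login() {
    f=$1; tmp=$(mktemp) || return 1
    cp -p "$f" "$f.bak" || return 1
    if [ "$(root_login_value "$f")" = "unset" ]; then
        { echo "PermitRootLogin no"; cat "$f"; } > "$tmp"
    else
        awk '
            tolower($1) == "match" { in_match = 1 }
            !in_match && tolower($1) == "permitrootlogin" { print "PermitRootLogin no"; next }
            { print }
        ' "$f" > "$tmp"
    fi
    cat "$tmp" > "$f"; rm -f "$tmp"   # overwrite in place: owner and mode unchanged
}

# Demo on a constructed sample file (not a real server's configuration).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin no
Port 22
PermitRootLogin yes
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
EOF
echo "before: $(root_login_value "$sample")"
disable_root_login "$sample"
echo "after:  $(root_login_value "$sample")"
rm -f "$sample" "$sample.bak"
```

On a live host, `sshd -t` validates the edited file and `sshd -T` prints the effective configuration; the running daemon applies the new value only after it reloads its configuration.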