Tutorial
iManager Security Vulnerabilities Solution
This article lists some common security vulnerabilities reported against iManager for Kubernetes and how to remediate them. If you encounter the same problem, refer to the corresponding item below:
- NFS vulnerability (CVE-1999-0554): how should the information disclosure reported for `showmount -e` against the target host be handled?
Answer: Use the TCP wrappers access-control files /etc/hosts.allow and /etc/hosts.deny together to limit which client addresses may obtain the NFS export list. When a connection arrives, the check proceeds in a fixed order: /etc/hosts.allow is consulted first, and if a rule there matches the daemon and the client, the connection is admitted immediately. Otherwise /etc/hosts.deny is consulted, and if a rule there matches, the connection is refused. If neither file matches, access is granted, which is why the hosts.deny entries below must not be omitted.
The relationship between the two files is therefore that /etc/hosts.allow takes precedence over /etc/hosts.deny. The configuration steps are as follows:
(1) Edit the hosts.allow configuration file (`vim /etc/hosts.allow`) and add:

```
mountd: 192.168.13.1            # set to the IP(s) that need access; separate multiple IPs with commas
#rpcbind: 192.168.13. : allow   # admits the whole 192.168.13.0/24 network segment
rpcbind: 192.168.13.1 : allow
```

(2) Edit the hosts.deny configuration file (`vim /etc/hosts.deny`) and add:

```
mountd: ALL          # deny all other IPs access to the nfs service
rpcbind: ALL : deny
```

(3) The change takes effect immediately; neither the machine nor the NFS services need to be restarted. From a host that is not listed, `showmount -e <server>` should now be refused, while the listed clients can still query and mount. Note that `rpcbind: ALL : deny` blocks every RPC client that is not listed in hosts.allow, so every legitimate NFS client must appear in hosts.allow for both mountd and rpcbind, or its mounts will break. This method also relies on rpcbind and rpc.mountd having been built with TCP wrappers (libwrap) support; on distributions that have dropped TCP wrappers, restrict access to the rpcbind and mountd ports with firewall rules instead.
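To check the two files before deploying them, here is an added example (bash; not part of the original iManager documentation) that models how TCP wrappers evaluate hosts.allow and hosts.deny for one connection, including the default-allow when neither file matches. The sample rules and client addresses are constructed from the steps above; the KNOWN, LOCAL and EXCEPT keywords and netmask syntax are not handled.

```shell
#!/usr/bin/env bash
# Added example (not part of the iManager documentation): a small model of how
# TCP wrappers evaluate /etc/hosts.allow and /etc/hosts.deny for one connection,
# so the two files from the steps above can be sanity-checked before they are
# deployed. It covers the three client forms used on this page: a single IP, a
# network prefix ending in "." (192.168.13. = the whole 192.168.13.0/24), and ALL,
# plus the optional third field (": allow" / ": deny"). KNOWN, LOCAL, EXCEPT and
# netmask notation are not modelled.

# _in_list LIST ITEM -> 0 if ITEM matches any comma/space separated pattern in LIST
_in_list() {
  local list="$1" item="$2" pat
  local -a pats
  IFS=', ' read -ra pats <<< "$list"
  for pat in "${pats[@]}"; do
    [ -z "$pat" ] && continue
    case "$pat" in
      ALL) return 0 ;;
      *.)  [[ "$item" == "$pat"* ]] && return 0 ;;   # prefix match for a subnet
      *)   [ "$item" = "$pat" ] && return 0 ;;
    esac
  done
  return 1
}

# _scan_rules RULES DAEMON CLIENT DEFAULT -> prints "allow" or "deny" for the
# first matching rule (first match wins), or nothing if no rule matches.
_scan_rules() {
  local rules="$1" daemon="$2" client="$3" default="$4"
  local line dlist clist opt
  while IFS= read -r line; do
    line="${line%%#*}"                        # drop comments
    [ -z "${line//[[:space:]]/}" ] && continue
    [[ "$line" == *:* ]] || continue          # not a "daemon : client" rule
    IFS=':' read -r dlist clist opt <<< "$line"
    _in_list "$dlist" "$daemon" || continue
    _in_list "$clist" "$client" || continue
    opt="${opt//[[:space:]]/}"
    case "$opt" in
      allow|deny) printf '%s\n' "$opt" ;;      # explicit option overrides the file
      *)          printf '%s\n' "$default" ;;
    esac
    return 0
  done <<< "$rules"
  return 0
}

# tcpwrap_decision DAEMON CLIENT ALLOW_RULES DENY_RULES -> allow | deny
tcpwrap_decision() {
  local daemon="$1" client="$2" verdict
  verdict=$(_scan_rules "$3" "$daemon" "$client" allow)    # hosts.allow first
  if [ -z "$verdict" ]; then
    verdict=$(_scan_rules "$4" "$daemon" "$client" deny)   # then hosts.deny
  fi
  # Nothing matched in either file: TCP wrappers grants access. This is why the
  # hosts.deny entries are mandatory, not optional.
  printf '%s\n' "${verdict:-allow}"
}

# The two files from the steps above, as constructed sample input.
HOSTS_ALLOW='mountd: 192.168.13.1            # only this client may list exports
#rpcbind: 192.168.13. : allow               # uncomment to admit the whole /24
rpcbind: 192.168.13.1 : allow'
HOSTS_DENY='mountd: ALL                       # everybody else
rpcbind: ALL : deny'

for who in mountd/192.168.13.1 mountd/192.168.13.77 mountd/10.0.0.5 \
           rpcbind/192.168.13.1 rpcbind/10.0.0.5 sshd/10.0.0.5; do
  printf '%-8s from %-14s -> %s\n' "${who%/*}" "${who#*/}" \
    "$(tcpwrap_decision "${who%/*}" "${who#*/}" "$HOSTS_ALLOW" "$HOSTS_DENY")"
done
```

Run it with bash; the loop prints one verdict per daemon/client pair. The final case, a daemon with no rule in either file, comes out as allow, which is the behaviour that makes the hosts.deny entries mandatory. Passing an empty string as the deny rules shows the same thing for mountd: without `mountd: ALL` in hosts.deny, every unlisted client can still read the export list.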
- Before 11i, file upload was almost unrestricted, which left the file system exposed to some risk. In 11i the File Manager restricts the upload of certain script file types by default. What should be done if the default still does not satisfy the customer's upload security policy?
Answer: Users can restrict additional file types as needed by editing the orchestration of the file-manager service and adding the file types to the corresponding environment variable:
**Configuration method for 10.2.1 and later versions**

(1) Find the file-manager service in the iManager service list, click Edit, locate the environment variable UNSUPPORTED_EXTENTIONS in the orchestration (use the variable name exactly as it appears there), and append the suffixes of the file types to be restricted to its value, separated by ", ".
(2) Click Update. The service restarts, and the restriction takes effect after the restart.
**Configuration method for 10.2.0 and earlier versions**

Visit http://<ip>:31234 to open the Kubernetes Dashboard, then:
(1) Select icloud-native-* as the namespace, choosing the entry that matches the actual cloud suite ID;
(2) Find the file-manager Deployment under Deployments, click Edit, locate the environment variable UNSUPPORTED_EXTENTIONS in the orchestration (use the variable name exactly as it appears there), and append the suffixes of the file types to be restricted to its value, separated by ", ";
(3) Click Update. The service restarts, and the restriction takes effect after the restart.
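Before pasting a longer list into the orchestration it is worth normalizing it and checking which file names it would actually catch. The following is an added example (bash), not iManager code. It assumes, as the steps above describe, a ", "-separated list of suffixes, and additionally assumes that the service ignores a leading dot and letter case when comparing; that second assumption is not stated on this page and should be confirmed with a test upload (for example `shell.PHP`) after the service has restarted.

```shell
#!/usr/bin/env bash
# Added example (not iManager code): tidy up an UNSUPPORTED_EXTENTIONS value and
# pre-check which file names it would catch before the list is pasted into the
# file-manager orchestration. The page only says the value is a list of suffixes
# separated by ", "; that the service strips a leading dot and compares without
# regard to letter case is an ASSUMPTION made here, so confirm the real behaviour
# with a test upload once the service has restarted.

# normalize_ext_list RAW -> canonical list: lower-case, no leading dot, no blanks
# or duplicates, joined with the ", " separator the documentation uses.
normalize_ext_list() {
  local raw="$1" item out="" seen=","
  local -a items
  IFS=', ' read -ra items <<< "$raw"
  for item in "${items[@]}"; do
    item=$(printf '%s' "${item#.}" | tr '[:upper:]' '[:lower:]')
    [ -z "$item" ] && continue
    case "$seen" in *",$item,"*) continue ;; esac   # skip duplicates
    seen="$seen$item,"
    out="${out:+$out, }$item"
  done
  printf '%s\n' "$out"
}

# upload_blocked FILENAME LIST -> 0 if FILENAME's final suffix is on LIST
upload_blocked() {
  local name="$1" list ext
  list=$(normalize_ext_list "$2")
  case "$name" in
    *.*) ext=$(printf '%s' "${name##*.}" | tr '[:upper:]' '[:lower:]') ;;
    *)   return 1 ;;                   # no suffix: nothing for a suffix list to match
  esac
  case ",${list//, /,}," in
    *",$ext,"*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Constructed example: a customer's extra suffixes, typed with inconsistent
# case, a stray leading dot and a duplicate, as they might be pasted by hand.
EXTRA_EXTS='jsp, .PHP, asp ,jsp, sh'
printf 'UNSUPPORTED_EXTENTIONS=%s\n' "$(normalize_ext_list "$EXTRA_EXTS")"
for f in report.pdf shell.PHP deploy.sh photo.jpg.php webshell.jsp.bak README; do
  if upload_blocked "$f" "$EXTRA_EXTS"; then verdict=blocked; else verdict=accepted; fi
  printf '%-18s -> %s\n' "$f" "$verdict"
done
```

Only the final suffix is compared, so `webshell.jsp.bak` is accepted while `photo.jpg.php` is blocked; whether the real service behaves the same way is exactly what the post-restart test upload should establish. On clusters where kubectl is available, the same change as the Dashboard edit is `kubectl -n <namespace> set env deployment/file-manager UNSUPPORTED_EXTENTIONS='<list>'`, and `kubectl -n <namespace> get deployment file-manager -o jsonpath='{.spec.template.spec.containers[*].env[?(@.name=="UNSUPPORTED_EXTENTIONS")].value}'` shows the value that actually landed; these are the standard kubectl equivalents, not commands the page itself documents.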