Application Security
System Security Checks
EasyDCIM performs a series of tests that verify the system’s most critical settings. These tests are conducted in the background at five-minute intervals.
In addition to the automated testing, EasyDCIM also offers the flexibility to initiate manual tests in real time. This feature is particularly useful when immediate verification is needed, such as after system updates, configuration changes, or troubleshooting.
Local SSH Connection
| Importance | Description | Recommended Solution |
| --- | --- | --- |
| Action Required | Verifies whether a local SSH connection to the EasyDCIM server is possible. | Ensure the SSH server is running properly, and the key pair has been generated. Use the command if needed: `php /opt/easydcim/console ssh:generate` |
SSH Server Port
| Importance | Description | Recommended Solution |
| --- | --- | --- |
| Warning | Checks if the SSH service is accessible on the default port 22. | Change the SSH server configuration to operate on a non-default port. Update the new port in EasyDCIM main settings. |
CRON Status
| Importance | Description | Recommended Solution |
| --- | --- | --- |
| Warning | Verifies that appropriate entries for scheduled tasks are present in /etc/crontab. | Ensure /etc/crontab includes the necessary entries for scheduled tasks. |
Remote Agents Connection
| Importance | Description | Recommended Solution |
| --- | --- | --- |
| Action Required | Verifies whether remote agents respond correctly and the communication between them and EasyDCIM is stable. | Ensure the access details, such as IP Address and API Key, are correct in the agent’s edit form. |
DHCP Servers
| Importance | Description | Recommended Solution |
| --- | --- | --- |
| Warning | Checks if the DHCP servers on remote agents are functioning properly. | Verify errors reported by the DHCP server in the remote agent summary view. |
Remote Agent Data Polling
| Importance | Description | Recommended Solution |
| --- | --- | --- |
| Action Required | Verifies whether the data polling process completes within 300 seconds. | Configure polling to focus on network devices. Increase CPU, RAM, or upgrade to SSD/NVMe if needed. |
Backend IP Access
| Importance | Description | Recommended Solution |
| --- | --- | --- |
| Action Required | Checks if the backend section is accessible from all IP addresses. | Restrict backend access to specific IP addresses via the “System Access” tab in global settings. |
API IP Access
| Importance | Description | Recommended Solution |
| --- | --- | --- |
| Action Required | Checks if the API section is accessible from all IP addresses. | Restrict API access to specific IP addresses via the “System Access” tab in global settings. |
Advanced Firewall
| Importance | Description | Recommended Solution |
| --- | --- | --- |
| Warning | Checks if the advanced firewall, ModSecurity, is enabled and configured. | Configure the Advanced Firewall in global system settings and ensure the IP whitelist is correctly generated. |
Redis Status
| Importance | Description | Recommended Solution |
| --- | --- | --- |
| Action Required | Checks if the Redis service is running properly and the database is accessible to EasyDCIM. | Reinstall the Redis service using the provided command: `sudo bash /opt/easydcim/scripts/redis/reinstall.sh` |
SSL Configuration
| Importance | Description | Recommended Solution |
| --- | --- | --- |
| Warning | Checks if EasyDCIM is operating on a domain with an SSL certificate. | Follow the SSL configuration guide if using a domain. |
PHP Version
| Importance | Description | Recommended Solution |
| --- | --- | --- |
| Action Required | Checks if the installed PHP version is the latest. EasyDCIM and remote agents require PHP 8.1.X. | Update the system packages using `apt-get update && apt-get upgrade && apt-get dist-upgrade` |
Debian Version
| Importance | Description | Recommended Solution |
| --- | --- | --- |
| Action Required | Checks if the installed Debian version is the latest. EasyDCIM and remote agents require Debian 12.9. | Update the Debian system using `apt-get update && apt-get upgrade && apt-get dist-upgrade`. |
EasyDCIM Version
| Importance | Description | Recommended Solution |
| --- | --- | --- |
| Action Required | Checks if EasyDCIM is updated to the latest version. | Update EasyDCIM using the Update Guide. |
Remote Agents Version
| Importance | Description | Recommended Solution |
| --- | --- | --- |
| Action Required | Checks if remote agents are updated to the latest version. | Update remote agents using the Update Guide. |
Two-Factor Authentication
Firewall Rules
EasyDCIM and remote agents use multiple network services operating on separate TCP or UDP ports. You can apply additional firewall restrictions to limit network traffic only to the required ports. For this purpose, you can use the built-in Debian iptables firewall or any other tool that filters incoming or outgoing traffic. If you do not use an external billing system, we recommend applying all the firewall rules described below.
EasyDCIM
The following ports are used for EasyDCIM:
- 22/TCP — EasyDCIM requires a local connection to SSH using a specially generated key pair (private and public). This could be a different port depending on the SSH server configuration.
- 80/TCP — for HTTP
- 443/TCP — for HTTPS
noVNC Console
- 6081/TCP - 6200/TCP — port range used during Websockify session creation
Remote Agent
The following ports are used for remote agents:
- 8080/TCP — for HTTP
- 8081/TCP — for HTTPS
- 22/TCP — The remote agent requires a local connection to SSH using a specially generated key pair (private and public). This could be a different port depending on the SSH server configuration.
OS Installation
- 67/UDP, 68/UDP — for DHCP
- 69/UDP — for TFTP
- 139/TCP, 445/TCP — for Samba
noVNC Console
- 5901/TCP - 6000/TCP — port range used during Docker container creation
Outgoing Connections for Servers
- 623/TCP, 623/UDP — for IPMI
- 443/TCP — for Redfish
- 80/TCP, 443/TCP — for the IPMI factory panel
Outgoing Connections for Network Devices
- 161/UDP, 162/UDP — for SNMP
- 80/TCP, 443/TCP — for eAPI, NX-API, and RouterOS API. Depends on the switch configuration.
- 22/TCP, 830/TCP — for NETCONF
License Server
The license server is located at license.easydcim.com (5.161.211.169). A connection to the license server on port 443/TCP is required for EasyDCIM to function properly.
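The inbound port lists above, turned into iptables commands as an added example (not EasyDCIM's own tooling). The role names, the `SSH_PORT` variable, and the choice to filter only the INPUT chain of a host whose INPUT chain is otherwise empty are assumptions; FORWARD and OUTPUT are left untouched, so Docker's own chains on the remote agent and the outgoing connections listed above are not affected.

```shell
#!/bin/sh
# Added example: prints iptables commands for the inbound ports listed on this page.
# Nothing is applied here; review the output first, then pipe it to `sh` as root.
# Assumption: SSH_PORT matches the port sshd really listens on (22 unless changed).
SSH_PORT="${SSH_PORT:-22}"

emit_rules() {
    case "$1" in
        easydcim)
            # SSH, HTTP, HTTPS, noVNC Websockify range
            tcp_ports="${SSH_PORT},80,443,6081:6200"
            udp_ports=""
            ;;
        agent)
            # SSH, agent HTTP/HTTPS, Samba, noVNC Docker range
            tcp_ports="${SSH_PORT},8080,8081,139,445,5901:6000"
            # DHCP and TFTP used for OS installation
            udp_ports="67,68,69"
            ;;
        *)
            echo "usage: emit_rules easydcim|agent" >&2
            return 1
            ;;
    esac

    # Loopback first: the local SSH connection EasyDCIM makes to itself stays open.
    printf '%s\n' "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections the host itself opened (IPMI, SNMP, license server).
    printf '%s\n' "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "iptables -A INPUT -p tcp -m multiport --dports ${tcp_ports} -j ACCEPT"
    if [ -n "$udp_ports" ]; then
        printf '%s\n' "iptables -A INPUT -p udp -m multiport --dports ${udp_ports} -j ACCEPT"
    fi
    # Default-drop goes last so a partially applied list never cuts off the session.
    printf '%s\n' "iptables -P INPUT DROP"
}

# Stand-alone use: sh firewall.sh easydcim   (or: agent)
if [ "$#" -gt 0 ]; then
    emit_rules "$1"
fi
```

The rules are not persistent across reboots; save them with whatever mechanism the host already uses for iptables.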
Additional Security Measures
EasyDCIM includes various mechanisms to enhance application security. To ensure the application is secure, we recommend using the following security measures.
Two-Factor Authentication
Two-factor authentication adds an extra layer of security to our system, requiring a second-factor token during the authorization process. This option is available for administrators in the backend section.
To configure the additional security layer, go to the main view of the Two-Factor Authentication extension.
Allowed IP Addresses
By default, the backend section and API are accessible from all subnets and IP addresses. To restrict access to specific IP addresses, select the “System Access” tab in the global system settings:
- Allowed IP Addresses (Backend) — Specifies the list of IPv4 addresses or subnets in CIDR format to be whitelisted for the backend section. Defining these addresses may restrict access to the backend section. Examples: ‘192.168.56.1’ or ‘192.168.56.0/24’.
- Allowed IP Addresses (API) — Specifies the list of IPv4 addresses or subnets in CIDR format to be whitelisted for the API section. Examples: ‘192.168.56.1’ or ‘192.168.56.0/24’.
Client Area Access
By default, the client section is enabled. If you do not want to use the built-in client section, you can disable it. To do so, select the “System Access” tab in the global system settings:
- Disable Client Area — Specifies whether the client area section will be disabled. If turned on, clients will not be able to access the built-in client section in EasyDCIM.