Application Security

Firewall Rules

EasyDCIM and remote agents use multiple network services operating on separate TCP or UDP ports. You can apply additional firewall restrictions to limit network traffic to only the required ports. For this purpose, you can use the built-in Debian iptables firewall or any other tool that filters incoming or outgoing traffic. If you do not use an external billing system, we recommend applying all the firewall rules described below.

EasyDCIM

The following ports are used for EasyDCIM:

  • 22/TCP — EasyDCIM requires a local connection to SSH using a specially generated key pair (private and public). This could be a different port depending on the SSH server configuration.
  • 80/TCP — for HTTP
  • 443/TCP — for HTTPS

noVNC Console

  • 6081/TCP - 6200/TCP — port range used during Websockify session creation

Remote Agent

The following ports are used for remote agents:

  • 8080/TCP — for HTTP
  • 8081/TCP — for HTTPS
  • 22/TCP — The remote agent requires a local connection to SSH using a specially generated key pair (private and public). This could be a different port depending on the SSH server configuration.

OS Installation

  • 67/UDP, 68/UDP — for DHCP
  • 69/UDP — for TFTP
  • 139/TCP, 445/TCP — for Samba

noVNC Console

  • 5901/TCP - 6000/TCP — port range used during Docker container creation
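The inbound port lists above can be turned into a default-drop iptables policy. The script below is an added example, not part of EasyDCIM or its documentation: it prints the iptables commands for either host role so they can be reviewed before being applied. The function name `easydcim_rules`, the `MGMT_CIDR` variable with its sample subnet, and the choice to admit remote SSH only from that subnet are assumptions; SSH is assumed to listen on port 22.

```shell
#!/bin/sh
# Added example (not EasyDCIM's own tooling): print iptables commands that allow
# only the inbound ports listed above for a given host role.
# Assumptions: SSH listens on 22; MGMT_CIDR is a constructed admin subnet;
# only the INPUT chain is touched, so OUTPUT, FORWARD and nat stay as they are.

MGMT_CIDR="${MGMT_CIDR:-192.168.56.0/24}"   # constructed sample value

easydcim_rules() {
    case "$1" in
        easydcim)   # web UI plus the Websockify noVNC range
            tcp="80,443,6081:6200"; udp="" ;;
        agent)      # agent HTTP/HTTPS, Samba, Docker noVNC range; DHCP and TFTP
            tcp="8080,8081,139,445,5901:6000"; udp="67,68,69" ;;
        *)
            echo "usage: easydcim_rules easydcim|agent" >&2
            return 1 ;;
    esac
    # Loopback covers the local SSH connection the application makes to itself.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections the host opened (IPMI, SNMP, license server, ...).
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Remote administration over SSH only from the management subnet.
    echo "iptables -A INPUT -p tcp -s $MGMT_CIDR --dport 22 -j ACCEPT"
    echo "iptables -A INPUT -p tcp -m multiport --dports $tcp -j ACCEPT"
    if [ -n "$udp" ]; then
        echo "iptables -A INPUT -p udp -m multiport --dports $udp -j ACCEPT"
    fi
    # Set the default-drop policy last so the accept rules are already in place.
    echo "iptables -P INPUT DROP"
}
```

Call `easydcim_rules easydcim` or `easydcim_rules agent`, review the output, and pipe it to `sh` as root on a host whose INPUT chain is still empty. If the SSH server uses a different port, change the `--dport 22` rule to match.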

Outgoing Connections for Servers

  • 623/TCP, 623/UDP — for IPMI
  • 443/TCP — for Redfish
  • 80/TCP, 443/TCP — for the IPMI factory panel

Outgoing Connections for Network Devices

  • 161/UDP, 162/UDP — for SNMP
  • 80/TCP, 443/TCP — for eAPI, NX-API, and RouterOS API. Depends on the switch configuration.
  • 22/TCP, 830/TCP — for NETCONF

License Server

The license server is located at license.easydcim.com (5.161.211.169). A connection to the license server on port 443/TCP is required for EasyDCIM to function properly.

Additional Security Measures

EasyDCIM includes various mechanisms to enhance application security. To ensure the application is secure, we recommend using the following security measures.

Two-Factor Authentication

Two-factor authentication adds an extra layer of security to our system, requiring a second-factor token during the authorization process. This option is available for administrators in the backend section.

To configure the additional security layer, go to the main view of the Two-Factor Authentication extension.

Allowed IP Addresses

By default, the backend section and API are accessible from all subnets and IP addresses. To restrict access to specific IP addresses, select the “System Access” tab in the global system settings:

  • Allowed IP Addresses (Backend) — Specifies the list of IPv4 addresses or subnets in CIDR format to be whitelisted for the backend section. Defining these addresses may restrict access to the backend section. Examples: ‘192.168.56.1’ or ‘192.168.56.0/24’.

  • Allowed IP Addresses (API) — Specifies the list of IPv4 addresses or subnets in CIDR format to be whitelisted for the API section. Examples: ‘192.168.56.1’ or ‘192.168.56.0/24’.

Client Area Access

By default, the client section is enabled. If you do not want to use the built-in client section, you can disable it. To do so, select the “System Access” tab in the global system settings:

  • Disable Client Area — Specifies whether the client area section will be disabled. If turned on, clients will not be able to access the built-in client section in EasyDCIM.