Application Security

System Security Checks

EasyDCIM performs a series of automatic background tests every five minutes to verify the system’s most critical settings. You can also run these tests manually whenever needed—for example, after updates or configuration changes.

Key checks include:

  • Local SSH Connection – Verifies local SSH availability. Use php /opt/easydcim/artisan ssh:generate if needed.
  • SSH Server Port – Warns if SSH uses the default port 22. Configure a custom port and update it in settings.
  • CRON Status – Ensures required scheduled task entries exist in /etc/crontab.
  • Remote Agents Connection – Validates communication between EasyDCIM and remote agents.
  • DHCP Servers – Monitors the operational status of DHCP on remote agents.
  • Remote Agent Data Polling – Confirms polling completes within 300 seconds; otherwise, consider resource upgrades.
  • Backend & API IP Access – Recommends IP whitelisting to restrict unauthorized backend/API access.
  • Advanced Firewall (ModSecurity) – Advises enabling and configuring ModSecurity with proper IP whitelist settings.
  • Redis Status – Verifies that Redis server is running.
  • SSL Configuration – Recommends SSL if the system is exposed via a public domain.
  • PHP, Debian, and EasyDCIM Versions – Confirms compatibility by requiring PHP 8.3.X and Debian 12.X.
  • Remote Agents Version – Suggests updating agents to the latest version.
  • Two-Factor Authentication – Verifies if 2FA is enabled for backend access.

Application Security - EasyDCIM Documentation

Firewall Rules

EasyDCIM and remote agents rely on various ports for secure communication. You can limit access to only necessary ports using a firewall such as iptables.

EasyDCIM uses:

  • 22/TCP – for SSH (custom port possible)
  • 80/TCP – for HTTP
  • 443/TCP – for HTTPS
  • 6081–6200/TCP – for noVNC console (Websockify sessions)

Remote Agents use:

  • 8080/TCP, 8081/TCP – for HTTP/HTTPS
  • 22/TCP – for local SSH
  • 67/UDP, 68/UDP, 69/UDP – for DHCP/TFTP
  • 139/TCP, 445/TCP – for Samba
  • 5901–6000/TCP – for Docker-based console access

Outgoing Connections:

  • Servers: 623/TCP, 623/UDP, 443/TCP, 80/TCP
  • Network Devices: 161/UDP, 162/UDP, 22/TCP, 830/TCP

License Server:
Connection to license.easydcim.com (5.161.211.169) over 443/TCP is required.

Additional Security Measures

EasyDCIM offers several built-in features to strengthen system access control.

Two-Factor Authentication
Add an extra layer of security for backend logins. Learn more in the Two-Factor Authentication guide.

Allowed IP Addresses
Limit backend and API access by defining allowed IPv4 addresses or subnets in CIDR format. Configure these settings under the “System Access” tab in global settings.

  • Backend IPs: e.g., 192.168.56.1, 192.168.56.0/24
  • API IPs: e.g., 192.168.56.1, 192.168.56.0/24

Client Area Access
If you do not use the built-in client area, you can disable it in global settings:

  • Disable Client Area – Prevents clients from accessing the client portal section.