MAAS security

Computer security is a wide-ranging and essential discipline impossible to cover completely here. There are, however, some relatively simple steps you can take to harden the security of your MAAS installation on your rack and region controllers.

There are too many use cases and operating systems to make any meaningful security suggestions in this context for your deployed machines.

`maas` and `root` users

You should pick good passwords and store them securely (e.g. in a KeePassX password database). Perform user administration only via the web UI. Only share the maas and root user passwords with administrators.

SSL

MAAS doesn’t yet support SSL natively. In the meantime, you can use a reverse SSL proxy to restrict outside access to your region controllers. Use NGINX or Apache to accept HTTPS requests, and use HTTP to communicate with MAAS via port 5240, serving results back through HTTPS to the requester.

See SSL for configuration examples.

Conf file permissions

MAAS configuration files should be set to have permission 640: readable by logins belonging to the maas group and writeable only by the root user. Currently, the regiond.conf file contains the login credentials for the PostgreSQL database used by MAAS to keep track of all machines, networks, and configuration.

sudo chmod 640 /etc/maas/rackd.conf
sudo chmod 640 /etc/maas/regiond.conf

After:

-rw-r----- 1 root maas   90 Sep 27 14:13 rackd.conf
-rw-r----- 1 root maas  157 Sep 27 14:14 regiond.conf

Firewalls

The Rack controller page contains a list of ports used by MAAS for communications between rack and region controllers. Consider setting your firewall on your rack and region controllers to disallow communication on all ports except those used by MAAS.

Shared secrets

When you add a new rack or region controller, MAAS asks for a shared secret it will use to communicate with the rest of MAAS. This secret is also exposed in the web UI when you click the ‘Add rack controller’ button on the Controllers page.

MAAS automatically generates this secret when your first region controller is installed, and stores the secret in a plain text file.

You should also verify that any ‘secret’ files on region and rack controllers have permission 600, that is, readable and writeable only by the ‘maas’ user.

sudo chmod 600 /var/lib/maas/secret

And after:

-rw------- 1 maas maas 32 Sep 27 14:15 /var/lib/maas/secret
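
The permission settings from the "Conf file permissions" and "Shared secrets" sections can be checked as a repeatable audit. The script below is an added example, not part of MAAS or of the original page; the function names, the optional ROOT prefix and the choice to skip files that are absent on a given controller are assumptions, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example, not MAAS code. Needs GNU stat (coreutils), as on Ubuntu.

# check_perm PATH MODE OWNER GROUP
# Returns 0 on match, 1 on drift, 2 if PATH does not exist on this host.
check_perm() {
    path=$1
    expected="$2 $3 $4"
    if [ ! -e "$path" ] && [ ! -L "$path" ]; then
        echo "ABSENT $path"
        return 2
    fi
    # A symlink or non-regular file is reported as drift: its own mode
    # says nothing about the file that is actually read through it.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "DRIFT  $path: not a regular file"
        return 1
    fi
    actual=$(stat -c '%a %U %G' -- "$path") || return 1
    if [ "$actual" = "$expected" ]; then
        echo "OK     $path ($actual)"
        return 0
    fi
    echo "DRIFT  $path: found '$actual', expected '$expected'"
    return 1
}

# audit_maas [ROOT]: check the three files named on this page.
# ROOT is a hypothetical path prefix, e.g. for auditing a mounted image.
# Absent files are skipped (assumption: a controller may hold only one role).
audit_maas() {
    root=${1:-}
    failures=0
    while read -r rel mode owner group; do
        rc=0
        check_perm "$root$rel" "$mode" "$owner" "$group" || rc=$?
        if [ "$rc" -eq 1 ]; then failures=$((failures + 1)); fi
    done <<EOF
/etc/maas/rackd.conf 640 root maas
/etc/maas/regiond.conf 640 root maas
/var/lib/maas/secret 600 maas maas
EOF
    [ "$failures" -eq 0 ]
}

# Usage: sh audit.sh audit   (exit status is non-zero when drift is found)
if [ "${1:-}" = "audit" ]; then audit_maas; fi
```

Run it with sudo so that stat can reach files under directories the current user cannot traverse.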