Computer security is a wide-ranging and essential discipline impossible to cover completely here. There are, however, some relatively simple steps you can take to harden the security of your MAAS installation on your rack and region controllers.
There are too many use cases and operating systems to make any meaningful security suggestions in this context for your deployed machines.
`maas` and `root` users
You should pick good passwords and store them securely (e.g. in a KeePassX password database). Perform user administration only via the web UI. Only share the
root user passwords with administrators.
MAAS doesn’t yet support SSL natively. In the meantime, you can use a reverse SSL proxy to restrict outside access to your region controllers. Use NGINX or Apache to accept HTTPS requests, and use HTTP to communicate with MAAS via port 5240, serving results back through HTTPS to the requester.
See SSL for configuration examples.
Conf file permissions
MAAS configuration files should be set to have permission
640: readable by logins belonging to the
maas group and writeable only by the
root user. Currently, the
regiond.conf file contains the login credentials for the PostgreSQL database used by MAAS to keep track of all machines, networks, and configuration.
chmod 640 /etc/maas/rackd.conf chmod 640 /etc/maas/regiond.conf
-rw-r----- 1 root maas 90 Sep 27 14:13 rackd.conf -rw-r----- 1 root maas 157 Sep 27 14:14 regiond.conf
The Rack controller page contains a list of ports used by MAAS for communications between rack and region controllers. Consider setting your firewall on your rack and region controllers to disallow communication on all ports except those used by MAAS.
When you add a new rack or region controller, MAAS asks for a shared secret it will use to communicate with the rest of MAAS. This secret is also exposed in the web UI when you click the ‘Add rack controller’ button on the Controllers page.
MAAS automatically generates this secret when your first region controller installed, and stores the secret in a plain text file.
You should also verify that any ‘secret’ files on region and rack controllers are
600 or readable and writeable only by the ‘maas’ user.
sudo chmod 600 /var/lib/maas/secret
-rw------- 1 maas maas 32 Sep 27 14:15 /var/lib/maas/secret