Operating System Settings
For best security, Traffic Managers should not be used for running applications other than the Traffic Manager, especially applications that provide network services. When a new Traffic Manager is commissioned, pre-installation checks should include removing or disabling UNIX services that will not be used. For example, services such as “lpd” (the UNIX print server) and the RPC Portmapper are often started by default, and are not necessary for the Traffic Manager to function. By uninstalling these services completely, you can dramatically reduce the number of exposed interfaces through which your Traffic Manager servers can be accessed.
Some services might still be required (for example, Syslog and secure shell). Where practical, these services should be bound only to the private network interface or to the loopback interface if they are not required externally. This helps avoid attracting unnecessary attention to your servers, and should be done even where firewalls are in place.
A good pre-installation starting point is to have only port 22 open on the server, for inbound SSH connections, and only on the management port (if configured). Open ports can be checked using the freely available “netstat” and “nmap” tools.
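The following is an added example, not part of the original document: a shell function that filters “netstat -tuln” output and lists every listener that is neither bound to the loopback interface nor SSH on the management address. The function names, the management address 10.0.0.5 and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# audit_listeners [MGMT_IP]
# Reads `netstat -tuln` output on stdin and prints "proto address port" for
# every listening socket that needs review. Allowed without comment:
#   - anything bound only to loopback (127.x.x.x or ::1)
#   - TCP port 22 (SSH); if MGMT_IP is given, only when bound to that address
audit_listeners() {
    awk -v mgmt="${1:-}" '
        $1 !~ /^(tcp|udp)/ { next }        # skip netstat header lines
        {
            n = split($4, parts, ":")      # the port follows the last colon
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "::1") next
            if ($1 ~ /^tcp/ && port == "22" && (mgmt == "" || addr == mgmt)) next
            print $1, addr, port
        }'
}

# Constructed sample of `netstat -tuln` output (not captured from a real host):
# SSH on the management address, a loopback-only mail listener, and the
# RPC Portmapper (111) and lpd (515) listening on all interfaces.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
EOF
}

# Demonstration on the constructed sample. On a real server, run instead:
#   netstat -tuln | audit_listeners 10.0.0.5
sample_netstat | audit_listeners 10.0.0.5
```

An empty result means the only listeners are loopback-bound services and SSH on the management address.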
Administration of a UNIX server requires regular operating system maintenance. Security is an ongoing process. In particular, it is best practice to track vendor patches and to upgrade services that remain exposed to the Internet as soon as new versions that fix security-related problems are available. This applies not only to the services that the Traffic Manager is managing, but also to tools installed on Traffic Managers, such as SSH servers used for administration. For most operating systems, including Linux, the kernel itself might require upgrades from time to time as security problems are identified and fixed.