
Before moving to production

When testing is finished and before moving the server to production, check and do the following:

1. Disable the web interface if there is no plan to use it

http_enable_paths=rest,action,shared,embed_player,empty

2. Make sure that the default passwords of the admin and demo users are changed to more secure ones

3. Expand the media port range and check that this range does not interfere with other ports used by the server

media_port_from        =20001
media_port_to          =40000

4. Check the Linux dynamic port range and change it if necessary

5. Set up a firewall, opening only the ports that are needed:

  • iptables
    ??? example "iptables setup script example"

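    #!/bin/bash
    #
    # iptables setup example for a WCS host.
    #
    # Resets the existing rule set, allows loopback, established/related and
    # ICMP traffic, opens SSH and the WCS service/media ports, drops everything
    # else on INPUT/FORWARD and saves the result. Must be run as root. Adjust
    # WAN and the port lists to the actual host before use.
    set -euo pipefail

    # Every iptables call below needs root; refusing early avoids leaving a
    # half-applied rule set behind.
    if (( EUID != 0 )); then
      printf 'this script must be run as root\n' >&2
      exit 1
    fi

    readonly IPT="iptables"

    # WAN interface
    readonly WAN=eth0

    # Media port range: must match media_port_from / media_port_to in the WCS
    # settings (20001-40000 in step 3 above), for both TCP and UDP.
    readonly MEDIA_PORT_FROM=20001
    readonly MEDIA_PORT_TO=40000

    # Switch to ACCEPT *before* flushing: if a previous run left the policy at
    # DROP, flushing first would cut off the SSH session running this script.
    # INPUT/FORWARD are switched back to DROP at the end.
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT

    # Clean iptables chains (filter, nat, mangle)
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -t mangle -F
    "$IPT" -X
    "$IPT" -t nat -X
    "$IPT" -t mangle -X

    # Allow loopback traffic (only with loopback addresses on both ends)
    "$IPT" -A INPUT  -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
    "$IPT" -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

    # Allow outgoing connections
    "$IPT" -A OUTPUT -o "$WAN" -j ACCEPT

    # Set up already initiated connections rules
    "$IPT" -A INPUT   -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT  -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Drop all invalid packets
    "$IPT" -A INPUT   -m state --state INVALID -j DROP
    "$IPT" -A FORWARD -m state --state INVALID -j DROP

    # A NEW TCP connection must start with SYN
    "$IPT" -A INPUT  -p tcp ! --syn -m state --state NEW -j DROP
    "$IPT" -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Allow pings and the ICMP error types needed for working TCP/UDP
    for icmp_type in echo-reply destination-unreachable time-exceeded echo-request; do
      "$IPT" -A INPUT -p icmp --icmp-type "$icmp_type" -j ACCEPT
    done

    # Open SSH port (consider restricting the source with -s to the
    # administrative network)
    "$IPT" -A INPUT -p tcp --dport 22 -j ACCEPT

    # Open WCS ports. Remove any port whose service is not used on this host.
    wcs_tcp_ports=(80 443 8888 8443 1935 554 8080 8081 8084 8082 8445 8444)
    for port in "${wcs_tcp_ports[@]}"; do
      "$IPT" -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    "$IPT" -A INPUT -p udp --dport 1935 -j ACCEPT

    # Media port range; the same range is opened for TCP and UDP so the
    # firewall cannot silently block part of the configured media ports.
    "$IPT" -A INPUT -p tcp --dport "${MEDIA_PORT_FROM}:${MEDIA_PORT_TO}" -j ACCEPT
    "$IPT" -A INPUT -p udp --dport "${MEDIA_PORT_FROM}:${MEDIA_PORT_TO}" -j ACCEPT

    # Everything not explicitly accepted above is dropped. Besides the explicit
    # rules, the chain policy is set to DROP as well, so the host stays closed
    # even if the chains are flushed later.
    "$IPT" -A INPUT   -j DROP
    "$IPT" -A FORWARD -j DROP
    "$IPT" -P INPUT   DROP
    "$IPT" -P FORWARD DROP

    # Store rules to the file
    /sbin/iptables-save > /etc/sysconfig/iptables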
    

  • firewalld
    ??? example "firewalld setup script example"

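    #!/bin/bash
    #
    # firewalld setup example for a WCS host.
    #
    # Permanently opens the WCS service ports and the media port range in the
    # public zone and reloads the runtime configuration. Must be run as root.
    # Adjust the port list to the actual host before use.
    set -euo pipefail

    # Start firewalld now and keep it enabled at boot; --permanent rules are
    # only applied when the firewalld service is running.
    systemctl enable firewalld
    systemctl start firewalld

    readonly ZONE=public

    # Media port range: must match media_port_from / media_port_to in the WCS
    # settings (20001-40000 in step 3 above), for both TCP and UDP.
    readonly MEDIA_PORT_FROM=20001
    readonly MEDIA_PORT_TO=40000

    # WCS service ports. Remove any port whose service is not used on this
    # host; add 80/tcp and 443/tcp only if WCS serves them directly (the
    # iptables example above opens them).
    wcs_ports=(
      8888/tcp
      8443/tcp
      1935/tcp
      1935/udp
      554/tcp
      8080/tcp
      8081/tcp
      8084/tcp
      8082/tcp
      8445/tcp
      8444/tcp
      "${MEDIA_PORT_FROM}-${MEDIA_PORT_TO}/tcp"
      "${MEDIA_PORT_FROM}-${MEDIA_PORT_TO}/udp"
    )

    for port in "${wcs_ports[@]}"; do
      firewall-cmd --permanent --zone="$ZONE" --add-port="$port"
    done

    # Apply the permanent configuration to the running firewall
    firewall-cmd --reload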
    

6. Adjust the maximum number of open files

7. Check REST client setup

8. Disable client logs

enable_extended_logging=false

9. Decrease server log output in the log4j.properties file

log4j.rootLogger=error, stdout, fAppender

10. Clean up server logs

sudo rm -rf -- /usr/local/FlashphonerWebCallServer/logs/*

11. Check the Java heap memory size

12. Update the JDK to 14 or above and set up the ZGC garbage collector

13. Set up the jemalloc library for native memory allocation (outside the Java heap)