How to Override Default Configuration Passwords and Verify Exposed Services
To run a secure system, it's important that you change the default passwords. This page gives a way to randomize passwords.
The configuration repository supplies well known default passwords for services, typically defined in the defaults/main.yml file for any particular role. By convention all such passwords have a name that clearly indicates they are passwords, typically ROLE_PURPOSE_PASSWORD.
You should ensure that these values are overridden if you are deploying a non-development environment. There are real world examples of folks losing their data because they had neither updated default password, nor ensured that access to services was blocked at the network.
Please do both and if you have questions about how to do so, ask on Slack.
Randomly Generated Passwords for New Deployments
One way to ensure that your passwords are overridden is to pass in overrides when you are installing Open edX using Ansible. Ansible lets you pass in a file of overrides using the -e@/path/to/file.yml convention.
As of February 2, 2017, we recommend that you override at least the following values https://raw.githubusercontent.com/edx/configuration/master/playbooks/sample_vars/passwords.yml
That file's contents look like so:
ANALYTICS_API_EMAIL_HOST_PASSWORD: !!null ANALYTICS_PIPELINE_OUTPUT_DATABASE_PASSWORD: !!null ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_PASSPHRASE: !!null COMMON_HTPASSWD_PASS: !!null COMMON_HTPASSWD_USER: !!null COMMON_MONGO_READ_ONLY_PASS: !!null COMMON_MYSQL_ADMIN_PASS: !!null COMMON_MYSQL_MIGRATE_PASS: !!null COMMON_MYSQL_READ_ONLY_PASS: !!null ...
This can be done easily from the bash command line. Add the content above to a file named passwords.yml and run the following command from the same directory in which you have created the file.
while IFS= read line; do REPLACE=$(LC_ALL=C < /dev/urandom tr -dc 'A-Za-z0-9' | head -c35) && echo "$line" | sed "s/\!\!null/\'$REPLACE\'/"; done < ./passwords.yml > ./my-passwords.yml
This creates a new file named my-passwords.yml, and its content should look something like the following:
ANALYTICS_API_EMAIL_HOST_PASSWORD: '58Ld0verTyG2M7ht64SzVvMb4rylWXHHzII' ANALYTICS_PIPELINE_OUTPUT_DATABASE_PASSWORD: 'tjX28dM0QhjXgySJ9JLU9io9nckodjxjJmo' ANALYTICS_SCHEDULE_MASTER_SSH_CREDENTIAL_PASSPHRASE: 'kBMlvEUqsaGFDSSzasownyDiXK9tTIcGTdZ' COMMON_HTPASSWD_PASS: 'JKhFjY8SA2LI2GdK8nK0SLM1HgzzFR4cuEb' COMMON_HTPASSWD_USER: '4xLx6FPc8Bni5MUjRbVLzvThERmSO2AIJBZ' COMMON_MONGO_READ_ONLY_PASS: 'UXfWWuXnfSb962jQ1yB4gbPaGRQ0dOZCCYh' COMMON_MYSQL_ADMIN_PASS: 'yxaLDLsZXb4FDAOpj9HD42Sr4UYBLNmLJP2' COMMON_MYSQL_MIGRATE_PASS: 'CXwSNlQ7QtK6al6MXxsrrt12PfQxfs8ydZf' COMMON_MYSQL_READ_ONLY_PASS: 'CBnZ0bxVmGGc7HEQQXWlTUc8C0MbVev6mYU' ...
Keep the my-passwords.yml file in a safe location, ideally encrypted. If you don't have another solution for this, we recommend that you use ansible-vault, which comes with your ansible installation
Starting from a bare Ubuntu Xenial installation, you can follow these steps:
# Ensure your instance is upgraded to the latest Xenial sudo apt-get update -y sudo apt-get upgrade -y reboot # Installed the edx_ansible role wget https://raw.githubusercontent.com/edx/configuration/master/util/install/ansible-bootstrap.sh -O - | sudo bash # Create passwords specific to your installation. Please consider that you'll need to share these across application nodes if you have multiple # The password files will be owned by root. cd /edx/app/edx_ansible/ sudo wget https://raw.githubusercontent.com/edx/configuration/master/playbooks/sample_vars/passwords.yml while IFS= read line; do REPLACE=$(LC_ALL=C < /dev/urandom tr -dc 'A-Za-z0-9' | head -c35) && echo "$line" | sed "s/\!\!null/\'$REPLACE\'/"; done < ./passwords.yml | sudo tee ./my-passwords.yml # Encrypt your environment specific secrets with Ansible vault. This step will prompt you to create a password # for accessing your encrypted data. It is IMPERATIVE that you do not lose or forget this password sudo /edx/app/edx_ansible/venvs/edx_ansible/bin/ansible-vault encrypt ./my-passwords.yml # Install the native installation using your encrypted passwords cd /edx/app/edx_ansible/edx_ansible/playbooks/ sudo /edx/app/edx_ansible/venvs/edx_ansible/bin/ansible-playbook -c local ./edx_sandbox.yml -i 'localhost,' -e@/edx/app/edx_ansible/my-passwords.yml --ask-vault-pass
When you build you deployment environment, ensure that you add `-e@/path/to/my-passwords.yml` to your call to ansible-playbook.
Doing this on an already running system is another matter entirely. It's possible, but will require more specific expertise around managing MySQL, MongoDB, RabbitMQ and ElasticSearch
Network Access
We strongly recommend that you review the ports that are exposed on your hosts regularly.
Running the following command from a host that is public from the point of view of your Open edX instance is useful
nmap -Pn -p- edx.mydomain.info
The fewer ports that are open the better. You should be concerned if more than 80 (http), 443 (https) and 22 (ssh) are open. Ideally 22, ssh, would also be limited to networks that you control.