Security Protection
To ensure system security, please pay close attention to and implement the following points. ⚠️⚠️⚠️
Limit unnecessary access
Limit unnecessary access to ensure server security.
The HAP system deployment relies on a management tool that listens on port 38881 by default. This port is used for initial installation and provides functions like online upgrades and system restarts. Generally, except for system administrators, port 38881 should not be accessed by others. Therefore, after deployment, it is recommended to set an access policy for port 38881.
If external client software needs to connect to and access the storage components, ensure that exposed ports are controlled via a whitelist, especially in cases where cloud servers are deployed. Exposing commonly used ports (e.g., MySQL: 3306, MongoDB: 27017) to the internet, combined with weak passwords, can make the system highly insecure. In such cases, not only is data leakage likely, but the system is also vulnerable to hacker attacks. Hackers may delete database data (often leaving a README file asking for payment to recover the data).
Use Strong Passwords
Regularly change complex passwords to prevent them from being cracked.
This applies to server authentication passwords and those used to connect to storage components, such as MySQL, MongoDB, Redis, etc. It is also important to strengthen protection for any externally exposed ports. In single-node deployment mode, refer to the Database Strong Password Configuration for guidance.
Encrypt Data
Enable HTTPS and other encryption protocols to prevent data from being intercepted during transmission.
Regular Backups
Automate the backup of system data to ensure it is recoverable and to prevent data loss.
In single-node deployment mode, refer to HAP's backup method for backup procedures. Additionally, it is recommended to take regular snapshots of the server.
In cluster deployment mode, regularly back up the data directories of both the data storage servers and middleware servers. It is also recommended to take regular snapshots of these servers. If the system is deployed by the HAP implementation team, the delivery documentation provided by HAP will specify the data directories.
Vulnerability Patching
Update the system promptly and regularly apply patches to reduce security risks.
Monitoring and Alerts
Configure anomaly detection and alerting systems to promptly detect potential threats and take necessary actions.
DDoS Protection
If possible, enable DDoS protection to prevent malicious traffic attacks, ensuring better business continuity.