Mender server production security?

I’ve run through the production install a few times and successfully updated clients etc… So I’m interested in keeping it around, but I don’t see any information on securing the production server… I’m new to Docker so I’m not sure how vulnerable to attacks they are. After installation on a test server I successfully attached clients and pushed updates… I had other things to do; 3 days later I saw it was turned off by my VPS host due to exceeding the 5000GB limit, which also caused the IP to become banned. I had to destroy the server so I don’t know what caused it. It was a fresh install and had an artifact that was less than 2MB, so I figure it must have been hacked… The weirdest thing I ran into was after installing it on a second server with a new IP address and a matching DNS A record successfully… After a few days the IP address became unreachable (blacklisted)… I figure it must need better iptables rules. I know I have sshd locked down well with fail2ban as well, so I assume it must have to do with Docker wanting to leave the iptables forwarding set to accept all.

Any advice for securing iptables?
Any advice for connecting fail2ban with the Mender server production logs?

Thx for taking the time to help

Hi @john welcome to Mender Hub.

I’m not able to provide any specific advice on iptables; hopefully others with more expertise can provide some guidance. The Mender Server only needs external connections on ports 443 and 9000, so you can lock the system down pretty tightly if it’s not used for anything else.

There are two sets of polling with devices that happen with Mender. The number of devices in your fleet, the polling intervals set, and the amount of device inventory that is returned will all affect the amount of usage independent of actual OTA deployments. That said, 5000GB seems like an awful lot.

My gut is that something other than Mender is using up your bandwidth but I obviously don’t have any hard data to back that up. Is there anything you can enable on the server to track usage?

Drew
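A concrete starting point for the iptables question, as an added example rather than anything from the thread or the Mender project: it admits only the two ports Drew names (443 and 9000) to the Docker containers and SSH to the host. It assumes the external interface is eth0, SSH listens on 22, and Docker's DOCKER-USER chain is present; Docker DNATs published ports before FORWARD, so the rules match the original destination port with `--ctorigdstport` instead of `--dport`.

```bash
#!/bin/sh
# Added example (not from the thread): firewall rules for a Docker-hosted
# Mender Server that only admit ports 443 and 9000 to containers, plus SSH
# to the host. Assumed: external interface eth0, SSH on 22, DOCKER-USER chain.

EXT_IF="${EXT_IF:-eth0}"
MENDER_PORTS="${MENDER_PORTS:-443 9000}"
SSH_PORT="${SSH_PORT:-22}"

# Rules for traffic forwarded into containers. They are inserted at increasing
# indexes so they keep their order and all sit ahead of Docker's default RETURN.
# Docker publishes ports via DNAT before FORWARD, so --dport would see the
# container port; --ctorigdstport matches the port the client connected to.
docker_user_rules() {
    ifc="$1"; ports="$2"; n=1
    emit() { echo "iptables -I DOCKER-USER $n $*"; n=$((n + 1)); }
    emit -i "$ifc" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
    for p in $ports; do
        emit -i "$ifc" -p tcp -m conntrack --ctorigdstport "$p" --ctdir ORIGINAL -j RETURN
    done
    emit -i "$ifc" -j DROP   # everything else arriving from outside for containers
}

# Rules for traffic addressed to the host itself. Docker's published ports do
# not pass through INPUT, so SSH is handled here; the DROP policy is set last
# so an existing admin session is never cut off while the rules load.
host_input_rules() {
    ifc="$1"; ssh="$2"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $ifc -p tcp --dport $ssh -j ACCEPT"
    echo "iptables -P INPUT DROP"
}

all_rules() {
    docker_user_rules "$EXT_IF" "$MENDER_PORTS"
    host_input_rules "$EXT_IF" "$SSH_PORT"
}

# Print the rules for review by default; apply them only when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    all_rules | while IFS= read -r cmd; do $cmd; done
else
    all_rules
fi
```

Run without arguments to review the generated rules, then with `--apply` as root once they look right for your host.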

Well, unfortunately the server was destroyed… I figured Mender shouldn’t have caused the 5000GB transfer… So when I get a chance I will share the iptables rules I come up with… Does anyone know where the user auth logs for Mender production are, so fail2ban can scan them?

Wondering if you managed to solve this on your own or if it is still something that you need help with?