Hadoop HDFS NameNode Metadata Service Port Should Not Be Open

More Info:

Determines if TCP port 8020 for HDFS NameNode metadata service is open to the public.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Hadoop HDFS NameNode Metadata Service Port Should Not Be Open” for GCP using GCP CLI, please follow the below steps:

Open the Cloud Shell from the GCP console.
Run the following command to get the list of all the Compute Engine instances in your project:

gcloud compute instances list

Identify the instance where the Hadoop HDFS NameNode Metadata Service Port is open.
SSH into the instance using the following command:

gcloud compute ssh [INSTANCE_NAME]

Edit the Hadoop configuration file hdfs-site.xml using the following command:

sudo nano /etc/hadoop/conf/hdfs-site.xml

Add the following property to the file:

<property>
  <name>dfs.namenode.rpc-bind-host</name>
  <value>127.0.0.1</value>
</property>

This will bind the Hadoop HDFS NameNode to the loopback IP address and prevent it from being accessible from the network.

Save and exit the file.
Restart the Hadoop HDFS NameNode service using the following command:

sudo systemctl restart hadoop-hdfs-namenode.service

Verify that the Hadoop HDFS NameNode Metadata Service Port is no longer open by running the following command:

sudo lsof -i :8020

This should not return any output.

Exit the SSH session using the following command:

exit

By following these steps, you can remediate the misconfiguration “Hadoop HDFS NameNode Metadata Service Port Should Not Be Open” for GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Hadoop HDFS NameNode Metadata Service Port Should Not Be Open” on GCP, you can follow the below steps using Python:

First, you need to authenticate with GCP using the Python SDK. You can do this by installing the google-cloud-sdk and running the command gcloud auth application-default login. This will authenticate you with your GCP account.
Next, you need to get a list of all the instances in your GCP project. You can do this by using the google-cloud-sdk command gcloud compute instances list or by using the Python SDK. Here’s the Python code to get a list of all the instances:

from google.cloud import compute_v1

client = compute_v1.InstancesClient()

project = 'your-project-id'

zones = ['us-central1-a', 'us-central1-b', 'us-central1-c']

instances = []

for zone in zones:
    result = client.list(project=project, zone=zone)
    for instance in result:
        instances.append(instance)

Once you have a list of all the instances, you need to check if the Hadoop HDFS NameNode Metadata Service Port is open on any of them. You can do this by using the socket library in Python. Here’s the Python code to check if the port is open:

import socket

def is_port_open(ip, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((ip, port))
        s.shutdown(socket.SHUT_RDWR)
        return True
    except:
        return False
    finally:
        s.close()

port = 8020

for instance in instances:
    ip = instance.network_interfaces[0].network_ip
    if is_port_open(ip, port):
        print(f"Port {port} is open on instance {instance.name}.")

If the Hadoop HDFS NameNode Metadata Service Port is open on any instance, you need to close it. You can do this by creating a firewall rule to block traffic on that port. Here’s the Python code to create a firewall rule:

from google.cloud import compute_v1

client = compute_v1.FirewallsClient()

project = 'your-project-id'

firewall_rule_name = 'block-hadoop-port'

network_name = 'default'

direction = 'INGRESS'

priority = 1000

ip_protocol = 'tcp'

port = 8020

target_tags = ['hadoop']

firewall_rule = {
    'name': firewall_rule_name,
    'network': f'projects/{project}/global/networks/{network_name}',
    'direction': direction,
    'priority': priority,
    'sourceRanges': ['0.0.0.0/0'],
    'targetTags': target_tags,
    'allowed': [{
        'IPProtocol': ip_protocol,
        'ports': [str(port)]
    }]
}

operation = client.insert(project=project, firewall_resource=firewall_rule)

print(f"Created firewall rule {firewall_rule_name}.")

Finally, you need to apply the hadoop tag to all the instances running Hadoop. You can do this by using the Python SDK. Here’s the Python code to apply the tag:

from google.cloud import compute_v1

client = compute_v1.InstancesClient()

project = 'your-project-id'

zones = ['us-central1-a', 'us-central1-b', 'us-central1-c']

tag = 'hadoop'

for zone in zones:
    result = client.list(project=project, zone=zone)
    for instance in result:
        if 'hadoop' in instance.tags.items:
            continue
        instance.tags.items.append(tag)
        operation = client.update(project=project, zone=zone, instance=instance.name, instance_resource=instance)

print(f"Applied tag {tag} to all Hadoop instances.")

By following these steps, you can remediate the misconfiguration “Hadoop HDFS NameNode Metadata Service Port Should Not Be Open” on GCP using Python.

Additional Reading:

https://cloud.google.com/vpc/docs/using-firewalls

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Hadoop HDFS NameNode Metadata Service Port Should Not Be Open

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: