More Info:

Determines if TCP port 50070 and 50470 for Hadoop/HDFS NameNode WebUI service is open to the public

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Hadoop HDFS Port Should Not Be Open” for GCP using GCP console, follow the below steps:
  1. Log in to your GCP console (https://console.cloud.google.com/).
  2. Select the project where the Hadoop HDFS port is open.
  3. Click on the “Navigation menu” on the top left corner and select “Compute Engine”.
  4. In the Compute Engine dashboard, click on “VM instances” to see all the instances.
  5. Select the instance where the Hadoop HDFS port is open.
  6. Click on the “Edit” button at the top of the page.
  7. Scroll down to the “Firewall” section and click on “Management, security, disks, networking, sole tenancy”.
  8. In the “Firewall” section, click on “Networking”.
  9. In the “Firewall rules” section, click on the “Edit” button next to the firewall rule that allows the Hadoop HDFS port.
  10. In the “Edit firewall rule” dialog box, change the “Action” to “Deny”.
  11. Click on the “Save” button to save the changes.
  12. Verify that the Hadoop HDFS port is no longer open by running a port scan on the instance.
By following these steps, you have successfully remediated the misconfiguration “Hadoop HDFS Port Should Not Be Open” for GCP using GCP console.

To remediate the misconfiguration “Hadoop HDFS Port Should Not Be Open” for GCP using GCP CLI, follow these steps:
  1. Open the Cloud Shell from the GCP console.
  2. Run the following command to list all the instances in your project: 
    gcloud compute instances list
  3. Identify the instance that has the Hadoop HDFS port open.
  4. Run the following command to SSH into the instance: 
    gcloud compute ssh [INSTANCE_NAME]
    Replace [INSTANCE_NAME] with the name of the instance.
  5. Once you are logged in to the instance, run the following command to stop the Hadoop HDFS service: 
    sudo systemctl stop hadoop-hdfs-datanode
  6. Run the following command to disable the Hadoop HDFS service: 
    sudo systemctl disable hadoop-hdfs-datanode
  7. Edit the Hadoop HDFS configuration file to remove the port configuration. The configuration file is usually located at /etc/hadoop/conf/hdfs-site.xml.
  8. Save the changes and exit the editor.
  9. Run the following command to start the Hadoop HDFS service: 
    sudo systemctl start hadoop-hdfs-datanode
  10. Finally, run the following command to enable the Hadoop HDFS service to start automatically on boot: 
    sudo systemctl enable hadoop-hdfs-datanode
  11. Exit the SSH session by running the following command: 
    exit
With these steps, you have successfully remediated the misconfiguration “Hadoop HDFS Port Should Not Be Open” for GCP using GCP CLI.
To remediate the Hadoop HDFS port being open in GCP using Python, follow these steps:
  1. Open the Google Cloud Console and navigate to the project that has the misconfiguration.
  2. Select the Compute Engine service from the left-hand menu.
  3. Select the VM instance that has the Hadoop HDFS port open.
  4. Click on the Edit button at the top of the page.
  5. Scroll down to the Firewall section and click on it.
  6. Click on the Add Firewall Rule button.
  7. In the Name field, enter a name for the firewall rule (e.g., “block-hadoop-hdfs-port”).
  8. In the Targets field, select the VM instance that has the Hadoop HDFS port open.
  9. In the Source IP ranges field, enter the IP addresses or ranges that should be blocked from accessing the Hadoop HDFS port. For example, you can enter “0.0.0.0/0” to block all IP addresses.
  10. In the Protocols and ports field, select “Specified protocols and ports” and enter the port number for the Hadoop HDFS port (default is 9000).
  11. Click on the Create button to create the firewall rule.
Once the firewall rule is created, it will block all incoming traffic to the Hadoop HDFS port from the specified IP addresses or ranges. This will remediate the misconfiguration and prevent unauthorized access to the Hadoop HDFS port.

Additional Reading: