
Securing ClusterControl

Firewall and Security Group

Depending on the deployment options, ClusterControl might disable firewalls to minimize the possibility of failure during cluster deployment. Once deployment is complete, it is important to secure the ClusterControl node and the database cluster. We recommend isolating the database infrastructure from the public Internet and allowing only known hosts or networks to connect to the database cluster.

ClusterControl requires ports used by the following services to be opened/enabled:

  • ICMP (echo reply/request)
  • SSH (default is 22)
  • HTTP (default is 80)
  • HTTPS (default is 443)
  • MySQL (default is 3306)
  • CMON RPC (default is 9500)
  • CMON RPC-TLS (default is 9501)
  • CMON Events (default is 9510)
  • CMON SSH (default is 9511)
  • CMON Cloud (default is 9518)
  • Streaming port for database backup through netcat/socat (default is 9999)


SSH is critical for ClusterControl. The ClusterControl server must be able to SSH to the other nodes in the cluster without a password, so the database nodes must accept connections on the SSH port configured in the CMON configuration file. The following best practices are recommended:

  • Permit very few people in the organization to access the servers. The fewer the better.
  • Lock down SSH access so that it is not possible to SSH into the nodes from any server other than the ClusterControl server.
  • Lock down the ClusterControl server so that it is not possible to SSH into it directly from the outside world.

File Permission

CMON configuration and log files contain sensitive information, e.g. mysql_password or sudo, where the user's password is stored. Ensure that the CMON configuration files, e.g. /etc/cmon.cnf and /etc/cmon.d/cmon_{clusterid}.cnf (if it exists), have permission 700 and the CMON log files, e.g. /var/log/cmon.log and /var/log/cmon_{clusterid}.log, have permission 740, and that all of them are owned by root.
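
One way to verify these settings is the audit script below. It is an added example, not part of ClusterControl, and it checks the modes and ownership given in this section. It assumes GNU coreutils stat; the function names and the PREFIX argument are hypothetical helpers.

```sh
#!/bin/sh
# Added example, not ClusterControl's own tooling.
# Assumes GNU coreutils stat (-c/-L). Paths, modes and owner are the ones
# this section recommends.

# check_file FILE WANT_MODE WANT_OWNER
# Returns 0 on match, 1 on a mode/owner mismatch, 2 if FILE does not exist.
check_file() {
    file=$1; want_mode=$2; want_owner=$3
    [ -e "$file" ] || { echo "SKIP $file (not present)"; return 2; }
    # -L follows symlinks so the target's mode and owner are what is checked.
    actual=$(stat -L -c '%a %U' -- "$file") || return 1
    if [ "$actual" = "$want_mode $want_owner" ]; then
        echo "OK   $file ($actual)"
        return 0
    fi
    echo "FAIL $file is '$actual', want '$want_mode $want_owner'"
    return 1
}

# audit_cmon [PREFIX] [OWNER]
# PREFIX (hypothetical helper argument) lets the audit run against a copy of
# the tree; OWNER defaults to root as this section requires.
# Returns 0 when every file that is present matches, 1 otherwise.
audit_cmon() {
    prefix=${1:-}; owner=${2:-root}; bad=0
    # An unmatched glob stays literal and is reported as SKIP by check_file.
    for f in "$prefix/etc/cmon.cnf" "$prefix"/etc/cmon.d/cmon_*.cnf; do
        # Status 2 (absent) is not a finding; status 1 is.
        check_file "$f" 700 "$owner" || [ $? -eq 2 ] || bad=1
    done
    for f in "$prefix/var/log/cmon.log" "$prefix"/var/log/cmon_*.log; do
        check_file "$f" 740 "$owner" || [ $? -eq 2 ] || bad=1
    done
    return "$bad"
}

# Audit the live system only when asked: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit_cmon; fi
```

Run it as root with --run; a non-zero exit status means at least one file deviates from the recommended mode or owner.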


By default, the installation script installs and configures a self-signed certificate for the ClusterControl UI. You can access it by pointing your browser to https://{ClusterControl_host}/clustercontrol. If you would like to use your own SSL certificate (e.g. https://secure.yourdomain.com/clustercontrol), replace the key and certificate paths inside Apache's SSL configuration file and restart the Apache daemon. Make sure the server's hostname matches the SSL Common Name that you would like to use.
