FOG combines a web UI, PXE/TFTP, NFS, and imaging services. Harden it by isolating provisioning networks, restricting web admin access, and protecting image stores.
- Run DHCP/PXE/TFTP services on dedicated imaging VLANs.
- Do not expose FOG PXE services to general production networks.
- Restrict NFS image export to known imaging hosts only.
- Enforce firewall rules around TFTP/NFS/web ports.
- Enforce HTTPS for web UI and API access.
- Restrict admin login by IP/VPN where possible.
- Disable default credentials and enforce strong password policy.
- Limit admin roles and audit image deployment actions.
3) Protect image integrity and credentials
- Restrict /images permissions and ownership.
- Use checksums/signatures for golden images.
- Keep DB and API credentials in protected config files only.
- Back up images and DB with encryption and restore tests.
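
One way to apply the checksum item to a golden image directory, as an added example (not FOG project code). The function names, directory layout and file names are assumptions made for illustration, and GNU coreutils/findutils are assumed; signing the resulting manifest is a separate step not shown here.

```shell
#!/bin/sh
# Added example, not FOG project code. Requires GNU coreutils/findutils.
# Keep the manifest OUTSIDE the image directory (ideally off the FOG server),
# otherwise whoever can alter an image can also rewrite its checksums.

# make_manifest IMAGE_DIR MANIFEST: hash every file under IMAGE_DIR.
make_manifest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$2"
}

# verify_manifest IMAGE_DIR MANIFEST
# returns 0 = clean, 1 = modified or missing file, 2 = file not in manifest
verify_manifest() {
    # sha256sum -c fails on any changed or missing file and names it.
    ( cd "$1" && sha256sum --quiet -c - ) < "$2" >&2 || return 1
    # Everything listed exists, so any difference is an unlisted extra file.
    listed=$(sed 's/^[0-9a-f]\{64\}  //' "$2" | sort)
    present=$(cd "$1" && find . -type f | sort)
    [ "$listed" = "$present" ] && return 0
    echo "unlisted file(s) under $1" >&2
    return 2
}

# demo: constructed image directory (file names and contents are made up),
# changed after the manifest is written. Returns verify_manifest's status.
demo() {
    tmp=$(mktemp -d) || return 99
    mkdir "$tmp/golden-image" "$tmp/manifests"
    printf 'constructed boot record' > "$tmp/golden-image/d1.mbr"
    printf 'constructed partition data' > "$tmp/golden-image/d1p1.img"
    make_manifest "$tmp/golden-image" "$tmp/manifests/golden-image.sha256"
    printf 'modified' >> "$tmp/golden-image/d1p1.img"   # simulate a change
    verify_manifest "$tmp/golden-image" "$tmp/manifests/golden-image.sha256"
    status=$?
    rm -rf "$tmp"
    return "$status"
}

# CLI: script make|verify IMAGE_DIR MANIFEST, or script demo
case "${1:-}" in
    make)   make_manifest "$2" "$3" ;;
    verify) verify_manifest "$2" "$3" ;;
    demo)   demo ;;
esac
```

Running the verify step before each deployment, and alerting on any non-zero status, turns the manifest into a routine integrity gate rather than a one-off check.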
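Verification commands

```bash
# Listening sockets on the web, TFTP, NFS and rpcbind ports (exact port match)
sudo ss -tulpn | grep -E ':(80|443|69|2049|111)[[:space:]]'
# Ownership and mode of the image store
ls -ld /images /images/dev 2>/dev/null
# Where FOG credentials are defined (output includes the stored values)
grep -R "FOG_.*PASSWORD\|FOG_.*USER" /opt/fog /var/www/fog/lib/fog 2>/dev/null | head
```
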
- FOG project docs/wiki: https://wiki.fogproject.org/
- FOG source repository: https://github.com/FOGProject/fogproject
- FOG release notes: https://github.com/FOGProject/fogproject/releases