Eyeglass & Search & Recover Security Hardening Guide

Abstract:

This technical note is a guide to security hardening for the Eyeglass appliance and the Search & Recover web UI.


Securing Eyeglass 

  1. Before scanning the appliance with security tools the following steps must be taken:
    1. Upgrade to the latest OVA operating system using backup and restore, so that the web server is deployed with the default hardening configuration. See the Upgrade guide and follow the backup and restore steps.
    2. Patch the operating system (requires internet access from the appliance to the OS repositories):
      1. Login to Eyeglass as the admin user
      2. sudo -s  (enter the admin password)
      3. zypper refresh  (refreshes the package repositories)
      4. zypper update  (applies patches)
      5. Review any messages indicating that a reboot is required for the update to take effect
    3. Review the Eyeglass service account on the cluster and make sure its permissions match the documented minimum privileges, with nothing beyond them
      1. Reference: Isilon Cluster User Minimum Privileges for Eyeglass

    Web Server HTTP Hardening Directives for Eyeglass and Search & Recover

    1. This section gives the web server directives that add hardening HTTP response headers to the Eyeglass and Search & Recover web UIs.
    2. Eyeglass WebUI
      1. Eyeglass lighttpd response header fix
      2. Login as admin
      3. sudo -s (enter the admin password)
      4. vim /etc/lighttpd/lighttpd.conf
        1. Add the following entries inside the SERVER 443 block, in the setenv.add-response-header = ( ... ) list that sets response headers (mod_setenv; if the block has no such list yet, wrap the entries in one), and save the file with :wq
          "Strict-Transport-Security" => "max-age=15768000",
          "Content-Security-Policy" => "frame-ancestors 'self';",
          "X-Content-Type-Options" => "nosniff",
          "X-Frame-Options" => "DENY",
          "X-XSS-Protection" => "1; mode=block"

          NOTE: browsers that understand Content-Security-Policy enforce its frame-ancestors directive and ignore X-Frame-Options, so current browsers still allow same-origin framing while older browsers get DENY. X-XSS-Protection is a legacy header that current browsers ignore; it is harmless to keep for older ones.

        2. systemctl restart lighttpd.service

        3. Verify with Google Chrome Developer tools (Network tab, select the page request and check Response Headers) that all five headers are returned

    3. Search & Recover Web UI
      1. Login to Search & Recover over ssh as ecaadmin
      2. vim /opt/superna/eca/conf/nginx/eca.conf
      3. Add the following inside the server 443 block
        1. add_header Strict-Transport-Security "max-age=15768000";
          add_header Content-Security-Policy "frame-ancestors 'self';";
          add_header X-Content-Type-Options "nosniff";
          add_header X-Frame-Options "DENY";
          add_header X-XSS-Protection "1; mode=block";
          ssl_protocols TLSv1.2 TLSv1.3;

          NOTE: nginx add_header directives are inherited by a location block only if that location sets no add_header of its own. If a location block in eca.conf already contains add_header lines, repeat the five header lines there as well, otherwise responses served from that location will lack them.

      4. Push the config to all nodes
        1. ecactl cluster push-config
      5. Restart the containers to read the new configuration
        1. ecactl cluster exec "ecactl containers restart nginx"
      6. Verify with Google Chrome Developer tools (Network tab, Response Headers), and confirm that TLS 1.0 and TLS 1.1 connections are now refused
      7. Done
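Both verification steps above (the lighttpd WebUI and the Search & Recover nginx) can be done from the command line instead of the browser. The script below is an added example, not from the Superna guide: it reads a raw HTTP response header block on stdin and reports which of the five hardening headers are missing. The host name in the usage comment, the function name and the two sample responses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Superna guide): check the hardening headers from
# the shell. On a live appliance feed it the response headers (host name is a
# placeholder; -k only because appliances commonly ship a self-signed cert):
#   curl -skI https://eyeglass.example.com/ | check_security_headers

# Required header and the value prefix it must carry, one per line, lower-case.
# Content-Security-Policy is checked for its frame-ancestors directive only.
REQUIRED_HEADERS='strict-transport-security:max-age=
content-security-policy:frame-ancestors
x-content-type-options:nosniff
x-frame-options:deny
x-xss-protection:1; mode=block'

# check_security_headers: read raw HTTP response headers on stdin, print one
# line per required header (ok / MISSING), return 0 only when all are present.
check_security_headers() {
    # Normalise to "|name:value" with name and value lower-cased and leading
    # blanks of the value removed; the "|" marks the line start so the
    # fixed-string grep below cannot match inside another header's value.
    normalised=$(tr -d '\r' | awk '
        /^[A-Za-z][A-Za-z0-9-]*:/ {
            i = index($0, ":")
            value = substr($0, i + 1)
            sub(/^[ \t]+/, "", value)
            print "|" tolower(substr($0, 1, i - 1)) ":" tolower(value)
        }')
    status=0
    old_ifs=$IFS
    IFS='
'
    for required in $REQUIRED_HEADERS; do
        name=${required%%:*}
        if printf '%s\n' "$normalised" | grep -qF -- "|$required"; then
            echo "ok      $name"
        else
            echo "MISSING $name (expected value starting with: ${required#*:})"
            status=1
        fi
    done
    IFS=$old_ifs
    return $status
}

# Constructed sample responses (not captured from a real appliance): one as the
# guide's directives produce it, one as an unconfigured server answers.
SAMPLE_HARDENED=$(cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=15768000
Content-Security-Policy: frame-ancestors 'self';
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
EOF
)

SAMPLE_DEFAULT=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: lighttpd
Content-Type: text/html
EOF
)
```

Header names are compared case-insensitively, as HTTP requires. The TLS change in the nginx section is not visible in headers; check it separately with openssl s_client -connect <host>:443 -tls1_1 </dev/null, which must fail to negotiate once only TLSv1.2 and TLSv1.3 are allowed.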






    Hardening Password Complexity

    Follow these steps to enable local password complexity rules for the builtin users admin, auditor and rwdefend. NOTE: these settings only apply to the local OS users. If RBAC proxy login to Isilon or AD is used, configure password complexity with the password features of Isilon or AD instead.

    The rules are pam_cracklib options. A negative value such as -1 means the password MUST contain at least that many characters of the class (-2 would require two); a positive value does not require the class but lets characters of it count as extra length toward minlen. Use the definitions below to customize the example provided.

    • Minimum password length should be x characters
      • value minlen
    • Password must have one UPPERCASE character
      • value ucredit
    • Password must have one LOWERCASE character
      • value lcredit
    • Password must have one numeric character
      • value dcredit
    • Password must have one special character
      • value ocredit
    • Number of previous passwords to remember (password history), so they cannot be reused
      • value pwhistory-remember
    • Accounts should be locked out after repeated bad login attempts; see the next section, which blocks the source IP of the machine after failed local logins using fail2ban and firewall rules.



    1. Login as admin
    2. sudo -s
    3. Enter the admin password
    4. zypper install pam-modules  (this requires internet access to install the additional PAM modules)
    5. Answer yes to install the new modules
    6. cd /etc/pam.d/
    7. cp common-password common-password.bak  (backup of the old password rules file)
    8. pam-config -a --cracklib --cracklib-minlen=6 --cracklib-lcredit=-1 --cracklib-ucredit=-1 --cracklib-dcredit=-1 --cracklib-ocredit=-1 --pwhistory --pwhistory-use_authtok --pwhistory-remember=3
      1. See the definitions above for each value to customize; minlen=6 is only the example value, raise it to match your password policy
      2. This regenerates the common-password file with the cracklib and pwhistory lines
      3. From then on, users changing their password must choose one that matches these rules (pam_cracklib also rejects dictionary words). NOTE: the root user can set a password for a user account that does not match these rules, so test the rules by changing a password as a non-root user.
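To sanity-check a set of minlen and credit values before applying them with pam-config, the function below models how pam_cracklib interprets them. It is an added example, not from the Superna guide or the PAM project, and it is deliberately simplified: it covers only length and the four character-class credits, not the dictionary or similarity checks the real module also performs. The function name and the sample passwords are the example's own.

```shell
#!/bin/sh
# Added example (not from the Superna guide): a simplified model of how
# pam_cracklib interprets minlen and the four credit values, so the numbers
# passed to pam-config can be sanity-checked before changing PAM. The real
# module also rejects dictionary words and applies other checks; this only
# models length and character-class credits.
#
# password_meets_policy PASSWORD [MINLEN] [LCREDIT] [UCREDIT] [DCREDIT] [OCREDIT]
#   credit < 0 : at least (-credit) characters of that class are REQUIRED
#   credit >= 0: each character of that class, up to credit, adds one to the
#                effective length that is compared against minlen
# Defaults are the guide's example: minlen 6, every credit -1.
# Returns 0 when the password satisfies the policy, 1 otherwise.
password_meets_policy() {
    pw=$1 minlen=${2:-6} lcredit=${3:--1} ucredit=${4:--1} dcredit=${5:--1} ocredit=${6:--1}
    length=${#pw}
    lower=$(printf '%s' "$pw" | tr -cd '[:lower:]' | wc -c)
    upper=$(printf '%s' "$pw" | tr -cd '[:upper:]' | wc -c)
    digits=$(printf '%s' "$pw" | tr -cd '[:digit:]' | wc -c)
    # arithmetic expansion strips the padding some wc implementations print
    lower=$((lower)); upper=$((upper)); digits=$((digits))
    # everything that is not a letter or digit counts as a special character
    other=$((length - lower - upper - digits))

    credit=0
    for rule in "$lcredit:$lower" "$ucredit:$upper" "$dcredit:$digits" "$ocredit:$other"; do
        want=${rule%%:*}
        have=${rule#*:}
        if [ "$want" -lt 0 ]; then
            # required class: reject outright if too few characters of it
            [ "$have" -ge $((-want)) ] || return 1
        elif [ "$have" -lt "$want" ]; then
            credit=$((credit + have))
        else
            credit=$((credit + want))
        fi
    done
    [ $((length + credit)) -ge "$minlen" ]
}

# Example calls with constructed passwords:
#   password_meets_policy 'Passw0rd!'            -> 0 (all four classes, 9 chars)
#   password_meets_policy 'password1!'           -> 1 (no uppercase, required by -1)
#   password_meets_policy 'abcd1' 6 0 0 1 0      -> 0 (5 chars + 1 digit credit = 6)
```

With the guide's all-negative values no credits are awarded, so minlen is the real minimum length; positive credits are the case where a short password can pass by containing the credited classes, which is why the guide's example keeps them negative.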



    Banning local user accounts after repeated failed login attempts

    The appliance has several local users, admin, auditor and rwdefend, used for the builtin roles of the different products. NOTE: the root user password is randomized; leave it randomized and use sudo from the admin account for root access.

    To ban users that attempt brute force logins, the following appliance enhancement gives control of lockouts and timed lockouts. It sets up firewall rules to block the IP of the source machine, so a ban covers ssh access and https to the WebUI from that address. NOTE: if proxy login to AD or Isilon local users is used through the RBAC features, failed logins by those users are banned in the same way. Because the ban is by source IP, every user behind the same NAT or proxy address is blocked together.

    1. Login as admin
    2. sudo -s
    3. Enter the admin password
    4. zypper install fail2ban  (requires Internet access from the appliance)
    5. systemctl enable fail2ban  (so the service starts again after a reboot)
    6. systemctl start fail2ban


    Configuration Steps

    Highlevel:

    • add an 'eyeglass' custom filter file in the /etc/fail2ban/filter.d/ directory
    • enable the sshd and eyeglass jails from /etc/fail2ban/jail.local
    • modify /etc/fail2ban/jail.conf to add the 'eyeglass' section (port and log path)
    1. vim /etc/fail2ban/filter.d/eyeglass.conf     (add the contents below to the file and save the file with :wq)
      1. # Fail2ban filter for Superna Eyeglass
        #
        # Matches a lighttpd access log line for a POST to the Eyeglass login
        # endpoint that returned status 500, which is what a failed login logs.
        # <HOST> is the client address (first field); the second field is the
        # address the client used to reach the WebUI and must be an IPv4 address
        # for the line to match.

        [INCLUDES]

        before = common.conf

        [Definition]

        failregex = <HOST> \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b - \[.* "POST /RestClient/login/login HTTP/1.1" 500

        ignoreregex =
    2. vim /etc/fail2ban/jail.local
      1. Add the following to this file. The [DEFAULT] values apply to every enabled jail and override jail.conf's own defaults (for example findtime 600); ignoreip keeps the appliance from banning itself.
        1. [DEFAULT]
          ignoreip = 127.0.0.1/8
          bantime = 300
          findtime = 300
          maxretry = 3

          [sshd]
          enabled = true

          [eyeglass]
          enabled = true

      2. Modify the /etc/fail2ban/filter.d/sshd.conf file to comment out the lines matching the pattern
        1. sed -i '/spam_unix/s/^/#/g' /etc/fail2ban/filter.d/sshd.conf
      3. Modify /etc/fail2ban/jail.conf to add the eyeglass jail section (port and log path) after the "HTTP servers" marker
        1. sed -i "/HTTP servers/a[eyeglass]\n \nport = http,https\nlogpath = /var/log/lighttpd/access.log" /etc/fail2ban/jail.conf
        2. NOTE: jail.conf is overwritten when the fail2ban package is updated. Re-check that the [eyeglass] section is still present after each update, or put the port and logpath lines under [eyeglass] in jail.local instead, where they survive updates.
      4. Restart the service
        1. systemctl restart fail2ban
        2. Check status
        3. systemctl status fail2ban
        4. fail2ban-client status eyeglass  (shows that the jail is running, the log file it watches and any banned addresses)
      5. Optional - change bantime in jail.local from the 300 seconds above to a value that meets your requirements
      6. Optional - change findtime in jail.local from the 300 seconds above to a value that meets your requirements (a host is banned if it has generated "maxretry" failures during the last "findtime" seconds)
      7. Optional - change maxretry in jail.local from the 3 above to a value that meets your requirements
    3. Save the file after changes with :wq
    4. Done.
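Before enabling the jail it is worth seeing what the eyeglass failregex actually counts. The script below is an added example, not from the Superna guide or from fail2ban: it translates the guide's failregex into a POSIX extended regular expression and runs it over constructed lighttpd access log lines, reporting every client address with at least maxretry failed logins. The log lines, addresses and function name are the example's own; the authoritative check on the appliance is fail2ban-regex against the real log, shown in the comments.

```shell
#!/bin/sh
# Added example (not from the Superna guide): run the guide's eyeglass
# failregex over access-log lines offline to see which client addresses it
# would count, before enabling the jail. On the appliance the authoritative
# test is fail2ban's own tool against the real log:
#   fail2ban-regex /var/log/lighttpd/access.log /etc/fail2ban/filter.d/eyeglass.conf

# fail2ban's <HOST> placeholder, reduced to IPv4 for this example (the real
# placeholder also matches IPv6 addresses and host names).
IPV4='[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'

# The guide's failregex as a POSIX ERE: <HOST> substituted, anchored to the
# line start because the client address is the first field, and the \b word
# boundaries dropped because the surrounding spaces already delimit the fields.
FAIL_RE="^${IPV4} ${IPV4} - \[.* \"POST /RestClient/login/login HTTP/1.1\" 500"

# failed_login_hosts [MAXRETRY]: read access-log lines on stdin and print
# "count address" for each client with at least MAXRETRY (default 3) failed
# logins. findtime is ignored here; fail2ban only counts hits inside that window.
failed_login_hosts() {
    grep -E "$FAIL_RE" | awk -v max="${1:-3}" '
        { hits[$1]++ }
        END { for (h in hits) if (hits[h] >= max) print hits[h], h }' | sort -k2
}

# Constructed log lines in lighttpd's default access-log layout (client, host
# the client used, user, time, request, status, bytes, referer, agent). Not
# from a real appliance. Lines 1-3: three failed logins from one client.
# Line 4: a successful login (200) is not counted. Line 5: a 500 on another
# path is not counted. Line 6: the client reached the WebUI by DNS name, so
# the second field is not an IPv4 address and the guide's regex does not match.
SAMPLE_ACCESS_LOG=$(cat <<'EOF'
203.0.113.7 192.0.2.10 - [12/Mar/2024:10:15:01 +0000] "POST /RestClient/login/login HTTP/1.1" 500 97 "-" "Mozilla/5.0"
203.0.113.7 192.0.2.10 - [12/Mar/2024:10:15:04 +0000] "POST /RestClient/login/login HTTP/1.1" 500 97 "-" "Mozilla/5.0"
203.0.113.7 192.0.2.10 - [12/Mar/2024:10:15:09 +0000] "POST /RestClient/login/login HTTP/1.1" 500 97 "-" "Mozilla/5.0"
198.51.100.4 192.0.2.10 - [12/Mar/2024:10:16:00 +0000] "POST /RestClient/login/login HTTP/1.1" 200 311 "-" "Mozilla/5.0"
198.51.100.4 192.0.2.10 - [12/Mar/2024:10:16:20 +0000] "GET /RestClient/status HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.9 eyeglass.example.com - [12/Mar/2024:10:17:00 +0000] "POST /RestClient/login/login HTTP/1.1" 500 97 "-" "curl/8.0"
EOF
)

# Usage on the constructed sample:
#   printf '%s\n' "$SAMPLE_ACCESS_LOG" | failed_login_hosts 3
# prints "3 203.0.113.7"; with 4 it prints nothing.
```

The sixth sample line is the case to check on your own appliance: if users reach the WebUI by host name and lighttpd logs that name in the second field, those failed logins are never counted by this filter. Confirm with fail2ban-regex on the real access.log that the match count equals the number of failed logins you expect.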




    Copyright Superna LLC