Security Hardening for OS and Web Portal - Revision history

Luc Morissette: Updated for ProSBC

2019-12-19T21:06:40Z

Updated for ProSBC

Cbilodeau: remove TSBC5000

2017-10-19T20:26:54Z

remove TSBC5000

Luc Morissette: Updated some details and links

2017-08-16T20:38:16Z

Updated some details and links

William Wong at 05:43, 24 July 2017

2017-07-24T05:43:25Z

William Wong at 05:41, 24 July 2017

2017-07-24T05:41:02Z

William Wong: /* Tsbc */

2017-07-24T05:15:50Z

Tsbc

William Wong: /* Tsbc */

2017-07-24T05:14:59Z

Tsbc

William Wong: /* Tsbc */

2017-07-24T05:07:31Z

Tsbc

William Wong: /* Tsbc */

2017-07-24T05:01:09Z

Tsbc

William Wong: /* CentOS Update for New Packages */

2017-07-24T04:59:23Z

CentOS Update for New Packages

@@ Line 44: / Line 44: @@
 * See [[Toolpack:System Settings C#Access_and_User_Management|Access and User Management]] for configuration
-= Tsbc =
+= SBC =
-* TSBC products follow the same security hardening practices for ''SSH Access Security'', ''CentOS Update for New Packages'', and ''Web Portal Access Security'' (see [[Toolpack:Tsbc System Settings 3.0|Tsbc System Settings 3.0]]) of Tmedia/Tsig/Tdev above.
+* FreeSBC and ProSBC products follow the same security hardening practices for ''SSH Access Security'', ''CentOS Update for New Packages'', and ''Web Portal Access Security'' (see [[Toolpack:Tsbc System Settings 3.0|Tsbc System Settings 3.0]]) of Tmedia/Tsig/Tdev above.
-* Web portal (host interfaces), ssh (when enabled and managed by web), SNMP service (host interfaces) are firewall protected through tbrouter within TSBC.
+* Web portal (host interfaces), ssh (when enabled and managed by web), SNMP service (host interfaces) are firewall protected within SBC.
-* Web portal/SSH/SNMP access ports refer to LAN/WAN ports that have sevice defined for management such as OAMP/NAT or FIXED MANAGEMENT.
+* Web portal/SSH/SNMP access ports refer to LAN/WAN ports that have device defined for management such as OAMP/NAT or FIXED MANAGEMENT.
 * Physical management port (mgmt) should be used for serial connection or put in a private LAN environment at all times for maintenance purpose only if needed.

@@ Line 6: / Line 6: @@
 * Tdev Linux server with (CentOS, RedHat, etc) running Toolpack software
 * TSBC-SW/TSBC-HW-SRV-HIGH/TSBC-HW-SRV-MID
 = Introduction =

@@ Line 15: / Line 15: @@
 == Management Port Protection ==
 * Keep the management port in a protected environment (behind a firewall). See [[Firewall]]. Note that Mysql port 3306 is for internal use only, this should not be allowed for external access.
-* Iptables could be used to set up rules for management interface to allow only necessary protocols and ports required for access and operation of Telcobridges system.
+* Iptables could be used to set up rules for management interface to allow only necessary protocols and ports required for access and operation of Telcobridges system. Please check here: [[Centos_syslog_redirect#Firewall_rules_to_the_management_port|Firewall rules on management port]]
 * Other ports do not have access to the OS (unless configured on the web portal). Normally, other ports on the system are configured with services other than management such as OAMP/NAT or FIXED MANAGEMENT.
-* For example, Voip0 is configured with SIP and RTP, and this port will care for these specific protocols only and discard the rest of the traffic.
+** For example, Voip0 is configured with SIP and RTP, and this port will care for these specific protocols only and discard the rest of the traffic.
-* For configuring port IP interface setting and services, see example of  [[Toolpack:Configuring VoIP Interfaces D|VOIP port IP interface configuration]] and [[Parameter: Services to use|Services to use]].
+** For configuring port IP interface setting and services, see example of  [[Toolpack:Configuring VoIP Interfaces D|VOIP port IP interface configuration]] and [[Parameter: Services to use|Services to use]].
 * In normal operation, only default Mgmt port, or a dedicated Ethernet port on external host server, should be used for management access. SIP/RTP/SIGTRAN or RADIUS/H248 together or separate, could be used on voip0/voip1/eth0/eth1.
 == SSH Access Security ==
-* Use a strong password for the SSH access. Default password is quite a strong password that including alpanumerical and symbol characters, in lengthy number. See [[How to change host password on Linux]]
+* Use a strong password for the SSH access. Default password is a strong password that includes alphanumerical and symbol characters. This password can be chaged: see [[How to change host password on Linux]]
 == CentOS Update for New Packages ==
-* Keep system CentOS with database /and Ruby up to date as needed, using yum update or through web portal by doing upgrade linux packages, see [[Upgrade CentOS]].
+* Keep system CentOS with database and Ruby up to date as needed, using yum update or through web portal by doing upgrade linux packages, see [[Upgrade CentOS]].
-* Telcobridges has adopted a proactive OS update practice that managing Telcobridges repository according to CentOS annoucement.
+* Telcobridges has adopted a proactive OS update practice that managing Telcobridges repository according to CentOS announcement.
-* Also, on January 27, 2015, a vulnerability named "GHOST" in the glibc library was publicly announced. GHOST is also referred as '''CVE-2015-0235'''. The vulnerability is a buffer overflow in the gethostbyname family of functions that can allow arbitrary code execution. See [[GHOST]] for details on what is affected and update procedure of CentOS 5 from Telcobridges repository.
 == Web Portal Access Security ==
@@ Line 43: / Line 43: @@
 ** Password confirmation when creating/editing users
 ** Web session auto-logout after a certain amount of time without activity (default 30 mins)
-** See [[Toolpack:System Settings C|System Settings 2.10]]
+* See [[Toolpack:System Settings C#Access_and_User_Management|Access and User Management]] for configuration
 = Tsbc =

@@ Line 10: / Line 10: @@
 = Introduction =
 This page discusses methods for improving overall security of Telcobridges system against unwanted attacks and vulnerabilities with adverse exposure as introduced from internet or connecting to network in general.
 = Tmedia/Tsig/Tdev =
@@ Line 45: / Line 44: @@
 ** Web session auto-logout after a certain amount of time without activity (default 30 mins)
 ** See [[Toolpack:System Settings C|System Settings 2.10]]
 = Tsbc =

@@ Line 10: / Line 10: @@
 = Introduction =
 This page discusses methods for improving overall security of Telcobridges system against unwanted attacks and vulnerabilities with adverse exposure as introduced from internet or connecting to network in general.
 = Tmedia/Tsig/Tdev =
@@ Line 44: / Line 45: @@
 ** Web session auto-logout after a certain amount of time without activity (default 30 mins)
 ** See [[Toolpack:System Settings C|System Settings 2.10]]
 = Tsbc =
 * TSBC products follow the same security hardening practices for ''SSH Access Security'', ''CentOS Update for New Packages'', and ''Web Portal Access Security'' (see [[Toolpack:Tsbc System Settings 3.0|Tsbc System Settings 3.0]]) of Tmedia/Tsig/Tdev above.
-* For TSBC, web portal (host interfaces), ssh (when enabled and managed by web), SNMP service (host interfaces) are firewall protected through tbrouter within TSBC.
+* Web portal (host interfaces), ssh (when enabled and managed by web), SNMP service (host interfaces) are firewall protected through tbrouter within TSBC.
 * Web portal/SSH/SNMP access ports refer to LAN/WAN ports that have sevice defined for management such as OAMP/NAT or FIXED MANAGEMENT.
-* TSBC's physical management port (mgmt) should be used for serial connection or put in a private LAN environment for maintenance purpose at all times.
+* Physical management port (mgmt) should be used for serial connection or put in a private LAN environment at all times for maintenance purpose only if needed.
 = References =

@@ Line 48: / Line 48: @@
 * TSBC products follow the same security hardening practices for ''SSH Access Security'', ''CentOS Update for New Packages'', and ''Web Portal Access Security'' (see [[Toolpack:Tsbc System Settings 3.0|Tsbc System Settings 3.0]]) of Tmedia/Tsig/Tdev above.
-* For TSBC, web portal (all host interfaces), ssh (when enabled and managed by web), SNMP service (all host interfaces) are firewall protected through tbrouter within TSBC.
+* For TSBC, web portal (host interfaces), ssh (when enabled and managed by web), SNMP service (host interfaces) are firewall protected through tbrouter within TSBC.
-* Web portal/SSH access ports refer to those LAN/WAN ports that have sevice defined for management such as OAMP/NAT or FIXED MANAGEMENT.
+* Web portal/SSH/SNMP access ports refer to those LAN/WAN ports that have sevice defined for management such as OAMP/NAT or FIXED MANAGEMENT.
 * TSBC's physical management port (mgmt) should be used for serial connection or put in a private LAN environment for maintenance purpose at all times.