Security Hardening for OS and Web Portal

From TBwiki
(Difference between revisions)
Jump to: navigation, search
(Management Port Protection)
(Management Port Protection)
Line 11: Line 11:
  
 
= Management Port Protection =
 
= Management Port Protection =
* Keep the management port in a protected environment (behind a firewall).  
+
* Keep the management port in a protected environment (behind a firewall). See [[Firewall]]. Note that Mysql port 3306 is for internal use only, this should not be allowed for external access.
 
* Other ports do not have access to the OS (unless configured on the web portal). Normally, other ports on the system are configured with services other than management, that is, OAMP/NAT or FIXED MANAGEMENT  
 
* Other ports do not have access to the OS (unless configured on the web portal). Normally, other ports on the system are configured with services other than management, that is, OAMP/NAT or FIXED MANAGEMENT  
 
* For example, Voip0 is configured with SIP and RTP and this port will care for these specific protocols only and discard the rest of the traffic.  
 
* For example, Voip0 is configured with SIP and RTP and this port will care for these specific protocols only and discard the rest of the traffic.  
 
* For configuring port IP interface setting and services, see example of  [[Toolpack:Configuring VoIP Interfaces D|VOIP port IP interface configuration]] and [[Parameter: Services to use|Services to use]].  
 
* For configuring port IP interface setting and services, see example of  [[Toolpack:Configuring VoIP Interfaces D|VOIP port IP interface configuration]] and [[Parameter: Services to use|Services to use]].  
* In normal operation, only default Mgmt port,or a dedicated Ethernet port on external host server, should be used for management access. SIP/RTP/SIGTRAN/RADIUS/H248 together or separate, could be used on voip0/voip1/eth0/eth1
+
* In normal operation, only default Mgmt port, or a dedicated Ethernet port on external host server, should be used for management access. SIP/RTP/SIGTRAN/RADIUS/H248 together or separate, could be used on voip0/voip1/eth0/eth1
 +
* For TSBC, web portal (all host interfaces), ssh (when enabled and managed by web), SNMP service (all host interfaces) are firewall protected within TSBC
  
 
= SSH Access Security =
 
= SSH Access Security =

Revision as of 03:18, 11 July 2017


Contents

Applicable Products

  • TSBC
  • TMG800, TMG3200, TMG7800-CTRL
  • TSG800, TSG3200
  • Tdev Linux server with (CentOS, RedHat, etc) running Toolpack software

Introduction

This page discusses some means for improving the overall security of Telcobridges system against unwanted attacks and vulnerabilities with adverse exposure as introduced from internet or connecting to network in general.

Management Port Protection

  • Keep the management port in a protected environment (behind a firewall). See Firewall. Note that Mysql port 3306 is for internal use only, this should not be allowed for external access.
  • Other ports do not have access to the OS (unless configured on the web portal). Normally, other ports on the system are configured with services other than management, that is, OAMP/NAT or FIXED MANAGEMENT
  • For example, Voip0 is configured with SIP and RTP and this port will care for these specific protocols only and discard the rest of the traffic.
  • For configuring port IP interface setting and services, see example of VOIP port IP interface configuration and Services to use.
  • In normal operation, only default Mgmt port, or a dedicated Ethernet port on external host server, should be used for management access. SIP/RTP/SIGTRAN/RADIUS/H248 together or separate, could be used on voip0/voip1/eth0/eth1
  • For TSBC, web portal (all host interfaces), ssh (when enabled and managed by web), SNMP service (all host interfaces) are firewall protected within TSBC

SSH Access Security

Use a strong password for the SSH access. Default password is a quite strong password that including alpanumerical and symbol characters, etc. in lengthly number.

CentOS Update for New Packages

  • Keep system CentOS with database /and Ruby up to date as needed, using yum update or through web portal by doing upgrade linux packages, see Upgrade CentOS.
  • Telcobridges has adopted a proactive OS update practice and managing Telcobridges repository according to CentOS annoucement.
  • Also, on January 27, 2015, a vulnerability named "GHOST" in the glibc library was publicly announced. GHOST is also referred as CVE-2015-0235. The vulnerability is a buffer overflow in the gethostbyname family of functions that can allow arbitrary code execution. See GHOST for details on what is affected and update procedure of CentOS 5 from Telcobridges repository.

Web Portal Access Security

Web Portal access security enhancement is available on Toolpack 2.10.19 and onwards

  • After a web portal failed login access, it will wait about 2 seconds, to prevent brute force attack on web portal login
  • There will be new password complexity requirements such as,
    • At least 8 characters total
    • At least 1 upper case character
    • At least 1 lower case character
    • At least 1 number
    • At least 1 special character
  • User account disabling (there will be a check box to indicate active users account), uncheck it will disable the account
  • Password confirmation when creating/editing users
  • Web session auto-logout after a certain amount of time without activity (default 30 mins)


References

Personal tools