Security Hardening for OS and Web Portal
From TBwiki
(Difference between revisions)
William Wong (Talk | contribs) (→Tsbc) |
(Updated for ProSBC) |
||
(5 intermediate revisions by 3 users not shown) | |||
Line 6: | Line 6: | ||
* Tdev Linux server with (CentOS, RedHat, etc) running Toolpack software | * Tdev Linux server with (CentOS, RedHat, etc) running Toolpack software | ||
* TSBC-SW/TSBC-HW-SRV-HIGH/TSBC-HW-SRV-MID | * TSBC-SW/TSBC-HW-SRV-HIGH/TSBC-HW-SRV-MID | ||
− | |||
= Introduction = | = Introduction = | ||
Line 15: | Line 14: | ||
== Management Port Protection == | == Management Port Protection == | ||
* Keep the management port in a protected environment (behind a firewall). See [[Firewall]]. Note that Mysql port 3306 is for internal use only, this should not be allowed for external access. | * Keep the management port in a protected environment (behind a firewall). See [[Firewall]]. Note that Mysql port 3306 is for internal use only, this should not be allowed for external access. | ||
− | * Iptables could be used to set up rules for management interface to allow only necessary protocols and ports required for access and operation of Telcobridges system. | + | * Iptables could be used to set up rules for management interface to allow only necessary protocols and ports required for access and operation of Telcobridges system. Please check here: [[Centos_syslog_redirect#Firewall_rules_to_the_management_port|Firewall rules on management port]] |
* Other ports do not have access to the OS (unless configured on the web portal). Normally, other ports on the system are configured with services other than management such as OAMP/NAT or FIXED MANAGEMENT. | * Other ports do not have access to the OS (unless configured on the web portal). Normally, other ports on the system are configured with services other than management such as OAMP/NAT or FIXED MANAGEMENT. | ||
− | * For example, Voip0 is configured with SIP and RTP, and this port will care for these specific protocols only and discard the rest of the traffic. | + | ** For example, Voip0 is configured with SIP and RTP, and this port will care for these specific protocols only and discard the rest of the traffic. |
− | * For configuring port IP interface setting and services, see example of [[Toolpack:Configuring VoIP Interfaces D|VOIP port IP interface configuration]] and [[Parameter: Services to use|Services to use]]. | + | ** For configuring port IP interface setting and services, see example of [[Toolpack:Configuring VoIP Interfaces D|VOIP port IP interface configuration]] and [[Parameter: Services to use|Services to use]]. |
* In normal operation, only default Mgmt port, or a dedicated Ethernet port on external host server, should be used for management access. SIP/RTP/SIGTRAN or RADIUS/H248 together or separate, could be used on voip0/voip1/eth0/eth1. | * In normal operation, only default Mgmt port, or a dedicated Ethernet port on external host server, should be used for management access. SIP/RTP/SIGTRAN or RADIUS/H248 together or separate, could be used on voip0/voip1/eth0/eth1. | ||
== SSH Access Security == | == SSH Access Security == | ||
− | * Use a strong password for the SSH access. Default password is | + | * Use a strong password for the SSH access. Default password is a strong password that includes alphanumerical and symbol characters. This password can be chaged: see [[How to change host password on Linux]] |
== CentOS Update for New Packages == | == CentOS Update for New Packages == | ||
− | * Keep system CentOS with database | + | * Keep system CentOS with database and Ruby up to date as needed, using yum update or through web portal by doing upgrade linux packages, see [[Upgrade CentOS]]. |
− | * Telcobridges has adopted a proactive OS update practice that managing Telcobridges repository according to CentOS | + | * Telcobridges has adopted a proactive OS update practice that managing Telcobridges repository according to CentOS announcement. |
− | + | ||
== Web Portal Access Security == | == Web Portal Access Security == | ||
Line 43: | Line 42: | ||
** Password confirmation when creating/editing users | ** Password confirmation when creating/editing users | ||
** Web session auto-logout after a certain amount of time without activity (default 30 mins) | ** Web session auto-logout after a certain amount of time without activity (default 30 mins) | ||
− | + | * See [[Toolpack:System Settings C#Access_and_User_Management|Access and User Management]] for configuration | |
− | = | + | = SBC = |
− | * | + | * FreeSBC and ProSBC products follow the same security hardening practices for ''SSH Access Security'', ''CentOS Update for New Packages'', and ''Web Portal Access Security'' (see [[Toolpack:Tsbc System Settings 3.0|Tsbc System Settings 3.0]]) of Tmedia/Tsig/Tdev above. |
− | * | + | * Web portal (host interfaces), ssh (when enabled and managed by web), SNMP service (host interfaces) are firewall protected within SBC. |
− | * Web portal/SSH/SNMP access ports refer to | + | * Web portal/SSH/SNMP access ports refer to LAN/WAN ports that have device defined for management such as OAMP/NAT or FIXED MANAGEMENT. |
− | * | + | * Physical management port (mgmt) should be used for serial connection or put in a private LAN environment at all times for maintenance purpose only if needed. |
= References = | = References = |
Latest revision as of 16:06, 19 December 2019
Contents |
Applicable Products
- TMG800, TMG3200, TMG7800-CTRL
- TSG800, TSG3200
- Tdev Linux server with (CentOS, RedHat, etc) running Toolpack software
- TSBC-SW/TSBC-HW-SRV-HIGH/TSBC-HW-SRV-MID
Introduction
This page discusses methods for improving overall security of Telcobridges system against unwanted attacks and vulnerabilities with adverse exposure as introduced from internet or connecting to network in general.
Tmedia/Tsig/Tdev
Management Port Protection
- Keep the management port in a protected environment (behind a firewall). See Firewall. Note that Mysql port 3306 is for internal use only, this should not be allowed for external access.
- Iptables could be used to set up rules for management interface to allow only necessary protocols and ports required for access and operation of Telcobridges system. Please check here: Firewall rules on management port
- Other ports do not have access to the OS (unless configured on the web portal). Normally, other ports on the system are configured with services other than management such as OAMP/NAT or FIXED MANAGEMENT.
- For example, Voip0 is configured with SIP and RTP, and this port will care for these specific protocols only and discard the rest of the traffic.
- For configuring port IP interface setting and services, see example of VOIP port IP interface configuration and Services to use.
- In normal operation, only default Mgmt port, or a dedicated Ethernet port on external host server, should be used for management access. SIP/RTP/SIGTRAN or RADIUS/H248 together or separate, could be used on voip0/voip1/eth0/eth1.
SSH Access Security
- Use a strong password for the SSH access. Default password is a strong password that includes alphanumerical and symbol characters. This password can be chaged: see How to change host password on Linux
CentOS Update for New Packages
- Keep system CentOS with database and Ruby up to date as needed, using yum update or through web portal by doing upgrade linux packages, see Upgrade CentOS.
- Telcobridges has adopted a proactive OS update practice that managing Telcobridges repository according to CentOS announcement.
Web Portal Access Security
- One or more user groups can be created to define access rights, such as read only, read/write, or no access at all. Access rights can be assigned to all regions of the web portal or to specific areas. One or more users can be created and given access, which was previously defined by user groups. A user is given a name, a password, and assigned to a user group.
- HTTPS is available from 2.9.41 and onwards. HTTPS provides a secure connection between browser and web server. The connection is encrypted using TLS/SSL.
- Web Portal access security enhancement is available on Toolpack 2.10.19 and onwards
- After a web portal failed login access, it will wait about 2 seconds, to prevent brute force attack on web portal login
- There will be new password complexity requirements such as,
- At least 8 characters total
- At least 1 upper case character
- At least 1 lower case character
- At least 1 number
- At least 1 special character
- User account disabling (there will be a check box to indicate active users account), uncheck it will disable the account
- Password confirmation when creating/editing users
- Web session auto-logout after a certain amount of time without activity (default 30 mins)
- See Access and User Management for configuration
SBC
- FreeSBC and ProSBC products follow the same security hardening practices for SSH Access Security, CentOS Update for New Packages, and Web Portal Access Security (see Tsbc System Settings 3.0) of Tmedia/Tsig/Tdev above.
- Web portal (host interfaces), ssh (when enabled and managed by web), SNMP service (host interfaces) are firewall protected within SBC.
- Web portal/SSH/SNMP access ports refer to LAN/WAN ports that have device defined for management such as OAMP/NAT or FIXED MANAGEMENT.
- Physical management port (mgmt) should be used for serial connection or put in a private LAN environment at all times for maintenance purpose only if needed.