Updated on 8/16/2019
Eyeglass Administration guides Publication
Eyeglass Appliance Security Hardening Guide

Abstract:

This technical note provides a guide to security hardening for the Eyeglass Appliance.

 

Eyeglass Service Account

Use the Eyeglass service account when adding the Isilon clusters to Eyeglass.

Reference: Isilon Cluster User Minimum Privileges for Eyeglass

Security Vulnerability: TLS Server supports TLSv1.0 and SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)

NOTE: New appliances already have the latest security settings, and a backup restore to a new appliance version makes this much simpler. Download the latest appliance, then back up the current appliance and restore to the new one. This also ensures that more recent security updates are in the OS and that all protocol hardening is applied.

Mitigation 1: SSLv2 and SSLv3 disabled for lighttpd (default setting)

Mitigation 2: Disable TLS1.0 and 1.1 for lighttpd by following the steps below:

  1. ssh to Eyeglass Appliance as admin user
  2. Type admin password (default password: 3y3gl4ss)
  3. sudo su - (Syntax: sudo<space>su<space>-)
  4. Type admin password (default password: 3y3gl4ss)
  5. edit /etc/lighttpd/lighttpd.conf

     On line 426 you will see:

     ssl.cipher-list             = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK"

     Replace this cipher list with the one below:

     ssl.cipher-list = "TLSv1.2:!aNULL:!eNULL:!DSS"

  6. Press the Esc key and type :wq! to save the changes.
  7. Run this command: “systemctl restart lighttpd”
  8. Done

Mitigation 3: Disable TLS1.0 and 1.1 and SSLv2 and SSLv3 for websockets (port 2011 and port 2012) by following the steps below:

  1. ssh to Eyeglass Appliance as admin user
  2. Type admin password (default password: 3y3gl4ss)
  3. sudo su - (Syntax: sudo<space>su<space>-)
  4. Type admin password (default password: 3y3gl4ss)
  5. edit /opt/superna/java/jre1.8.0_05/lib/security/java.security

     On line 518 you will see:

     #   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048

     Replace this with the line below (uncommented):

     jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048, SSLv2Hello, SSLv3, TLSv1, TLSv1.1

  6. Press the Esc key and type :wq! to save the changes.
  7. Type this command to restart the Eyeglass service: systemctl restart sca
  8. Done
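After applying Mitigations 2 and 3, it is worth verifying from a separate host that the appliance really refuses TLSv1.0 and TLSv1.1 on port 443 (lighttpd) and on the websocket ports 2011 and 2012. The script below is an added verification example written for this guide; it is not Superna code. It pins one handshake per protocol version with Python's ssl module and reports which versions the server still accepts. The host name and ports are placeholders to be replaced with your appliance address. SSLv2/SSLv3 cannot be probed this way because modern OpenSSL builds no longer contain them.

```python
"""Probe which TLS protocol versions a server still negotiates and judge the
result against the hardening goal (TLSv1.0/1.1 disabled).
Added example for this guide; not Superna code. Host and ports are placeholders."""
import socket
import ssl
import sys

# Versions the ssl module can pin a handshake to.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
SHOULD_BE_DISABLED = {"TLSv1", "TLSv1.1"}


def probe_version(host, port, version, timeout=5.0):
    """Try exactly one handshake pinned to `version`.
    Returns 'accepted', 'rejected', 'unreachable' or 'unsupported-locally'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we test protocol negotiation only, not certificate trust
    try:
        # Newer OpenSSL refuses TLS 1.0/1.1 at the default security level; relax it
        # so a rejection is the server's decision, not the client's.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL or older builds: no SECLEVEL keyword
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return "unsupported-locally"  # this build has the protocol compiled out
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
    except ssl.SSLError:
        return "rejected"
    except OSError:
        return "unreachable"


def probe_all(host, port):
    """Probe every version in VERSIONS; returns {version_name: outcome}."""
    return {name: probe_version(host, port, v) for name, v in VERSIONS.items()}


def evaluate(results):
    """Turn a {version: outcome} map into a list of findings; an empty list means hardened."""
    findings = []
    for name in ("TLSv1", "TLSv1.1"):
        outcome = results.get(name, "untested")
        if outcome == "accepted":
            findings.append(f"{name} accepted: disable it (Mitigation 2/3)")
        elif outcome == "unsupported-locally":
            findings.append(f"{name} could not be tested from this host; verify with another client")
    if not any(results.get(n) == "accepted" for n in ("TLSv1.2", "TLSv1.3")):
        findings.append("no modern TLS version accepted: check reachability and the cipher list")
    return findings


if __name__ == "__main__":
    # Placeholder address; pass your appliance as argv[1] and a port as argv[2].
    host = sys.argv[1] if len(sys.argv) > 1 else "eyeglass.example.invalid"
    ports = [int(sys.argv[2])] if len(sys.argv) > 2 else [443, 2011, 2012]
    for port in ports:
        res = probe_all(host, port)
        print(f"{host}:{port}")
        for name, outcome in res.items():
            print(f"  {name:8s} {outcome}")
        for finding in evaluate(res):
            print("  FINDING:", finding)
```

Run it against the appliance from a client host after the lighttpd and sca services have been restarted; the expected outcome is "rejected" for TLSv1 and TLSv1.1 and "accepted" for TLSv1.2. The lighttpd cipher string "TLSv1.2:!aNULL:!eNULL:!DSS" works because OpenSSL's TLSv1.2 keyword selects only cipher suites that require TLS 1.2, so older clients have nothing left to negotiate.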

Security Vulnerability: OpenSSH X11 Command Injection Vulnerability

Mitigation: Upgrade OpenSSH_6.6.1p1 to OpenSSH 7.2p2 by following the steps below.

This guide addresses the “Security Vulnerability: OpenSSH X11 Command Injection Vulnerability” issue on OpenSuse 13.2.

Reference: CVE ID: CVE-2016-3115

If your Eyeglass Appliance is connected directly to the internet, follow the Online upgrade guide; otherwise follow the Offline upgrade guide.


FOR ONLINE OpenSSH Upgrade:

IMPORTANT: Take a “vCenter” snapshot of your current Eyeglass Appliance before conducting the OpenSSH package upgrade.

  1. ssh to Eyeglass Appliance as admin user
  2. Type admin password (default password: 3y3gl4ss)
  3. sudo su - (Syntax: sudo<space>su<space>-)
  4. Type admin password (default password: 3y3gl4ss)
  5. Run “ssh -V” to determine your OpenSSH package version
     [The following upgrade procedure applies to OpenSSH_6.6.1p1 → 7.2p2]
  6. Install “wget” to download the RPM file onto your Eyeglass Appliance:
     zypper install wget
  7. Download the latest OpenSSH community build [openssh-7.2p2-142.4.x86_64.rpm] for our OS using “wget”:
     wget http://download.opensuse.org/repositories/network/openSUSE_13.2/x86_64/openssh-7.2p2-142.4.x86_64.rpm
  8. Change the permission of the RPM file to 700.
  9. Upgrade the current version of OpenSSH from OpenSSH_6.6.1p1 → 7.2p2 by running the command:
     rpm -Uvh openssh-7.2p2-142.4.x86_64.rpm
     [The above command upgrades the OpenSSH package. It is IMPORTANT to check connectivity after upgrading]
  10. Run “systemctl status sshd” to ensure the sshd service is up and running
  11. Check the version of SSH after upgrading:
     ssh -V
  12. IMPORTANT: Use another PuTTY session to log in to your Eyeglass appliance and check SSH connectivity. Also log in to your Eyeglass appliance from the clusters using the SSH tunnel to ensure application integrity.

i.e.: In the screenshot (not reproduced here), we SSH to our Eyeglass appliance from a OneFS cluster. IP 172.16.85.176 is our Eyeglass appliance IP.


FOR OFFLINE OpenSSH Upgrade:

IMPORTANT: Take a “vCenter” snapshot of your current Eyeglass Appliance before conducting the OpenSSH package upgrade.

  1. Browse to the following website and download the appropriate RPM package for OpenSSH 7.2:
     [http://download.opensuse.org/repositories/network/openSUSE_13.2/x86_64/]

     You will be presented with a list of available RPMs. Click on the .rpm file you want to download. In our case, we downloaded openssh-7.2p2-142.4.x86_64.rpm.

  2. If you are using the “Windows” OS, the file will typically be downloaded to the “C:\users\xxx\Downloads” folder.
  3. Download “WinSCP” and copy the RPM file over to your Eyeglass Appliance. Our directory location is “/home/admin”.
  4. In WinSCP, right-click the .rpm file, open Properties and set the file permission to 0700.
  5. ssh to Eyeglass Appliance as admin user
  6. Type admin password (default password: 3y3gl4ss)
  7. sudo su - (Syntax: sudo<space>su<space>-)
  8. Type admin password (default password: 3y3gl4ss)
  9. Change to “/home/admin” [where you saved the .rpm file] and upgrade the current version of OpenSSH from OpenSSH_6.6.1p1 → 7.2p2 by running the command:
     rpm -Uvh openssh-7.2p2-142.4.x86_64.rpm
     [The above command upgrades the OpenSSH package. It is IMPORTANT to check connectivity after upgrading]
  10. Run “systemctl status sshd” to ensure the sshd service is up and running
  11. Check the version of SSH after upgrading:
     ssh -V
  12. IMPORTANT: Use another PuTTY session to log in to your Eyeglass appliance and check SSH connectivity. Also log in to your Eyeglass appliance from the clusters using the SSH tunnel to ensure application integrity.

     i.e.: In the screenshot (not reproduced here), we SSH to our Eyeglass appliance from a OneFS cluster. IP 172.16.85.176 is our Eyeglass appliance IP.

Eyeglass with OpenSuse 42.3

| Component | CVE | Description | Package version in Eyeglass OpenSuse 42.3 | Status | Reference |
|---|---|---|---|---|---|
| NTP | CVE-2016-7429 | NTP before 4.2.8p9 changes the peer structure to the interface it receives the response from a source, which allows remote attackers to cause a denial of service (prevent communication with a source) by sending a response for a source to an interface the source does not use. | 4.2.8p10-30.1 | OK | https://www.suse.com/security/cve/CVE-2016-7429/ |
| NTP | CVE-2016-7431 | NTP before 4.2.8p9 allows remote attackers to bypass the origin timestamp protection mechanism via an origin timestamp of zero. NOTE: this vulnerability exists because of a CVE-2015-8138 regression. | 4.2.8p10-30.1 | OK | https://www.suse.com/security/cve/CVE-2016-7431/ |
| NTP | CVE-2016-7433 | NTP before 4.2.8p9 does not properly perform the initial sync calculations, which allows remote attackers to have unspecified impact via unknown vectors, related to a "root distance that did not include the peer dispersion." | 4.2.8p10-30.1 | OK | https://www.suse.com/security/cve/CVE-2016-7433/ |
| NTP | CVE-2016-7434 | The read_mru_list function in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (crash) via a crafted mrulist query. | 4.2.8p10-30.1 | OK | https://www.suse.com/security/cve/CVE-2016-7434/ |
| NTP | CVE-2016-9310 | The control mode (mode 6) functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to set or unset traps via a crafted control mode packet. | 4.2.8p10-30.1 | OK | https://www.suse.com/security/cve/CVE-2016-9310/ |
| SSH | CVE-2016-10012 | The shared memory manager (associated with pre-authentication compression) in sshd in OpenSSH before 7.4 does not ensure that a bounds check is enforced by all compilers, which might allow local users to gain privileges by leveraging access to a sandboxed privilege-separation process, related to the m_zback and m_zlib data structures. | 7.2p2-13.1 | OK (patch is included in 42.3) | https://www.suse.com/security/cve/CVE-2016-10012/ |
| SSH | CVE-2016-10011 | authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process. | 7.2p2-13.1 | OK (patch is included in 42.3) | https://www.suse.com/security/cve/CVE-2016-10011/ |
| SSH | CVE-2016-10010 | sshd in OpenSSH before 7.4, when privilege separation is not used, creates forwarded Unix-domain sockets as root, which might allow local users to gain privileges via unspecified vectors, related to serverloop.c. | 7.2p2-13.1 | OK (patch is included in 42.3) | https://www.suse.com/security/cve/CVE-2016-10010/ |
| SSH | CVE-2016-10009 | Untrusted search path vulnerability in ssh-agent.c in ssh-agent in OpenSSH before 7.4 allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket. | 7.2p2-13.1 | OK (patch is included in 42.3) | https://www.suse.com/security/cve/CVE-2016-10009/ |





Hardening Password Complexity

Follow these steps to enable local password complexity for the built-in users admin, auditor and rwdefend. NOTE: These settings apply only to the local OS users; if you use RBAC proxy login to Isilon or AD, use the password features of Isilon or AD to set up password complexity.

In these password rules a negative value (for example -1) means the password MUST contain at least that many characters of that class. Use the definitions below to customize the example provided.

  • Minimum password length should be x characters
    • value minlen
  • Password should have one UPPERCASE character
    • value ucredit
  • Password should have one LOWERCASE character
    • value lcredit
  • Password should have one numeric character
    • value dcredit
  • Password should have special characters
    • value ocredit
  • Minimum passwords to remember, or password history
    • value pwhistory-remember
  • Accounts should be locked out after repeated bad login attempts; see the next section, which blocks the source IP of the machine after failed local logins using fail2ban and firewall rules.



  1. login as admin
  2. sudo -s
  3. enter admin password
  4. zypper install pam-modules (this requires internet access to install additional PAM modules)
  5. Answer yes to install the new modules
  6. cd /etc/pam.d/
  7. cp common-password common-password.bak (back up the old password rules file)
  8. pam-config -a --cracklib --cracklib-minlen=6 --cracklib-lcredit=-1 --cracklib-ucredit=-1 --cracklib-dcredit=-1 --cracklib-ocredit=-1 --pwhistory --pwhistory-use_authtok --pwhistory-remember=3
    1. See the definitions above for each value to customize
    2. This will generate a new common-password file
    3. When users try to change passwords they will require a password that matches these rules. NOTE: the root user can set a password for a user account that does not match these rules.
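The credit values in the pam-config line are easy to misread, so here is the scoring rule pam_cracklib applies, re-implemented in Python as an added illustration for this guide (it is not the PAM module's own code and not part of the appliance). A negative credit is a hard minimum for that character class; a non-negative credit instead lets up to that many characters of the class count extra towards minlen. The history check stands in for pam_pwhistory, which stores crypt() hashes in /etc/security/opasswd; a salted SHA-256 is used here only so the example runs stand-alone. The PasswordHistory class and change_password helper are assumptions of this example.

```python
"""pam_cracklib credit scoring and pam_pwhistory reuse check, re-implemented for
illustration. Added example for this guide; not the PAM modules' own code."""
import hashlib
import os


def cracklib_check(pw, minlen=6, lcredit=-1, ucredit=-1, dcredit=-1, ocredit=-1):
    """Return (ok, reason) using pam_cracklib's rules:
    credit >= 0: up to `credit` characters of that class add to the effective length;
    credit <  0: the password must contain at least -credit characters of that class.
    The defaults are the values from the pam-config line in this guide."""
    counts = {"lcredit": 0, "ucredit": 0, "dcredit": 0, "ocredit": 0}
    for c in pw:
        if c.islower():
            counts["lcredit"] += 1
        elif c.isupper():
            counts["ucredit"] += 1
        elif c.isdigit():
            counts["dcredit"] += 1
        else:
            counts["ocredit"] += 1  # "other": anything not lower/upper/digit
    credits = {"lcredit": lcredit, "ucredit": ucredit, "dcredit": dcredit, "ocredit": ocredit}
    minlen = max(minlen, 6)  # pam_cracklib never accepts a minlen below 6
    effective = len(pw)
    for name, credit in credits.items():
        n = counts[name]
        if credit >= 0:
            effective += min(n, credit)
        elif n < -credit:
            return False, f"needs at least {-credit} character(s) of class {name}"
    if effective < minlen:
        return False, f"effective length {effective} is below minlen {minlen}"
    return True, "ok"


class PasswordHistory:
    """Remembers the last `remember` password hashes per user (stand-in for pam_pwhistory).
    Salted SHA-256 replaces crypt() here so the example runs offline; this is an assumption."""

    def __init__(self, remember=3):
        self.remember = remember
        self.history = {}  # user -> list of (salt, digest), newest last

    @staticmethod
    def _digest(salt, pw):
        return hashlib.sha256(salt + pw.encode()).hexdigest()

    def was_used(self, user, pw):
        return any(self._digest(s, pw) == d for s, d in self.history.get(user, []))

    def record(self, user, pw):
        entries = self.history.setdefault(user, [])
        salt = os.urandom(8)
        entries.append((salt, self._digest(salt, pw)))
        del entries[:-self.remember]  # keep only the newest `remember` entries


def change_password(history, user, new_pw, **rules):
    """Apply complexity rules, then the reuse check, then record the new password."""
    ok, reason = cracklib_check(new_pw, **rules)
    if not ok:
        return False, reason
    if history.was_used(user, new_pw):
        return False, "password was used recently (pwhistory-remember)"
    history.record(user, new_pw)
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "Pa1!", "Passw0rd!"):
        print(candidate, cracklib_check(candidate))
    # With positive credits the same short string can pass a larger minlen.
    print("Abc1!", cracklib_check("Abc1!", minlen=8, lcredit=1, ucredit=1, dcredit=1, ocredit=1))
```

The contrast worth noting: with the guide's settings "Pa1!" fails on length alone, whereas with credits of +1 each and minlen=8 the five-character "Abc1!" is accepted because each class adds one to the effective length. That is why this guide uses negative credits for every class.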



Banning local user accounts after repeated failed login attempts

The appliance has several local users (admin, auditor and rwdefend) used for the built-in roles of different products. NOTE: the root user password is randomized; use sudo to gain root access and leave the root password randomized.

To ban users that attempt brute-force logins, the following appliance enhancement allows control of lockouts and timed lockouts. It sets up firewall rules to block the IP of the user. The block covers SSH access and HTTPS to the WebUI. NOTE: If proxy login to AD or Isilon local users is used via the RBAC features, those users will be banned as well.


  1. Login as admin 
  2. sudo -s
  3. enter admin password
  4. zypper install fail2ban  (requires Internet access to the appliance)
  5. systemctl start fail2ban


Configuration Steps

High level:

  • modify /etc/fail2ban/jail.conf (add an 'eyeglass' section)
  • enable eyeglass filtering from /etc/fail2ban/jail.local
  • add an 'eyeglass' custom filter file in the /etc/fail2ban/filter.d/ directory

  1. vim /etc/fail2ban/filter.d/eyeglass.conf (add the contents below to the file and save the file with :wq)

       # Fail2ban filter for Superna Eyeglass
       #
       #

       [INCLUDES]

       before = common.conf

       [Definition]

       failregex = <HOST> \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b - \[.* "POST /RestClient/login/login HTTP/1.1" 500

       ignoreregex =

  2. vim /etc/fail2ban/jail.local and add the following to this file:

       [DEFAULT]
       ignoreip = 127.0.0.1/8
       bantime = 300
       findtime = 300
       maxretry = 3

       [sshd]
       enabled = true

       [eyeglass]
       enabled = true

  3. Modify /etc/fail2ban/filter.d/sshd.conf to comment out the line that matches spam_unix (the pam_unix failregex):
       sed -e '/spam_unix/s/^/#/g' -i /etc/fail2ban/filter.d/sshd.conf
  4. Modify /etc/fail2ban/jail.conf to add the eyeglass jail rule:
       sed -i "/HTTP servers/a[eyeglass]\n \nport = http,https\nlogpath = /var/log/lighttpd/access.log" /etc/fail2ban/jail.conf
  5. Restart the service and check its status:
       systemctl restart fail2ban
       systemctl status fail2ban
  6. Optional - Find bantime and change the default from 300 seconds to a value that meets your requirements
  7. Optional - Find findtime and change the default from 600 to a value that meets your requirements (a host is banned if it has generated "maxretry" failures during the last "findtime")
  8. Optional - Find maxretry and change the default from 3 to a value that meets your requirements
  9. Save the file after changes with :wq
  10. Done.
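To see what the eyeglass jail actually does with the lighttpd access log, the following added example (written for this guide, not part of fail2ban or the appliance) replays constructed log lines through the failregex from the filter above and the maxretry/findtime/bantime/ignoreip settings from the jail.local above. It substitutes a named group for fail2ban's <HOST> token the way fail2ban does internally (the group pattern here is simplified) and extracts the bracketed timestamp separately; the log lines and the client IP addresses are constructed for the example.

```python
"""Replay of the Eyeglass fail2ban jail over constructed lighttpd access-log lines.
Added example for this guide; not fail2ban's own code."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The guide's failregex with <HOST> replaced by a named group (simplified form of
# the substitution fail2ban performs itself).
FAILREGEX = re.compile(
    r'(?P<host>[\w\-.^_]*\w) \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b - '
    r'\[.* "POST /RestClient/login/login HTTP/1.1" 500'
)
TIMESTAMP = re.compile(r'\[([^\]]+)\]')

# Settings from the jail.local in this guide.
JAIL = {"ignoreip": ["127.0.0.1/8"], "bantime": 300, "findtime": 300, "maxretry": 3}

# Constructed sample log (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
203.0.113.5 10.0.0.10 - [16/Aug/2019:10:00:01 +0000] "POST /RestClient/login/login HTTP/1.1" 500 0
203.0.113.5 10.0.0.10 - [16/Aug/2019:10:00:20 +0000] "POST /RestClient/login/login HTTP/1.1" 500 0
198.51.100.7 10.0.0.10 - [16/Aug/2019:10:00:30 +0000] "POST /RestClient/login/login HTTP/1.1" 200 512
203.0.113.5 10.0.0.10 - [16/Aug/2019:10:01:05 +0000] "POST /RestClient/login/login HTTP/1.1" 500 0
192.0.2.9 10.0.0.10 - [16/Aug/2019:10:02:00 +0000] "POST /RestClient/login/login HTTP/1.1" 500 0
192.0.2.9 10.0.0.10 - [16/Aug/2019:10:05:00 +0000] "POST /RestClient/login/login HTTP/1.1" 500 0
192.0.2.9 10.0.0.10 - [16/Aug/2019:10:09:00 +0000] "POST /RestClient/login/login HTTP/1.1" 500 0
127.0.0.1 10.0.0.10 - [16/Aug/2019:10:10:00 +0000] "POST /RestClient/login/login HTTP/1.1" 500 0
127.0.0.1 10.0.0.10 - [16/Aug/2019:10:10:01 +0000] "POST /RestClient/login/login HTTP/1.1" 500 0
127.0.0.1 10.0.0.10 - [16/Aug/2019:10:10:02 +0000] "POST /RestClient/login/login HTTP/1.1" 500 0
198.51.100.7 10.0.0.10 - [16/Aug/2019:10:11:00 +0000] "GET /RestClient/login/login HTTP/1.1" 500 0
"""


def parse_failure(line):
    """Return (host, timestamp) if the line matches the eyeglass failregex, else None."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    ts = datetime.strptime(TIMESTAMP.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts


def is_ignored(host, ignoreip):
    """True when the host falls inside one of the ignoreip networks."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def run_jail(lines, jail=JAIL):
    """Count failures per host inside a sliding findtime window; ban on maxretry.
    Returns {host: time_of_ban}."""
    findtime = timedelta(seconds=jail["findtime"])
    bantime = timedelta(seconds=jail["bantime"])
    failures = defaultdict(deque)
    bans = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        host, ts = parsed
        if is_ignored(host, jail["ignoreip"]):
            continue
        if host in bans and ts < bans[host] + bantime:
            continue  # still banned; the firewall rule would have dropped this anyway
        window = failures[host]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= jail["maxretry"]:
            bans[host] = ts
            window.clear()
    return bans


if __name__ == "__main__":
    for host, when in run_jail(SAMPLE_LOG.splitlines()).items():
        print(f"ban {host} at {when.isoformat()} for {JAIL['bantime']}s")
```

In the sample, 203.0.113.5 produces three 500 responses within 64 seconds and is banned; 192.0.2.9 also fails three times but spread over seven minutes, so the window never holds maxretry entries; the loopback address is skipped by ignoreip, and the successful (200) login and the GET request never match the filter at all.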




Copyright Superna LLC