On 25.4.2014 11:00, Petr Spacek wrote:
On 25.4.2014 10:11, Martin Kosek wrote:
On 04/25/2014 09:50 AM, Andrew Holway wrote:
Hello,
I am having a think about running freeipa on the open seas for more
distributed organisations and would like to understand where the
weaknesses might be. I would almost certainly only make the ui
unavailable however I am unsure about the other services.
Would this be workable?
Thanks,
Andrew
That's actually a very good question. I am currently working on a public
FreeIPA demo on Red Hat OpenStack platform which I will make available in
upcoming weeks and have few pointers for you:
1) If you have DNS configured, make sure that your FreeIPA DNS does not pose as an
open DNS resolver, to avoid DNS amplification attacks.
The following extension to named.conf options should be a good start:

    allow-transfer { none; };
    // This applies only to zones defined in named.conf and not to
    // FreeIPA zones defined in LDAP. Make sure that allow-transfer is
    // configured for FreeIPA zones as well:
    //   $ ipa dnszone-mod --allow-transfer="none;" example.
    allow-recursion { none; };
    recursion no;
    version "[Secured]";
    rate-limit {
        responses-per-second 15;   // you may need to modify this value to fit your needs
    };

Further reading about DNS amplification attacks:
http://www.us-cert.gov/ncas/alerts/TA13-088A
Further reading about Response Rate Limiting:
http://bkraft.fr/blog/bind_RRL_feature/
https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html
https://kb.isc.org/article/AA-00994/0
2) Prevention of NTP amplification attacks
More info here:
https://support.steadfast.net/Knowledgebase/Article/View/106/0/preventing-ntp-amplification-attacks
Further reading about NTP amplification attacks:
http://www.us-cert.gov/ncas/alerts/TA14-013A
Does anybody know about other precautions that should be taken besides standard
hardening (SELinux, firewall, log audits)?
I wonder if Kerberos over UDP could have the same problem... Maybe only if you
have some principals with disabled pre-authentication. I don't know. Kerberos
is not listed on
http://www.us-cert.gov/ncas/alerts/TA14-017A ...
I realized that you probably want to disable anonymous access to LDAP. It will
prevent random strangers from enumerating all users in your database...
--
Petr^2 Spacek
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
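The two hardening points in Martin's reply (BIND not acting as an open resolver or
an AXFR source, with RRL enabled and the version string hidden; ntpd with monlist
disabled and unauthenticated queries refused) are easy to get subtly wrong, so here
is a small checker for them. This is an added example, not code from the thread or
from the FreeIPA project: the named.conf "options" and ntp.conf fragments are
constructed (one weak, one hardened, for each service), the finding texts and the
regex-based parsing are my own, and the checks only look at the named.conf options
block, not at zones stored in LDAP, which still need the ipa dnszone-mod step.

```python
"""Offline checks for the DNS and NTP hardening points discussed above (added example).

Constructed named.conf 'options' and ntp.conf fragments are embedded so the
checks run without touching a real server; the finding texts are my own wording.
"""
import re

# Constructed weak fragment: what an exposed BIND instance typically looks like
# before any hardening. No rate-limit, no version string, recursion wide open.
NAMED_OPTIONS_WEAK = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };
    // allow-transfer omitted: no explicit restriction
};
"""

# Constructed hardened fragment, following the settings recommended in the thread.
NAMED_OPTIONS_HARDENED = """
options {
    directory "/var/named";
    allow-transfer { none; };
    allow-recursion { none; };
    recursion no;
    version "[Secured]";
    rate-limit {
        responses-per-second 15;
    };
};
"""

# Constructed ntp.conf fragments: the weak one leaves monlist reachable and lets
# anyone query the daemon; the hardened one follows the US-CERT TA14-013A advice.
NTP_CONF_WEAK = """
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
"""

NTP_CONF_HARDENED = """
server 0.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""


def _strip_comments(text):
    """Remove /* */, // and # comments so commented-out settings are not counted."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#).*', '', text)


def _acl(conf, name):
    """Return the address-match-list entries of `name { ...; };`, or None if absent."""
    m = re.search(r'\b%s\s*\{([^}]*)\}' % re.escape(name), conf)
    if not m:
        return None
    return [v.strip().strip('"') for v in m.group(1).split(';') if v.strip()]


def check_named_options(text):
    """Return a list of findings for a named.conf options fragment (empty = hardened)."""
    conf = _strip_comments(text)
    findings = []
    # Lookbehind keeps 'allow-recursion' from matching as 'recursion'.
    m = re.search(r'(?<![\w-])recursion\s+(yes|no)\s*;', conf)
    if not m or m.group(1) == 'yes':
        findings.append("recursion is on (BIND defaults to yes): add 'recursion no;'")
    rec = _acl(conf, 'allow-recursion')
    if rec is None or 'any' in rec:
        findings.append("allow-recursion is unrestricted: add 'allow-recursion { none; };'")
    xfr = _acl(conf, 'allow-transfer')
    if xfr is None or 'any' in xfr:
        findings.append("allow-transfer is unrestricted: add 'allow-transfer { none; };' "
                        "and set --allow-transfer=\"none;\" on the LDAP-stored zones too")
    if not re.search(r'\brate-limit\s*\{[^}]*responses-per-second\s+\d+', conf):
        findings.append("no response rate limiting: add a rate-limit block with responses-per-second")
    if not re.search(r'\bversion\s+"[^"]*"\s*;', conf):
        findings.append("BIND version is exposed via CHAOS TXT queries: set 'version \"...\";'")
    return findings


def check_ntp_conf(text):
    """Return a list of findings for an ntp.conf fragment (empty = hardened)."""
    conf = _strip_comments(text)
    findings = []
    if not re.search(r'^[ \t]*disable[ \t]+monitor[ \t]*$', conf, re.M):
        findings.append("monlist is reachable: add 'disable monitor' (removed upstream in ntp 4.2.7p26)")
    defaults = re.findall(r'^[ \t]*restrict[ \t]+(?:-[46][ \t]+)?default[ \t]*(.*)$', conf, re.M)
    if not defaults:
        findings.append("no 'restrict default' line: add 'restrict default kod nomodify notrap nopeer noquery'")
    for flags in defaults:
        missing = {'noquery', 'nomodify'} - set(flags.split())
        if missing:
            findings.append("'restrict default' lacks %s" % ', '.join(sorted(missing)))
    return findings


if __name__ == "__main__":
    for label, fn, conf in [("named.conf (weak)", check_named_options, NAMED_OPTIONS_WEAK),
                            ("named.conf (hardened)", check_named_options, NAMED_OPTIONS_HARDENED),
                            ("ntp.conf (weak)", check_ntp_conf, NTP_CONF_WEAK),
                            ("ntp.conf (hardened)", check_ntp_conf, NTP_CONF_HARDENED)]:
        print(label)
        for f in fn(conf) or ["  OK"]:
            print("  " + f if not f.startswith("  ") else f)
```

Run it as-is to see the weak fragments flagged and the hardened ones pass, or point
`check_named_options` at the contents of your own /etc/named.conf. The checker is
deliberately strict on allow-recursion even when recursion is off, matching the
belt-and-braces configuration in the thread; if you only set `recursion no;` you will
get one extra finding, which is worth keeping as a reminder that the FreeIPA zones in
LDAP are not covered by any of these options.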