Re: [Freeipa-users] Hardening freeipa on the internet
On Fri, Apr 25, 2014 at 10:11:15AM +0200, Martin Kosek wrote:
> Does anybody know about other precautions that should be made besides
> standard hardening (SELinux, firewall, log audits)?

I've been running IPA on AWS for a while, replicating within regions as well as inter-region and also a regular datacentre. Not using IPA DNS services, but instead using Route53 (managed by puppet). All in all have been pretty impressed with the stability of it.

As well as disabling anonymous binds, you should also disallow plain-text connections. This is done in /etc/dirsrv/slapd-PROD-TELNIC-NET/dse.ldif.

Find nsslapd-minssf, and change this from '0' to '56'.

With this enabled, all clients will need to communicate via STARTTLS or LDAPS. The only caveat to this is that in 3.0, this affects only the regular slapd instance, and not the CA slapd which replicates over plain-text only. This is apparently fixed in 3.2.

Cheers,
-- 
Richard Clark
rich...@fohnet.co.uk

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
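As an added example (not code from the thread or from FreeIPA), a small Python audit that reads a dse.ldif and reports whether nsslapd-minssf reaches the 56 Richard suggests and whether anonymous binds are still accepted. Both LDIF samples are constructed; nsslapd-allow-anonymous-access is the 389 Directory Server attribute that governs anonymous binds and is assumed here, not named in the thread.

```python
# Added example (not from the thread): audit a 389-ds dse.ldif for plain-text and anonymous binds.
from typing import Dict, List

# Constructed sample: shipped defaults, which accept plain-text and anonymous binds.
WEAK_DSE_LDIF = """\
dn: cn=config
cn: config
objectClass: nsslapdConfig
nsslapd-minssf: 0
nsslapd-allow-anonymous-access: on
nsslapd-port: 389

dn: cn=plugins,cn=config
cn: plugins
"""
# Constructed sample after the thread's advice: minssf 56 (forces STARTTLS/LDAPS), and anonymous
# binds limited to the root DSE via the 389-ds attribute nsslapd-allow-anonymous-access (assumed).
HARDENED_DSE_LDIF = WEAK_DSE_LDIF.replace("nsslapd-minssf: 0", "nsslapd-minssf: 56").replace(
    "nsslapd-allow-anonymous-access: on", "nsslapd-allow-anonymous-access: rootdse")

def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader: {dn: {attr: [values]}} with lower-cased keys.
    Unfolds continuation lines (leading space); skips comments and base64 ('::') values."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    for block in text.split("\n\n"):
        lines: List[str] = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]              # folded continuation of the previous line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        attrs: Dict[str, List[str]] = {}
        for line in lines:
            key, sep, val = line.partition(": ")
            if sep and not key.endswith(":"):     # 'attr:: <base64>' is skipped
                attrs.setdefault(key.lower(), []).append(val.strip())
        if "dn" in attrs:
            entries[attrs.pop("dn")[0].lower()] = attrs
    return entries

def audit_dse(text: str, min_ssf: int = 56) -> List[str]:
    """Findings for the cn=config entry; an empty list means both settings meet the advice."""
    cfg = parse_ldif(text).get("cn=config", {})
    findings: List[str] = []
    ssf = int(cfg.get("nsslapd-minssf", ["0"])[0])                      # 389-ds default: 0
    if ssf < min_ssf:
        findings.append(f"nsslapd-minssf={ssf}: raise to {min_ssf} so clients must use STARTTLS or LDAPS")
    if cfg.get("nsslapd-allow-anonymous-access", ["on"])[0].lower() == "on":  # default: on
        findings.append("nsslapd-allow-anonymous-access=on: set to off (or rootdse) to stop anonymous enumeration")
    return findings
```

Richard's caveat still applies: on 3.0 this file belongs to the regular slapd instance only, so the CA instance's dse.ldif needs checking separately.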
Re: [Freeipa-users] Hardening freeipa on the internet
On 04/28/2014 05:16 PM, Simo Sorce wrote:
> On Mon, 2014-04-28 at 16:11 +0100, Andrew Holway wrote:
>>> I realized that you probably want to disable anonymous access to LDAP.
>>> It will prevent random strangers from enumerating all users in your database...
>>
>> This sounds like a bug no? anonymous access to LDAP?
>
> Historically many Linux and Unix OSs did not authenticate to LDAP to download POSIX info, so by default we allow anonymous access to a lot of the tree.
>
> We are in the process of changing how the permissions work in 4.0, and will contextually close down a lot more of the tree letting the admin more easily configure access.
>
> So, no it is not technically a bug, but it is something you want to look out for as an admin.
>
> Simo.

Let me just advertise the core feature of upcoming FreeIPA 4.0 which contains a re-design of ACIs and permissions in FreeIPA:

http://www.freeipa.org/page/V4/Permissions_V2

With this feature, it will be very easy to control visibility of different parts of the FreeIPA DIT - i.e. for example allow POSIX user attributes for anonymous but allow other attributes to authenticated only, same with groups, HBAC rules, ...

Martin
Re: [Freeipa-users] Hardening freeipa on the internet
On 25.4.2014 11:00, Petr Spacek wrote:
> On 25.4.2014 10:11, Martin Kosek wrote:
>> On 04/25/2014 09:50 AM, Andrew Holway wrote:
>>> Hello,
>>>
>>> I am having a think about running freeipa on the open seas for more distributed organisations and would like to understand where the weaknesses might be. I would almost certainly only make the ui unavailable however I am unsure about the other services.
>>>
>>> Would this be workable?
>>>
>>> Thanks,
>>>
>>> Andrew
>>
>> That's actually a very good question. I am currently working on a public FreeIPA demo on Red Hat OpenStack platform which I will make available in upcoming weeks and have a few pointers for you:
>>
>> 1) If you have DNS configured, make sure that your FreeIPA DNS does not pose as an open DNS resolver to avoid DNS amplification attacks. The following extension to named.conf options should be a good start:
>>
>>     allow-transfer {none;};
>
> This configuration applies only to zones defined in named.conf and not to FreeIPA zones defined in LDAP. Make sure that allow-transfer is configured for FreeIPA zones:
>
>     $ ipa dnszone-mod --allow-transfer=none; example.
>
>>     allow-recursion {none;};
>>     recursion no;
>>     version [Secured];
>>     rate-limit {
>>         responses-per-second 15;
>
> You may need to modify this value to fit your needs.
>
> Further reading about DNS amplification attacks:
> http://www.us-cert.gov/ncas/alerts/TA13-088A
>
> Further reading about Response Rate Limiting:
> http://bkraft.fr/blog/bind_RRL_feature/
> https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html
> https://kb.isc.org/article/AA-00994/0
>
>>     };
>>
>> 2) Prevention for NTP amplification attack
>>
>> More info here:
>> https://support.steadfast.net/Knowledgebase/Article/View/106/0/preventing-ntp-amplification-attacks
>
> Further reading about NTP amplification attacks:
> http://www.us-cert.gov/ncas/alerts/TA14-013A
>
>> Does anybody know about other precautions that should be made besides standard hardening (SELinux, firewall, log audits)?
>
> I wonder if Kerberos over UDP could have the same problem...

Maybe only if you have some principals with disabled pre-authentication. I don't know. Kerberos is not listed on http://www.us-cert.gov/ncas/alerts/TA14-017A ...

I realized that you probably want to disable anonymous access to LDAP. It will prevent random strangers from enumerating all users in your database...

-- 
Petr^2 Spacek
Re: [Freeipa-users] Hardening freeipa on the internet
> I realized that you probably want to disable anonymous access to LDAP.
> It will prevent random strangers from enumerating all users in your database...

This sounds like a bug no? anonymous access to LDAP?

> -- 
> Petr^2 Spacek
Re: [Freeipa-users] Hardening freeipa on the internet
On Mon, 2014-04-28 at 16:11 +0100, Andrew Holway wrote:
>> I realized that you probably want to disable anonymous access to LDAP.
>> It will prevent random strangers from enumerating all users in your database...
>
> This sounds like a bug no? anonymous access to LDAP?

Historically many Linux and Unix OSs did not authenticate to LDAP to download POSIX info, so by default we allow anonymous access to a lot of the tree.

We are in the process of changing how the permissions work in 4.0, and will contextually close down a lot more of the tree letting the admin more easily configure access.

So, no it is not technically a bug, but it is something you want to look out for as an admin.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Hardening freeipa on the internet
On 04/25/2014 09:50 AM, Andrew Holway wrote:
> Hello,
>
> I am having a think about running freeipa on the open seas for more distributed organisations and would like to understand where the weaknesses might be. I would almost certainly only make the ui unavailable however I am unsure about the other services.
>
> Would this be workable?
>
> Thanks,
>
> Andrew

That's actually a very good question. I am currently working on a public FreeIPA demo on Red Hat OpenStack platform which I will make available in upcoming weeks and have a few pointers for you:

1) If you have DNS configured, make sure that your FreeIPA DNS does not pose as an open DNS resolver to avoid DNS amplification attacks. The following extension to named.conf options should be a good start:

    allow-transfer {none;};
    allow-recursion {none;};
    recursion no;
    version [Secured];
    rate-limit {
        responses-per-second 15;
    };

2) Prevention for NTP amplification attack

More info here:
https://support.steadfast.net/Knowledgebase/Article/View/106/0/preventing-ntp-amplification-attacks

Does anybody know about other precautions that should be made besides standard hardening (SELinux, firewall, log audits)?

Thanks,
Martin
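As an added example (not code from the thread, FreeIPA or BIND), a Python check that parses the named.conf options block and reports which of the anti-amplification settings Martin lists are missing: recursion no, allow-recursion and allow-transfer set to none, and a rate-limit block. Both configurations are constructed samples; as Petr notes in the thread, these options cover only zones defined in named.conf, so the LDAP-stored FreeIPA zones still need their own allow-transfer via ipa dnszone-mod, which this check does not cover.

```python
# Added example (not from the thread): audit a named.conf "options" block for the
# anti-amplification settings Martin lists. Both configurations are constructed samples.
import re
from typing import Any, Dict, List, Tuple

# Constructed sample: an open resolver that also allows zone transfers to anyone.
OPEN_RESOLVER = 'options { directory "/var/named"; recursion yes; allow-query { any; }; version "9.9.4"; };'
# Constructed sample carrying the options proposed in the thread (version string quoted for BIND).
HARDENED = ('options { directory "/var/named"; allow-transfer { none; }; allow-recursion { none; }; '
            'recursion no; version "[Secured]"; rate-limit { responses-per-second 15; }; };')

def parse_block(tokens: List[str], pos: int = 0) -> Tuple[Dict[str, Any], int]:
    """Parse 'keyword args;' and 'keyword { ... };' statements up to the matching '}'.
    A plain statement maps to its argument string, a braced one to a nested dict."""
    block: Dict[str, Any] = {}
    words: List[str] = []
    sub = None
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "{":
            sub, pos = parse_block(tokens, pos)       # recurse into the nested block
        elif tok == "}":
            break
        elif tok == ";":
            if words:
                block[words[0]] = sub if sub is not None else " ".join(words[1:]).strip('"')
            words, sub = [], None
        else:
            words.append(tok)
    return block, pos

def audit_named_conf(text: str) -> List[str]:
    """Return findings for the options block; an empty list means it matches the thread's advice."""
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)   # quoted strings, punctuation, words
    opts = parse_block(tokens)[0].get("options", {})
    findings: List[str] = []
    if opts.get("recursion") != "no":
        findings.append("recursion is not 'no': the server answers recursive queries for anyone")
    for acl in ("allow-recursion", "allow-transfer"):
        if set(opts.get(acl, {})) != {"none"}:         # absent, or something other than { none; }
            findings.append(f"{acl} is not {{ none; }}")
    rate_limit = opts.get("rate-limit", {})
    if not isinstance(rate_limit, dict) or "responses-per-second" not in rate_limit:
        findings.append("rate-limit { responses-per-second N; } missing: no RRL against amplification")
    return findings
```

The tokenizer does not strip named.conf comments, so run it over a file with comments removed or extend the regex before using it on a real configuration.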