
SmartMachines are very secure. However, you can take additional steps to harden a SmartMachine further.


At a Glance

This topic shows you how to secure your SmartMachine or appliance using IPFilter Rules and DenyHosts.

Using DenyHosts

You can install DenyHosts to help prevent SSH server attacks (also known as dictionary-based or brute force attacks). DenyHosts runs as a service that watches for multiple failed login attempts from an IP address and then locks out that IP once it reaches the login threshold.

  1. SSH into your SmartMachine and run this command:
  2. Open the configuration file for edit:
  3. Locate the following section:
  4. Remove the comment from the first SECURE_LOG line and add a comment to the second SECURE_LOG line:

    This will ensure DenyHosts is looking at the right logfile: SECURE_LOG = /var/log/auth.log

  5. Enable DenyHosts:
  6. Verify DenyHosts is running:

If successful, you should see something similar to this:

This will block any host with failed logins that exceed the thresholds set in the configuration file. You can modify the configuration file to adjust the default thresholds for various failed logins (invalid user/valid user/root).
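The per-account-type thresholds described above can be illustrated with a short script. This is an added example, not DenyHosts code and not part of the original page: the log lines are constructed OpenSSH-style samples, the threshold values are illustrative, and the sketch flags a source once its count reaches the threshold, following the wording above.

```shell
#!/bin/sh
# Added example, not DenyHosts code: per-source failure counting with
# separate thresholds for invalid-user, valid-user and root logins.

# Constructed OpenSSH-style auth.log lines (documentation address ranges).
sample_auth_log() {
cat <<'EOF'
Mar  3 10:00:01 web01 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  3 10:00:03 web01 sshd[4103]: Failed password for invalid user test from 203.0.113.7 port 40118 ssh2
Mar  3 10:00:05 web01 sshd[4105]: Failed password for invalid user oracle from 203.0.113.7 port 40121 ssh2
Mar  3 10:00:07 web01 sshd[4107]: Failed password for invalid user from from 203.0.113.7 port 40125 ssh2
Mar  3 10:00:09 web01 sshd[4109]: Failed password for invalid user guest from 203.0.113.7 port 40130 ssh2
Mar  3 10:02:11 web01 sshd[4120]: Failed password for root from 198.51.100.20 port 51514 ssh2
Mar  3 10:05:40 web01 sshd[4133]: Failed password for deploy from 192.0.2.44 port 60022 ssh2
Mar  3 10:05:52 web01 sshd[4135]: Failed password for deploy from 192.0.2.44 port 60030 ssh2
Mar  3 10:06:10 web01 sshd[4137]: Accepted publickey for deploy from 192.0.2.44 port 60041 ssh2
EOF
}

# Reads log lines on stdin; prints "ip kind count" for each source whose
# failures reach the threshold for that kind of account.
# Args: $1 invalid-user threshold, $2 valid-user threshold, $3 root threshold.
find_offenders() {
    awk -v t_invalid="$1" -v t_valid="$2" -v t_root="$3" '
    /sshd\[[0-9]+\]: Failed password for / {
        # Take the address after the LAST "from", so a user name that is
        # literally "from" cannot shift which field is read as the source.
        ip = ""
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "") next
        kind = "valid"
        if ($0 ~ /Failed password for invalid user /) kind = "invalid"
        else if ($0 ~ /Failed password for root from /) kind = "root"
        seen[ip " " kind]++
    }
    END {
        for (k in seen) {
            split(k, part, " ")
            limit = t_valid
            if (part[2] == "invalid") limit = t_invalid
            if (part[2] == "root") limit = t_root
            if (seen[k] >= limit) print part[1], part[2], seen[k]
        }
    }' | sort
}

# Illustrative thresholds: 5 invalid-user, 10 valid-user, 1 root failure.
sample_auth_log | find_offenders 5 10 1
```

The two failures for the valid account `deploy` stay below the valid-user threshold, which is why a stricter limit for unknown accounts and root costs legitimate users very little.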

You can run DenyHosts manually, as a daemon or as a cron job.

You can sync from public servers that block known attack IP Addresses.

Using IPFilter Rules

Your new Joyent SmartMachines come with Crossbow networking and access to the virtual NIC by default. This means you have full control over the networking stack of your machine. A security best practice is to access back-end services behind load balancers or Zeus/Stingray through a bastion host or VPN server. You can assign IPFilter rules to ensure secure communication between services and your SmartMachine.

You can use IP rules to further secure your system to pass security audits. For example, only allow SSH from your static IP or from a block of IPs that your ISP uses. (Note that you will only be able to access your system from the IP addresses you allow.)

The following briefly describes how to assign IPFilter rules to your SmartOS SmartMachine or appliance.

More information on using IPF can be found in this Oracle IPF Documentation

Starting and stopping IPfilter

The IPfilter process is configured to run under the Service Management Facility.

IPfilter is disabled by default. You need to use svcadm to enable, disable, start or stop the service. For initial setup of the service:

Use restart to restart the service:

Use this to check the status of the service. Notice the use of grep:

Sample IPfilter rules

IPfilter rules are contained in /etc/ipf/ipf.conf:

  • src.ip.addr specifies the source.
  • dest.ip.addr specifies the destination.

To allow inbound traffic from a specific IP address:

To allow inbound traffic from a specific IP address to a specific port:

To allow only inbound ICMP traffic from a specific IP address:

To allow outbound traffic from the SmartMachine to anyone:

To block traffic from a specific IP address:

To block traffic from a specific range:

To block traffic from anyone to a specific IP:

To block only ICMP from a specific IP:

To block a specific port from anyone:

To set up a default deny policy, block all ports except 443 and 80:

Ranges can apply to any rule, just use x.x.x.x/xx instead of a specific IP.
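The default deny policy and the SSH source restriction described above can be checked mechanically before a ruleset is loaded. The following is an added example, not part of the original page: both rulesets and the 203.0.113.10 admin address are constructed, and `audit_rules` is a hypothetical heuristic that only understands the simple rule shapes shown here.

```shell
#!/bin/sh
# Added example: heuristic review of an ipf.conf-style ruleset.
# Both rulesets and the admin address 203.0.113.10 are constructed.

# Weak: no default deny, and SSH is reachable from any source.
weak_rules() {
cat <<'EOF'
pass in quick proto tcp from any to any port = 22 keep state
pass in quick proto tcp from any to any port = 80 keep state
pass in quick proto tcp from any to any port = 443 keep state
pass out quick all keep state
EOF
}

# Hardened: inbound traffic is blocked unless a later "quick" rule passes it,
# and SSH is limited to one admin address.
hardened_rules() {
cat <<'EOF'
# default deny for inbound traffic
block in all
pass in quick proto tcp from 203.0.113.10 to any port = 22 keep state
pass in quick proto tcp from any to any port = 80 keep state
pass in quick proto tcp from any to any port = 443 keep state
pass out quick all keep state
EOF
}

# Reads rules on stdin and prints one finding per line (nothing if clean).
# Ports 80 and 443 are the only ones accepted as open to any source.
audit_rules() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    $1 == "block" && $2 == "in" && $NF == "all" { deny = 1 }
    $1 == "pass" && $2 == "in" && / from any / && / port = / {
        port = ""
        for (i = 1; i <= NF - 2; i++)
            if ($i == "port" && $(i + 1) == "=") port = $(i + 2)
        if (port != 80 && port != 443) print "open-to-any port " port
    }
    END { if (!deny) print "no default deny (block in all)" }'
}

echo "weak ruleset findings:";     weak_rules | audit_rules
echo "hardened ruleset findings:"; hardened_rules | audit_rules
```

To review a live configuration, run `audit_rules < /etc/ipf/ipf.conf`.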

Testing IPF rules

You can use this command to test active IP packet filtering:

ipfstat -io 

More information for IPF can be found in this Oracle documentation

Best Practice Tips

Scan public systems for open ports

Scan all ports on your public-facing server with a tool like Nmap or Snoop. This will give you a list of all open ports.

Central logging server

Have all servers send logs to a central server.

Setting up a Bastion Host with VPN

You should limit the number of IP addresses that are public and accessible from the Internet. Setting up a bastion host provides control over entry points to your systems.

Securing your SSH server

By default the SSH server is very secure. You can further secure your SSH server by editing the /etc/ssh/sshd_config file to:

  • Allow only v2 of the SSH protocol
  • Only allow authentication via SSH public keys and disable password authentication

Enable Monitoring and set Alerts

Monitoring is vital to ensuring the security of your SmartMachines. You can set up monitoring and configure security thresholds that alert you when a threshold is reached.

Joyent has partners that offer free monitoring to Joyent customers:

http://wiki.joyent.com/display/gen/Partner+Applications

Backup and test restore your systems

A good backup strategy is vital to running production systems in the Joyent Public Cloud. This ensures you can always revert your systems to a secure state in case of catastrophic failure.

Joyent recommends a combination of the following to back up your systems:

  • Place code and config files under version control (SVN, Perforce, Git, and so on).
  • Archive data to an NFS share. NFS is served off of a separate physical server.
  • Install a backup server and use NFS space as virtual tapes. This is the best solution as you can restore individual files.

The Joyent cloud is not a replacement for backing up your systems.

Enable Role Based Access Control (RBAC)

Role Based Access Control is a powerful but lesser-known feature of Solaris. You can find information on how to set up RBAC in SmartOS here.
