Differences
This shows you the differences between two versions of the page.
cloudappliance/bestpractices [2019_10_29 00:17] – [1 Introduction] steven | cloudappliance:bestpractices [2023_06_22 05:41] – external edit 127.0.0.1 | ||
Line 4: | Line 4: | ||
====== File Fabric Deployment Security Best Practices ====== | ====== File Fabric Deployment Security Best Practices ====== | ||
+ | == last updated on: July 16, 2021 == | ||
+ | ===== 1. Introduction ===== | ||
- | ===== 1 Introduction ===== | ||
- | + | The Storage Made Easy File Fabric is provided as an interoperable OVF file and can work with VMWARE, XEN, KVM, and Hyper-V hypervisors. | |
- | The Storage Made Easy File Fabric is provided as an interoperable OVF file and can work with VMWARE, XEN, KVM, and Hyper-V hypervisors. It can also be installed on bare metal. | + | |
The File Fabric uses the Apache Web Server to serve pages and the underlying Linux Operating System is CentOS. CentOS is hardened using NSA hardening guidelines. You can review these at: [[http:// | The File Fabric uses the Apache Web Server to serve pages and the underlying Linux Operating System is CentOS. CentOS is hardened using NSA hardening guidelines. You can review these at: [[http:// | ||
- | The File Fabric is also extensively tested using commercial penetration testing software prior to each release. | + | The File Fabric is also extensively tested using commercial penetration testing software prior to each major and minor release. |
The File Fabric can be extensively configured as required as the infrastructure software is industry standard and well understood . | The File Fabric can be extensively configured as required as the infrastructure software is industry standard and well understood . | ||
We provide a separate white paper for High Availability guidelines. This white paper suggests some best practice but ultimately the deployment best practices are the responsibility of the deployer and should be inline with their existing deployment practices for such systems. | We provide a separate white paper for High Availability guidelines. This white paper suggests some best practice but ultimately the deployment best practices are the responsibility of the deployer and should be inline with their existing deployment practices for such systems. | ||
- | ===== 2 Fail2Ban ===== | ||
+ | ===== 2. Fail2Ban - Intrusion Detection Protection ===== | ||
- | The SME Appliance ships with a customized version of Fail2Ban (http: | ||
- | This is constantly working and scanning and as such it is an extra protection for the appliance. Fail2Ban can also be setup to help prevent DOS attacks. To do this simply edit / | + | |
+ | The File Fabric is setup for integration with a customized version of Fail2Ban (http: | ||
+ | |||
+ | Fail2Ban is an intrusion prevention software framework that can help protect the File Fabric from brute-force attacks. | ||
+ | |||
+ | Fail2Ban scans logs file for malicious patterns ie. DoS attacks, too many password failures, SSH logins, seeking exploits, trying to scan for download links etc. If the software detects such malicious patterns it automatically updates the File Fabric firewall rules to reject IP addresses for a specified amount of time (10 minutes). | ||
+ | |||
+ | This is constantly working and scanning and as such it is an extra security | ||
< | < | ||
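Review bot: the new Fail2Ban paragraph presents the ban duration as fixed ("reject IP addresses for a specified amount of time (10 minutes)"), but that is the jail's bantime setting, which the deployer can change; 10 minutes is only the upstream default, so suggest "for a configurable period (bantime, 10 minutes by default)". Two related points in this region: the new heading says "Intrusion Detection Protection" while the body correctly calls Fail2Ban an intrusion prevention framework (it bans sources rather than only alerting), so "Intrusion Prevention" in the heading would be consistent; and the sentence "It can also be installed on bare metal" was dropped from the introduction while the old revision's "To do this simply edit /..." instruction for DoS protection no longer appears beside the new text, so if bare metal is still a supported target, or the DoS instruction did not simply move into the code block that follows, both should be restored. Minor wording: "scans logs file" should be "scans log files" and "ie." should be "e.g.".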
Line 54: | Line 60: | ||
</ | </ | ||
- | This is an example of how Fail2Ban can be used to help prevent attacks but in an of itself it is not a solution. It is just one of the measures | + | This is an example of how Fail2Ban can be used to help prevent attacks but in an of itself it is not a solution. It is just one security measure |
- | ===== 3 Internet Security Protection services ===== | + | ===== 3. Internet Security Protection services ===== |
- | There are many commercial services that can be used to protect an infrastructure from attacks. Many ISPâs | + | There are many commercial services that can be used to protect an infrastructure from attacks. Many ISP' |
Examples are: | Examples are: | ||
+ | |||
+ | https:// | ||
http:// | http:// | ||
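Review bot: "in an of itself it is not a solution" is carried over unchanged into the new text and should read "in and of itself". The old revision's "ISPâs" was a mis-encoded apostrophe, but the replacement "ISP's" is still wrong as a plural; the plural is "ISPs" (the same form recurs in the HAProxy and Conclusion paragraphs below, so fix it consistently). It would also help the reader to say in one clause what class of attack each listed service absorbs (volumetric DDoS, application-layer filtering), since "Examples are:" followed by bare links gives no basis for choosing between them.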
Line 74: | Line 82: | ||
- | ===== 4 Proxy or Load Balancer ===== | + | ===== 4. Proxy or Load Balancer ===== |
Line 91: | Line 99: | ||
If you are running your own Load Balancer based on HAProxy, look at the sysctl below (edit / | If you are running your own Load Balancer based on HAProxy, look at the sysctl below (edit / | ||
- | Note: If the attack is very large and saturates internet bandwidth, the only solution is to ask the internet access provider to null route the attackers | + | Note: If the attack is very large and saturates internet bandwidth, the only solution is to ask the internet access provider to null route the attackers |
For Slow DOS (SlowLoris) attacks clients will slowly send requests to a server, header by header, or character by character, waiting a long time between each of them and the server have to wait until the end of the request to process, and send back the response. The purpose of the attack is to prevent regular use of the service as the attacker is using all the available resources with these very slow requests. In order to protect against this kind of attack setup the HAProxy option timeout http-request. It can set to 5s, which should be long enough. This simply tells HAProxy to give a 5 second time limit to a client to send its whole HTTP request, otherwise HAProxy will shut the connection with an error. | For Slow DOS (SlowLoris) attacks clients will slowly send requests to a server, header by header, or character by character, waiting a long time between each of them and the server have to wait until the end of the request to process, and send back the response. The purpose of the attack is to prevent regular use of the service as the attacker is using all the available resources with these very slow requests. In order to protect against this kind of attack setup the HAProxy option timeout http-request. It can set to 5s, which should be long enough. This simply tells HAProxy to give a 5 second time limit to a client to send its whole HTTP request, otherwise HAProxy will shut the connection with an error. | ||
- | HAProxy can be quite a comprehensive solution as a defense for attacks and is in use in many companies and ISPs. | + | HAProxy can be quite a comprehensive solution as a defense for attacks and is in use in many companies and ISP's. |
+ | |||
+ | A good place for further information is: [[https:// | ||
- | A good place for further information is: | + | ===== 5. Hostname ===== |
- | [[http://blog.exceliance.fr/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/%0A|http: | + | The mitigate |
+ | To force set the hostname, apply the following configuration: | ||
+ | ``` | ||
+ | ffconfig set hostname ' | ||
+ | ``` | ||
+ | ===== 6. Brute Force Account Protection ===== | ||
- | ===== 5 Conclusion ===== | + | Two levels of brute force protection are available within the File Fabric: |
+ | * General Brute Force Protection - automatically blocking any person successively failing to login to any account over a configurable number of times (Site Functionality) | ||
+ | * Account Specific Lock-Out - automatically suspending user accounts where a successive number of failed login attempts are made (Org Policies) | ||
+ | ===== 7. Conclusion ===== | ||
- | This section provides details on options that can be considered for protection against various internet attacks when deploying the SME File Fabric.\\ \\ Many companies and ISP / MSPs may already have their own best practices and guidelines for such deployments and what is presented in this white paper can be considered and addendum to existing best practices for production deployment.\\ \\ | + | This section provides details on options that can be considered for protection against various internet attacks when deploying the Enterprise |
+ | Many Companies and ISP / MSP's may already have their own best practices and guidelines for such deployments and what is presented in this white paper can be considered and addendum to existing best practices for production deployment. | ||
+ | For a general security overview of the File Fabric software please visit the [[/ | ||
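Review bot: the new Brute Force Account Protection section needs one caveat: "Account Specific Lock-Out" suspends the targeted account after repeated failures, which an attacker can trigger deliberately to lock a known user out, so the bullet should recommend a time-limited suspension rather than an indefinite one and present the per-source "General Brute Force Protection" as the first control. In the Proxy or Load Balancer hunk, the advice to have the provider "null route the attackers" rarely works for a bandwidth-saturating attack because the source addresses are spoofed or widely distributed; providers more commonly blackhole the attacked destination address (remotely triggered black hole) or divert traffic to a scrubbing service, and the sentence should say so. In the SlowLoris paragraph, give the directive in its HAProxy form alongside the prose, e.g. `timeout http-request 5s` in the `defaults` or `frontend` section, and fix "the server have to wait" to "has to wait" and "It can set to 5s" to "It can be set to 5s". In the new Hostname section, "The mitigate" should be "To mitigate", and the ffconfig example should state which value belongs in the quotes (the externally reachable FQDN the service is published under) so the reader knows what "force set" is pinning. Finally, "considered and addendum" should read "considered an addendum" in both columns, and "ISP / MSP's" should be "ISP / MSPs".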