Security Best Practices

The following is a list of security best practices to consider for the Appliance.

  • Install and maintain software updates

    We recommend installing all available updates, and continuing to do so in the future. See here for how to obtain and install the latest software onto the Appliance.

  • Configure security-related System Wide Settings

    Once the Appliance is up to date, review the following items, accessible on the System → System Setup → System Wide Settings page:

    • Cluster Members

      This should be left empty until/unless Thunderstone services on remote machines are configured that need it, such as replication (here) or Dataload (here). See here.

    • Audit Logging

      Consider whether audit logging should be enabled. When enabled, many events such as changes to settings, logins, failed logins etc. will be logged to a file for analysis. Review the log periodically. See here for details.

    • OS Login Banner See here

    • System Alert Email See here

    • Console Password See here

    • Enable HTTPS Server

      Enables HTTPS on the Appliance for secure connections. Set this to Y; see here. See below for information on blocking access to HTTP (non-HTTPS) connections if desired. On Gen4 appliances, this is always on so there is no setting.

    • Require HTTPS for Direct Admin

      Requires that HTTPS be used for direct (non-proxied) administrative actions. Set to Y; see here.

    • Require HTTPS for Proxy Admin

      Requires that HTTPS be used for proxied administrative actions. Set to Y; see here.

    • Admin Access IPs

      Requires that administrative actions (to the .../dowalk interface) on the Appliance come from one of the given IPs or networks. If only certain workstations with fixed IPs (or networks/submasks) should administer the Appliance, then those addresses should be entered. See here.

    • HTTPS/SSL Protocols

      If support for less-secure/legacy SSL protocols is not needed, uncheck all but the highest protocol, currently TLSv1.3. See here.

    • HTTPS/SSL Ciphers

      Set to DEFAULT:!LOW:!EXPORT:!RC4:!SSLv3:!3DES or any more secure setting based on your site requirements. See here.

    • Enable SNMP Service

      SNMP should be disabled (N), as SNMP is an insecure protocol and can reveal configuration information.

  • Configure security-related Webmin settings

    Some security items are configured using Webmin, which may be accessed from the admin web interface using System → System Setup → Webmin System Management, or directly by accessing https://ApplianceHost:999/. Log in as admin using the same password as the admin account of the main Appliance web interface. Then consider the following actions:

    • Disable unused ethernet ports

      Any unused ethernet ports should be disabled. There are two ways to disable an ethernet port:

      • On the console: Set the ethernet port to not use DHCP and leave the IP address empty. On Gen4 appliances you can select Disabled for the unused port(s).

      • Using Webmin: You may set the IP address to No address configured or delete the port configuration altogether. And/or set Activate at boot? to No.

    • Use the firewall

      The iptables firewall on the Appliance is configured using the Webmin interface; select the Linux Firewall link (on Gen4 appliances, select the FirewallD link). You may wish to configure the firewall here according to your local security policy. For example, if you have set Enable HTTPS Server (above) to Y, but further wish to have all access - admin and search - only through HTTPS, then access to the HTTP server on port 80 can be blocked.

      To do this on Gen4 appliances select the Service http (80) rule then click Delete Selected Rules.

      To do this on appliances prior to Gen4, select Linux Firewall. The first time this is chosen, a default policy will be asked for; select Allow all traffic and the ethN port you configured the Appliance's IP on (typically eth0). Also check Enable firewall at boot time?. Then hit Setup Firewall.

      In the Incoming packets (INPUT) section click Add Rule. Then set Rule comment to "Block http port 80" or such, set Action to take to Reject, set Network protocol to Equals, set Destination TCP or UDP port to Equals, and enter 80 for Port(s). Then click Create at the bottom of the page.

      Now click Apply Configuration at the bottom, and make sure you're still able to reach the Appliance. If you've accidentally locked yourself out, go to the Appliance console (physical or VM) and select F drop Firewall/NAT (Allow all network access) to delete the firewall configuration and make it wide open again.

  • Enable and use ACLs

    Distinct administrative users should have distinct accounts, and accounts should not be shared. Consider enabling access control (here), and giving each user only the permission(s) needed to accomplish their tasks. Set up a group for each role - e.g. walk maintainers vs. look-and-feel editors vs. system admins - and assign users to those groups as needed, per their roles. Creating roles as groups instead of users makes audit logging (here) more useful and user management easier.

  • Configure security-related profile settings

    For every profile (both existing, and new ones created in the future), consider the following settings:

    Under Search Settings, check the following:

    • Use Results Authorization

      If appropriate for the environment, consider using Results Authorization (here) to limit search results to those a search user is authorized for. Note that this can have a search performance impact.

    • Enable Phishing Protection

      Make sure Phishing Protection (here) is enabled, so users cannot be redirected to arbitrary URLs.

    • Enable Prevent Find Similar Fetch

      Make sure Prevent Find Similar Fetch (here) is enabled, to prevent the appliance from fetching arbitrary URLs.

    Under All Walk Settings, check the following:

    • Keep resource limits low

      Resource limit settings such as Max Page Size, Max URL Size, Page Timeout, Maximum Process Size etc. should be left at their default values if possible, or only increased as much as needed. Setting them to very large or unlimited values can potentially allow a walk to consume inordinate amounts of resources, potentially slowing searches or bringing the machine down.
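
For the HTTPS/SSL Ciphers and HTTPS/SSL Protocols settings above, the following added example (not Thunderstone code) expands the recommended cipher string with the local OpenSSL to confirm that no weak suites remain, and probes whether a server still accepts a handshake below TLSv1.3. The function names and the WEAK_MARKERS list are assumptions made for illustration; results depend on the OpenSSL build that Python is linked against.

```python
import socket
import ssl

# Cipher string recommended on this page for the HTTPS/SSL Ciphers setting.
RECOMMENDED = "DEFAULT:!LOW:!EXPORT:!RC4:!SSLv3:!3DES"
# Assumed substrings of OpenSSL suite names that the exclusions should remove.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC3", "EXP-", "NULL")


def expand(cipher_string):
    """Return the suites the local OpenSSL enables for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def weak_suites(cipher_string):
    """Names of enabled suites that are weak or tagged SSLv3 by OpenSSL."""
    return sorted(
        c["name"] for c in expand(cipher_string)
        if c["protocol"] == "SSLv3" or any(m in c["name"] for m in WEAK_MARKERS)
    )


def removed_by_exclusions(base="DEFAULT", hardened=RECOMMENDED):
    """Suites enabled by the base string that the hardened string drops."""
    kept = {c["name"] for c in expand(hardened)}
    return sorted(c["name"] for c in expand(base) if c["name"] not in kept)


def legacy_protocol_accepted(host, port=443, cap=ssl.TLSVersion.TLSv1_2):
    """True if the server completes a handshake with a client capped below TLSv1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol probe only: the certificate
    ctx.verify_mode = ssl.CERT_NONE  # is deliberately not evaluated here
    ctx.maximum_version = cap
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    print("weak suites still enabled:", weak_suites(RECOMMENDED))
    print("dropped from DEFAULT:", removed_by_exclusions())
```

After unchecking all but TLSv1.3, legacy_protocol_accepted("ApplianceHost") should return False; a True result means an older protocol is still enabled.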


Copyright © Thunderstone Software     Last updated: Oct 10 2023