Security Best Practices

The following is a list of some best practices for the Appliance to consider from a security perspective.

• Install and maintain software updates

  We recommend installing all available updates, and continuing to do so in the future. See here for how to obtain and install the latest software onto the Appliance.

• Configure security-related System Wide Settings

  Once the Appliance is up to date review the following items, accessible on the System → System Setup → System Wide Settings page:

  • Cluster Members

    This should be left empty until/unless Thunderstone services on remote machines are configured that need it, such as replication (here) or Dataload (here). See here.

  • Audit Logging

    Consider whether audit logging should be enabled. When enabled, many events such as changes to settings, logins, failed logins etc. will be logged to a file for analysis. Review the log periodically. See here for details.

  • OS Login Banner See here

  • System Alert Email See here

  • Console Password See here

  • Enable HTTPS Server

    Enables HTTPS on the Appliance for secure connections. Set this to Y; see here. See below for information on blocking access to HTTP (non-HTTPS) connections if desired. On Gen4 appliances, this is always on so there is no setting.

  • Require HTTPS for Direct Admin

    Requires that HTTPS be used for direct (non-proxied) administrative actions. Set to Y; see here.

  • Require HTTPS for Proxy Admin

    Requires that HTTPS be used for proxied administrative actions. Set to Y; see here.

  • Admin Access IPs

    Requires that administrative actions (to the .../dowalk interface) on the Appliance come from one of the given IPs or networks. If only certain workstations with fixed IPs (or networks/submasks) should administer the Appliance, then those addresses should be entered. See here.

  • HTTPS/SSL Protocols

    If support for less-secure/legacy SSL protocols is not needed, uncheck all but the highest protocol, currently TLSv1.3. See here.

  • HTTPS/SSL Ciphers

    Set to DEFAULT:!LOW:!EXPORT:!RC4:!SSLv3:!3DES or any more secure setting based on your site requirements. See here.

  • Enable SNMP Service

    SNMP should be disabled (N), as SNMP is an insecure protocol and can reveal configuration information.

• Configure security-related Webmin settings

  Some security items are configured using Webmin, which may be accessed from the admin web interface using System → System Setup → Webmin System Management, or directly by accessing https://ApplianceHost:999/. Login as admin using the same password as the admin account of the main Appliance web interface. Then consider the following actions:

  • Disable unused ethernet ports

    Any unused ethernet ports should be disabled. There are two ways to disable an ethernet port:

    • On the console: Set the ethernet port to not use DHCP and leave the IP address empty. On Gen4 appliances you can select Disabled for the unused port(s).

    • Using Webmin: You may set the IP address to No address configured or delete the port configuration altogether. And/or set Activate at boot? to No.

  • Use the firewall

    The iptables firewall on the Appliance is configured using the Webmin interface; select the Linux Firewall link (on Gen4 appliances select the FirewallD link. You may wish to configure the firewall here according to your local security policy. For example, if you have set Enable HTTPS Server (above) to Y, but further wish to have all access - admin and search - only through HTTPS, then access to the HTTP server on port 80 can be blocked.

    To do this on Gen4 appliances select the Service http (80) rule then click Delete Selected Rules.

    To do this on prior to Gen4 appliances, select Linux Firewall. The first time this is chosen, a default policy will be asked for; select Allow all traffic and the ethN port you configured the Appliance's IP on (typically eth0). Also check Enable firewall at boot time?. Then hit Setup Firewall.

    In the Incoming packets (INPUT) section click Add Rule. Then set Rule comment to "Block http port 80" or such, set Action to take to Reject, set Network protocol to Equals, set Destination TCP or UDP port to Equals, and enter 80 for Port(s). Then click Create at the bottom of the page.

    Now click Apply Configuration at the bottom, and make sure you're still able to reach the Appliance. If you've accidentally locked yourself out go to the Appliance console (physical or VM) and select F drop Firewall/NAT (Allow all network access) to delete the firewall configuration and make it wide open again.

• Enable and use ACLs

  Distinct administrative users should have distinct accounts, and accounts should not be shared. Consider enabling access control (here), and giving each user only the permission(s) needed to accomplish their tasks. Set up a group for each role - e.g. walk maintainers vs. look-and-feel editors vs. system admins - and assign users to those groups as needed, per their roles. Creating roles as groups instead of users makes audit logging (here) more useful and user management easier.

• Configure security-related profile settings

  For every profile (both existing, and new ones created in the future), consider the following settings:

  Under Search Settings, check the following:

  • Use Results Authorization

    If appropriate for the environment, consider using Results Authorization (here) to limit search results to those a search user is authorized for. Note that this can have a search performance impact.

  • Enable Phishing Protection

    Make sure Phishing Protection (here) is enabled, so users cannot be redirected to arbitrary URLs.

  • Enable Prevent Find Similar Fetch

    Make sure Prevent Find Similar Fetch (here) is enabled, to prevent the appliance from fetching arbitrary URLs.

  Under All Walk Settings, check the following:

  • Keep resource limits low

    Resource limit settings such as Max Page Size, Max URL Size, Page Timeout, Maximum Process Size etc. should be left at their default values if possible, or only increased as much as needed. Setting them to very large or unlimited values can potentially allow a walk to consume inordinate amounts of resources, potentially slowing searches or bringing the machine down.