neontribe / Linked_Development

Linked Development

Secure server #11

Closed harryharrold closed 11 years ago

harryharrold commented 11 years ago

Security configuration should follow good practices, ensuring Virtuoso Conductor is secured by a strong password, the default SPARQL endpoint allows read-only access, and other SSH and Apache security is checked.

ghost commented 11 years ago

SE Linux install is pending my hostname and domain name config script. Also the hardening and firewall will be top priorities.

SSH has been hardened (no root logins) though we have the option of enforcing keys for remote access (to discuss with customer) and a user account called linked-data (name to be changed, was configured before project rename) that is available for SSH access. Neil has configured the SPARQL endpoint and I need to confirm this is set up to be read-only.

A second pass on the security settings will be done when more of the basic server configuration is finished.

harryharrold commented 11 years ago

enforcing keys regarded as good, please do that...

ghost commented 11 years ago

The issue around using keys by default is that if we bundle the keys with the patch then anyone grabbing the patch from turnkey will have your keys.

If we prompt for the key, a user has to type in a long SSH key and the possibilities of typos are high (and there will be no remote access if it's not typed in correctly).

One of the reasons we can't copy / paste the key to the machine is whether it's virtual or real we won't be able to paste into an input window until SSH is up as a service.

My suggestion would be to bring the appliance up with non root ssh access (password entered during installation), and then provide either a script or simple instructions to flip the SSH access over to using keys.
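The flip to key-only SSH described in the comment above, as an added example that is not part of the original thread or the project's code. It refuses to disable passwords unless a parseable public key is already installed, which addresses the lockout risk raised about mistyped keys; `flip_to_keys` and its two path arguments are assumed names.

```shell
#!/bin/sh
# Added example, not project code. flip_to_keys and its arguments are
# assumed names; the sshd_config keywords and ssh-keygen flags are real.
#
# flip_to_keys SSHD_CONFIG AUTHORIZED_KEYS
#   Prints the installed key fingerprint(s) and rewrites SSHD_CONFIG for
#   key-only logins. Returns 1 and leaves the file untouched otherwise.
flip_to_keys() {
    config=$1
    authkeys=$2

    # Fail closed: with no parseable key, turning passwords off would
    # remove the only remote way in.
    if [ ! -s "$authkeys" ]; then
        echo "refusing: $authkeys is missing or empty" >&2
        return 1
    fi
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "refusing: ssh-keygen is not available to check the key" >&2
        return 1
    fi
    # ssh-keygen -l rejects truncated or malformed keys. A typo can still
    # decode to a well-formed key, so compare the printed fingerprint
    # with the one shown on the client.
    if ! ssh-keygen -l -f "$authkeys" 2>/dev/null; then
        echo "refusing: $authkeys does not contain a valid public key" >&2
        return 1
    fi

    tmp=$(mktemp "${config}.XXXXXX") || return 1
    # sshd keeps the first value it reads for a keyword, so the new
    # settings go first and earlier occurrences are dropped.
    {
        echo "PubkeyAuthentication yes"
        echo "PasswordAuthentication no"
        grep -Eiv '^[[:space:]]*(PubkeyAuthentication|PasswordAuthentication)[[:space:]=]' "$config" || true
    } > "$tmp"
    # Keep a backup, then overwrite in place so mode and owner survive.
    cp -p "$config" "${config}.bak" && cat "$tmp" > "$config"
    status=$?
    rm -f "$tmp"
    return $status
}
```

After it succeeds, check the result with `sshd -t`, reload sshd, and confirm a key login from a second session before closing the current one.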

ghost commented 11 years ago

Raised an issue with the turnkey developers as adding selinux-basics & selinux-policy-default packages to the install list breaks tklpatch when building against the turnkey-core-13.0rc-wheezy-i386.iso although it works as intended on turnkey-core-12.0rc-squeeze-i386.iso.

ghost commented 11 years ago

SELinux now installs as part of the patch. Build process broken for wheezy (raised as #24) however turnkey developers informed us this would be unlikely to change until it's officially released (couple of months).

todo:

- selinux-activate (pre reboot)
- reboot
- check-selinux-installation (post reboot)
- sed -i "s/FSCKFIX=no/FSCKFIX=yes/g" /etc/default/rcS (post reboot?)

ghost commented 11 years ago

selinux-activate and /etc/default/rcS now done. Basic selinux integration now complete though some errors on check-selinux-installation require further research:

$ check-selinux-installation
/usr/sbin/check-selinux-installation:19: DeprecationWarning: os.popen3 is deprecated. Use the subprocess module.
  @staticmethod
/usr/sbin/check-selinux-installation:23: DeprecationWarning: os.popen2 is deprecated. Use the subprocess module.
  def fix():
/etc/pam.d/login is not SELinux enabled
Postfix init script is syncing the chroots.
Postfix has chrooted service in master.cf