Hello,
My name is Ken Young and I am working with the StarlingX Open Source community to set up a mirror of all our 3rd Party dependency code and CentOS. We currently have a prototype running but we would like to harden the security measures we have in place for the server. For example, we would like to move this server behind an external firewall.
Would you be willing to share what security hardening you have completed for your mirrors? Any information would be greatly appreciated.
Thank you in advance.
Regards, Ken Y
We use pfSense running HAProxy (which is a plugin available natively in pfSense), which acts as our TLS termination for the public certificates (internal servers have internal certs) as well as our load balancer. TLS certs are managed with the ACME plugin for Let's Encrypt, and the Intel processor is using AES-NI to speed up the TLS.
Overall, for security, just using a static service for serving the content solves most attack vectors, as there aren't any CGI or related scriptlets running server side. Cut off public SSH (if required, some advocate alternate ports, but this isn't so much intrusion prevention as preventing lockouts caused by spam bots). SSH should be using key-based authentication.
For ciphers and modes for TLS/SSH etc., I recommend checking out cipherli.st and the Mozilla TLS guidelines. Cipherli.st has an up-to-date set of configs for most software's TLS/SSH settings, and the Mozilla guide has better explanations of how these modes work and what they do.
For pfSense, I allow our management pages externally since they also run our VPN (users can download a client), but if you don't need that I would cut off external access to pfSense.
I set up a rule to allow ports 80, 443 and 873 to HAProxy (via pfSense, set to allow to a single host, which is the IP HAProxy is listening on). For HAProxy it does a simple TCP socket check for 873 since rsync isn't a supported mode in HAProxy, so if the socket is open it just balances between the servers.
Cheers, -Jim
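The setup Jim describes (public TLS terminated on HAProxy with the ACME certificate, internal mirror servers with internal certs behind it, and rsync on 873 balanced in plain TCP mode with a socket check) written out as a hand-built haproxy.cfg. This is an added example, not Jim's or the CentOS mirror's actual configuration: pfSense's HAProxy package generates its config from the GUI, and the listener IP 192.0.2.10, backend IPs 10.0.0.11/12, hostname mirror.example.org, certificate and CA paths are all assumptions. The cipher lists follow the Mozilla "intermediate" profile current at the time of writing; check the Mozilla TLS guidelines or cipherli.st for the current recommendation before copying them. Requires HAProxy 2.0 or later for the TLS 1.3 ciphersuites line.

```haproxy
global
    log /dev/log local0
    # Public-facing TLS policy: TLS 1.2 minimum, AEAD ciphers only, no session tickets.
    # Values assumed from the Mozilla "intermediate" profile; verify against current guidance.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    tune.ssl.default-dh-param 2048

defaults
    log global
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Port 80: nothing is served in the clear, it only redirects to HTTPS.
frontend http_in
    mode http
    bind 192.0.2.10:80
    http-request redirect scheme https code 301

# Port 443: public TLS is terminated here with the Let's Encrypt certificate
# (path assumed; pfSense's ACME package writes the PEM for you).
frontend https_in
    mode http
    bind 192.0.2.10:443 ssl crt /var/etc/haproxy/mirror.example.org.pem alpn h2,http/1.1
    http-response set-header Strict-Transport-Security "max-age=31536000"
    default_backend mirror_http

# Internal mirror servers present internal certs, so re-encrypt to them and
# verify against the internal CA rather than trusting the LAN blindly.
backend mirror_http
    mode http
    balance roundrobin
    option httpchk GET /centos/
    server mirror1 10.0.0.11:443 ssl verify required ca-file /etc/ssl/internal-ca.pem check
    server mirror2 10.0.0.12:443 ssl verify required ca-file /etc/ssl/internal-ca.pem check

# Port 873: HAProxy has no rsync protocol support, so this is plain TCP.
# "check" in tcp mode is just a connect test: if the socket opens, the server
# is considered up and traffic is balanced between the mirrors.
listen rsync_in
    mode tcp
    bind 192.0.2.10:873
    balance roundrobin
    option tcp-check
    server mirror1 10.0.0.11:873 check
    server mirror2 10.0.0.12:873 check
```

The pfSense firewall rule in front of this is then a single WAN pass rule with destination 192.0.2.10 and destination ports 80, 443 and 873; everything else (including SSH and the pfSense web GUI) stays closed on the WAN interface. Run `haproxy -c -f haproxy.cfg` to syntax-check the file before loading it.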
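For the SSH part of Jim's advice (no public SSH, key-based authentication only), an sshd_config fragment for the mirror hosts themselves. This is an added example, not configuration from the thread; the management network 10.0.0.0/24 and the user name mirroradmin are assumptions, and the key-exchange, cipher and MAC lists follow the Mozilla OpenSSH guidelines and should be re-checked against the current version of that page.

```sshd_config
# Listen only on the internal address; the public side is closed at the
# firewall anyway, but this removes the service from the WAN entirely.
ListenAddress 10.0.0.11
Port 22

# Keys only: no passwords, no interactive challenges, no root login.
AuthenticationMethods publickey
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 30

# Only the admin account, and only from the management network (assumed values).
AllowUsers mirroradmin@10.0.0.0/24

# No forwarding or agent use on a box that only serves static files.
AllowTcpForwarding no
X11Forwarding no
AllowAgentForwarding no

# Modern algorithms per the Mozilla OpenSSH guidelines (verify against the current list).
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

LogLevel VERBOSE
```

Before restarting sshd, validate the file with `sshd -t` and confirm the effective settings with `sshd -T | grep -Ei 'passwordauthentication|permitrootlogin|authenticationmethods'`; keep an existing session open while you test a fresh login with the key, so a mistake does not lock you out.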
On Fri, Oct 26, 2018 at 1:12 PM Ken Young kenyis@rogers.com wrote:
CentOS-mirror mailing list CentOS-mirror@centos.org https://lists.centos.org/mailman/listinfo/centos-mirror