rConfig - Security Hardening Guide
Security Hardening Documentation
Introduction
Security hardening is a critical aspect of maintaining the integrity, confidentiality, and availability of any system, especially one as integral as rConfig. In today’s environment, cyber threats are evolving rapidly, and even a minor vulnerability can lead to significant repercussions. Hardening your systems helps mitigate risks, protect sensitive data, and ensure compliance with industry standards.
rConfig has a strong history of prioritizing security. Since its inception, rConfig has only had three Common Vulnerabilities and Exposures (CVEs), and all of these occurred in the older V3 version. This track record demonstrates rConfig’s commitment to maintaining a secure and reliable platform.
This document serves as a comprehensive end-to-end guide for securing rConfig. While much of the content includes generic best practices for securing systems and applications, it has been tailored to address the specific needs and features of rConfig. Following this guide will help ensure your rConfig deployment is robust against evolving threats.
Conduct a Security Assessment
Before you start hardening, it’s essential to know where your vulnerabilities lie. A security assessment will help you identify gaps in your security policies, practices, and tools.
- Perform Vulnerability Scanning: Use tools like Nessus, OpenVAS, or Qualys to scan your systems and infrastructure for vulnerabilities.
- Penetration Testing: Conduct periodic penetration tests to simulate real-world attacks and assess your network’s resistance.
- Security Audits: Have regular security audits done by an external firm to ensure compliance with standards like NIST, ISO 27001, and SOC 2.
Implement Strong Authentication and Access Controls
rConfig offers robust user authentication capabilities, including local user authentication, Active Directory (AD) integration, and Single Sign-On (SSO) with enterprise-grade services. These features provide flexibility and ensure secure access for various organizational needs. For more details, refer to the following resources:
Additionally, rConfig employs a strong Role-Based Access Control (RBAC) system, enabling administrators to enforce the Principle of Least Privilege (PoLP) effectively. Adhering to these principles ensures users only have access to the resources necessary for their roles. For implementation details, see the RBAC Guide.
Authentication and authorization are the first line of defense. Here’s how you can harden access:
- Use Multi-Factor Authentication (MFA): Enable MFA for all employees, especially for privileged accounts (admin, root, etc.) and critical applications. This could be through SMS-based or app-based methods like Google Authenticator or hardware tokens (e.g., YubiKeys).
- Principle of Least Privilege (PoLP): Ensure users and administrators only have access to the systems and data they absolutely need to perform their jobs.
- Role-Based Access Control (RBAC): Implement RBAC in your systems, especially in applications like databases, network services, and cloud infrastructure.
- Disable Default Accounts: Remove or disable any default administrative or service accounts in your systems and applications. These can be a target for attackers.
Network Hardening
Your network is often the first line of defense, so securing it is paramount. For rConfig, the main connection ports to consider are as follows:
- Outbound Ports:
  - 80 (HTTP)
  - 443 (HTTPS)
  - SSH and Telnet as required for device communication
  - The rConfig server typically only needs outbound internet access to `rconfig.com` (static IP) for version checks. While not required, this is recommended and should be factored into your firewall strategy.
- Inbound Ports:
  - 80 (HTTP)
  - 443 (HTTPS)
  - Optionally 21 (FTP) and 69/UDP (TFTP) for specific use cases
- Firewalls & Network Segmentation: Use firewalls to limit inbound and outbound traffic to necessary services. Consider network segmentation (e.g., separating internal, external, and DMZ networks) to reduce the risk of lateral movement in the event of a breach.
- Intrusion Detection & Prevention Systems (IDPS): Use tools like Snort, Suricata, or OSSEC to detect and block malicious network activity in real-time.
- VPNs and Encryption: Ensure that all remote access is encrypted (using VPNs, SSL/TLS, or SSH for secure communications) and ensure all internal communications are encrypted.
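The port policy above, expressed as data with a check that can be run over observed connections (conntrack or flow records) to flag anything outside it. This is an added example, not rConfig's own code; the device management subnet, the stand-in address for rconfig.com, and the sample connection records are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholders (assumptions, not from the rConfig docs): adjust to
# your environment. The ports themselves follow the list above.
DEVICE_MGMT_NET = ipaddress.ip_network("10.10.0.0/16")  # managed network devices
RCONFIG_COM_IP = ipaddress.ip_address("203.0.113.10")   # stand-in for rconfig.com's static IP


@dataclass(frozen=True)
class Conn:
    direction: str  # "in" or "out", relative to the rConfig server
    proto: str      # "tcp" or "udp"
    peer: str       # remote IP address
    port: int       # local port for "in", remote port for "out"


def is_allowed(c: Conn, allow_ftp_tftp: bool = False) -> bool:
    """True if the connection fits the rConfig port policy, else False."""
    peer = ipaddress.ip_address(c.peer)
    if c.direction == "in":
        if c.proto == "tcp" and c.port in (80, 443):
            return True  # UI/API; tighten to a management subnet where possible
        if allow_ftp_tftp and (c.proto, c.port) in (("tcp", 21), ("udp", 69)):
            return peer in DEVICE_MGMT_NET  # optional config push from devices
        return False
    if c.direction == "out":
        if c.proto == "tcp" and c.port in (22, 23):
            return peer in DEVICE_MGMT_NET  # SSH/Telnet only towards devices
        if c.proto == "tcp" and c.port in (80, 443):
            return peer == RCONFIG_COM_IP   # version checks only
    return False


def audit(conns, allow_ftp_tftp: bool = False):
    """Return the connections that fall outside the policy (alert on these)."""
    return [c for c in conns if not is_allowed(c, allow_ftp_tftp)]


# Constructed sample of observed connections.
SAMPLE = [
    Conn("in", "tcp", "10.20.0.5", 443),       # administrator using the UI
    Conn("out", "tcp", "10.10.3.7", 22),       # config backup over SSH
    Conn("out", "tcp", "203.0.113.10", 443),   # version check to rconfig.com
    Conn("out", "tcp", "198.51.100.9", 443),   # unexpected internet destination
    Conn("out", "tcp", "10.10.3.7", 3389),     # unexpected protocol towards a device
    Conn("in", "udp", "10.10.3.8", 69),        # TFTP from a device (optional use case)
]

if __name__ == "__main__":
    for bad in audit(SAMPLE):
        print("policy violation:", bad)
```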
Server & Endpoint Hardening
For security and system optimization, the ideal setup is for rConfig installations to run on a dedicated server or appliance, not shared with other services. This approach minimizes potential attack vectors and ensures optimal performance. Both physical and virtual servers, as well as user devices, need to be hardened against common attack vectors:
Operating System Security
- Minimize Attack Surface: Remove unnecessary software, services, and packages from servers and endpoints to reduce the potential attack surface.
- Patch Management: Ensure that operating systems, applications, and third-party software are up to date with security patches. Use tools like OSSEC, WSUS, or yum-cron for automatic updates.
- Use SELinux/AppArmor: If you are using Linux, ensure SELinux (Security-Enhanced Linux) or AppArmor is configured to enforce access controls.
- Disable Unnecessary Services: Disable unnecessary ports and services (e.g., FTP, Telnet) and only leave those that are required.
- Harden SSH: Configure SSH to disable root login, use key-based authentication, and limit login attempts to prevent brute-force attacks.
Endpoint Protection
- Install and maintain anti-malware/anti-virus software on all endpoints (laptops, desktops, and servers).
- Implement device encryption to protect data in case a device is lost or stolen.
- Enforce mobile device management (MDM) policies on employees’ smartphones and tablets.
Sample SELinux Policy
Note: By default, rConfig disables SELinux as most customers, in our experience, do not use it. However, for customers who do utilize SELinux, the sample policy below can be used to allow and enable rConfig.
- Set SELinux to Enforcing Mode: This is the most secure mode and ensures that SELinux enforces its policies. Use the following command:

  ```shell
  setenforce 1
  ```

  To make this change persistent across reboots, update the configuration file `/etc/selinux/config` and set `SELINUX=enforcing`.

- Define SELinux Rules: Create rules that restrict access to only the required files, processes, and ports.
  - Allow Network Access for HTTPD: To enable HTTPD (Apache) to connect to external networks, execute:

    ```shell
    setsebool -P httpd_can_network_connect 1
    ```

  - Enable Unified Context for HTTPD: To modify and create templates with HTTPD, enable the unified context:

    ```shell
    setsebool -P httpd_unified 1
    ```

- Monitor SELinux Logs: Regularly review SELinux logs located at `/var/log/audit/audit.log` to identify and address unauthorized access attempts or policy violations.
- Policy Testing and Adjustments: Use tools like `audit2allow` to fine-tune SELinux policies while minimizing disruptions. For example:

  ```shell
  ausearch -m avc -ts today | audit2allow -M my_policy
  semodule -i my_policy.pp
  ```
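Before feeding denials into audit2allow, it helps to triage them so that the two booleans above are applied where they fit and everything else gets a human review. The following Python is an added example, not part of the rConfig documentation; the audit.log records are constructed, and the set of sensitive target types is an assumption.

```python
import re
from collections import Counter

# Extract the fields of an AVC denial record from /var/log/audit/audit.log.
AVC_RE = re.compile(
    r'type=AVC .*?denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=\w+:\w+:(?P<stype>\w+).*?tcontext=\w+:\w+:(?P<ttype>\w+)'
    r'.*?tclass=(?P<tclass>\w+)'
)

# Target types a web server domain should never need. A denial here is a
# finding to investigate, not a policy gap to allow (assumption: none of these
# are part of any rConfig workflow).
SENSITIVE_TYPES = {"shadow_t", "passwd_file_t", "ssh_home_t"}


def parse_avc(line):
    """Return a dict of AVC fields, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["perms"] = set(entry["perms"].split())
    return entry


def triage(entry):
    """Map a denial to the action an administrator should consider."""
    if entry["stype"] != "httpd_t":
        return "other-domain: outside the scope of the rConfig booleans"
    if entry["ttype"] in SENSITIVE_TYPES:
        return "investigate: httpd reaching sensitive data; do not allow"
    if entry["tclass"] == "tcp_socket" and "name_connect" in entry["perms"]:
        return "boolean: httpd_can_network_connect"
    if (entry["tclass"] in ("file", "dir") and entry["ttype"] == "httpd_sys_content_t"
            and entry["perms"] & {"write", "create", "unlink", "add_name"}):
        return "boolean: httpd_unified (or relabel to httpd_sys_rw_content_t)"
    return "review: no matching boolean; inspect before using audit2allow"


def summarize(lines):
    """Count denials by suggested action; review this before loading a module."""
    return Counter(triage(e) for e in map(parse_avc, lines) if e)


# Constructed sample denials (synthetic, formatted like audit.log AVC records).
SAMPLE_LOG = [
    'type=AVC msg=audit(1700000000.101:301): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=22 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1700000001.202:302): avc:  denied  { write } for  pid=2102 comm="php-fpm" name="template.tpl" dev="dm-0" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1700000002.303:303): avc:  denied  { read } for  pid=2103 comm="httpd" name="shadow" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1700000002.303:303): arch=c000003e syscall=257 success=no exit=-13',
]

if __name__ == "__main__":
    for action, count in summarize(SAMPLE_LOG).items():
        print(f"{count:3d}  {action}")
```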
Credential Hardening in UI and Other Locations
- Secure Password Storage: Ensure passwords are hashed using a secure algorithm (e.g., bcrypt, Argon2).
- Password Complexity Enforcement: Enforce policies that require strong passwords, including length and character variety.
- UI Security Measures:
- Use secure input fields for password entry, preventing auto-completion or copying.
- Implement reCAPTCHA or similar tools to protect against brute-force attacks in login forms.
- Secure Key Management: Use secure key vaults (e.g., AWS Secrets Manager, HashiCorp Vault) for API keys and credentials.
- Session Management: Ensure session cookies are secure, with HTTP-only and secure flags enabled.
Data Security and Encryption
Securing sensitive data is critical, both at rest and in transit:
- Encrypt Data in Transit: Use TLS/SSL to encrypt sensitive data transmitted over the network. Ensure that all services, including websites, APIs, and email, use HTTPS and that certificates are up-to-date and signed by a trusted certificate authority. For more details, refer to SSL Setup.
- Encrypt Data at Rest: Use full disk encryption (e.g., LUKS for Linux, BitLocker for Windows) for sensitive data stored on servers and workstations. For implementation details, refer to Config Encryption.
- Database Hardening: Use encryption for sensitive fields in databases and employ strong authentication mechanisms for database access. Note that rConfig encrypts credentials and other sensitive data by default, with the encryption key stored in the `.env` file. This file should be securely backed up at all times. Ensure regular database backups are encrypted.
- Backup Encryption: Ensure that backup files (both on-site and off-site) are encrypted, so that data is protected in case of a breach.
Additional Sections for Security Hardening Guide
Database Platform Security
Securing the database platform that hosts rConfig data requires attention to both the database server itself and the surrounding infrastructure:
Database Server Hardening
- Database Server OS Hardening: Apply the same operating system hardening principles to database servers as outlined in the Server & Endpoint Hardening section
- Database Service Configuration:
  - Disable unnecessary database features and modules (e.g., xp_cmdshell in SQL Server, file_priv in MySQL)
  - Configure database services to run under dedicated service accounts with minimal privileges
  - Remove or disable default database accounts and sample databases
  - Set appropriate connection timeout values to prevent resource exhaustion
Database Network Security
- Network Isolation: Place database servers in a separate network segment (database tier) from web servers
- Port Security:
  - Change default database ports where possible (MySQL 3306, PostgreSQL 5432)
  - Use firewalls to restrict database port access to only authorized application servers
  - Implement database connection encryption (SSL/TLS) for all connections
- Connection Limits: Configure maximum concurrent connections to prevent denial-of-service attacks
Database Access Controls
- Privilege Separation: Create separate database users for different application functions with minimal required privileges
- Connection Security: Use connection strings that specify SSL requirements and certificate validation
- Audit Logging: Enable database audit logging for:
  - Failed authentication attempts
  - Privilege escalation activities
  - Data definition language (DDL) changes
  - Bulk data operations
Database Backup Security
- Backup Encryption: Ensure all database backups are encrypted using strong encryption algorithms
- Backup Storage: Store encrypted backups in secure locations separate from the production database server
- Backup Testing: Regularly test backup restoration procedures to ensure data integrity and recovery capabilities
- Backup Access Controls: Limit access to backup files and implement proper authentication for backup systems
Enhanced Monitoring and Alerting
Comprehensive monitoring and alerting are essential for detecting security incidents and maintaining system health in enterprise environments:
Infrastructure Monitoring
- System Resource Monitoring:
  - Monitor CPU usage patterns for unusual spikes that could indicate cryptomining or other malicious activity
  - Track memory consumption and alert on rapid memory growth
  - Monitor disk space utilization and I/O patterns
  - Set up alerts for system service failures or unexpected restarts
- Network Traffic Analysis:
  - Monitor unusual outbound connections from rConfig servers
  - Track data transfer volumes and patterns to detect potential data exfiltration
  - Alert on connections to known malicious IP addresses or domains
  - Monitor for lateral movement attempts within your network
- File System Monitoring:
  - Implement file integrity monitoring (FIM) for critical system files and directories
  - Monitor the rConfig application directory for unauthorized changes
  - Track changes to configuration files, especially `.env` files
  - Alert on creation of unusual files or directories
Security Event Monitoring
- Authentication Monitoring:
  - Log and alert on failed authentication attempts, especially brute force patterns
  - Monitor for unusual login times or locations
  - Track privilege escalation events
  - Alert on multiple concurrent sessions for the same user account
- Application Monitoring:
  - Monitor web server access logs for suspicious patterns or attack signatures
  - Track database query patterns for potential SQL injection attempts
  - Alert on unusual API usage patterns or rate limit violations
  - Monitor for unauthorized access attempts to sensitive endpoints
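A minimal detector for two of the authentication signals listed above (a brute-force burst from one address, and one account with sessions from several addresses), added here as an example rather than rConfig's own tooling; the log line format and the sample entries are constructed assumptions, so adapt parse() to the log source you actually ship to your SIEM.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format for this example (not rConfig's native log format):
#   "<ISO-8601 UTC> login user=<name> ip=<address> result=<ok|fail>"


def parse(line):
    ts, _, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["ip"], kv["result"]


def detect(lines, max_failures=5, window=timedelta(minutes=5)):
    """Return alert strings for brute-force bursts and multi-address sessions.

    - brute-force: at least max_failures failed logins from one IP inside `window`
    - concurrent sessions: one user with successful logins from more than one IP
      (logouts are not modelled; a successful login is treated as an open session)
    """
    alerts, fired = [], set()
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    sessions = defaultdict(set)    # user -> IPs with a successful login
    for line in lines:
        ts, user, ip, result = parse(line)
        if result == "fail":
            q = failures[ip]
            q.append(ts)
            while ts - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= max_failures and ("brute", ip) not in fired:
                fired.add(("brute", ip))
                alerts.append(f"brute-force: {len(q)} failures from {ip} in {window}")
        elif result == "ok":
            sessions[user].add(ip)
            if len(sessions[user]) > 1 and ("multi", user) not in fired:
                fired.add(("multi", user))
                alerts.append(f"concurrent sessions: {user} from {sorted(sessions[user])}")
    return alerts


SAMPLE_LOG = [  # constructed sample entries
    "2024-05-01T02:10:05Z login user=admin ip=198.51.100.7 result=fail",
    "2024-05-01T02:10:09Z login user=admin ip=198.51.100.7 result=fail",
    "2024-05-01T02:10:14Z login user=admin ip=198.51.100.7 result=fail",
    "2024-05-01T02:10:20Z login user=admin ip=198.51.100.7 result=fail",
    "2024-05-01T02:10:27Z login user=admin ip=198.51.100.7 result=fail",
    "2024-05-01T08:30:00Z login user=admin ip=10.20.0.5 result=ok",
    "2024-05-01T08:31:12Z login user=admin ip=198.51.100.7 result=ok",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```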
Log Management and Correlation
- Centralized Logging: Send all rConfig system logs to your centralized log management system (SIEM)
- Log Retention: Maintain appropriate log retention periods per your compliance requirements
- Event Correlation: Implement rules to correlate events across multiple systems and identify attack patterns
- Automated Response: Configure automated responses for critical security events (e.g., account lockouts, service isolation)
Business Continuity (Vector and Enterprise Customers)
Enterprise-grade business continuity planning ensures minimal disruption to network management operations during both planned maintenance and unexpected incidents:
High Availability Architecture
- Load Balancing and Redundancy:
  - Deploy multiple rConfig application servers behind a load balancer for active-active configurations
  - Implement database clustering or master-slave replication for database high availability
  - Use shared storage solutions or database replication to ensure data consistency across instances
  - Configure automatic failover mechanisms with health checks
- Geographic Distribution:
  - Consider multi-site deployments for geographically distributed organizations
  - Implement database replication across sites with appropriate lag monitoring
  - Ensure network connectivity and security between sites
Disaster Recovery Planning
- Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO):
  - Define acceptable downtime limits for network management operations
  - Establish maximum acceptable data loss timeframes
  - Document recovery procedures with step-by-step instructions
  - Regularly test disaster recovery procedures and update documentation
- Backup and Restoration:
  - Implement automated, encrypted backups of both application data and system configurations
  - Maintain backups in multiple locations, including off-site storage
  - Test backup integrity and restoration procedures monthly
  - Document bare-metal recovery procedures for complete system reconstruction
Operational Continuity
- Maintenance Windows:
  - Establish change management procedures for system updates and maintenance
  - Plan maintenance windows during low-impact periods
  - Implement rolling update procedures to maintain service availability
  - Maintain emergency rollback procedures
- Incident Response:
  - Define escalation procedures for system outages or security incidents
  - Maintain current contact information for all stakeholders
  - Establish communication procedures for notifying users of system status
  - Document post-incident review processes for continuous improvement
Monitoring and Testing
- Availability Monitoring:
  - Implement comprehensive uptime monitoring with external monitoring services
  - Set up automated health checks for all system components
  - Configure alerting thresholds that align with your RTO requirements
  - Monitor key performance indicators (KPIs) for system performance
- Regular Testing:
  - Conduct quarterly disaster recovery tests with full system restoration
  - Perform annual business continuity exercises involving all stakeholders
  - Test failover procedures under controlled conditions
  - Document and address any issues identified during testing
Documentation and Training
- Runbook Maintenance:
  - Maintain detailed operational runbooks for all system administration tasks
  - Document all custom configurations and integrations
  - Keep emergency contact lists and escalation procedures current
  - Ensure documentation is accessible during outage scenarios
- Staff Training:
  - Provide regular training on disaster recovery procedures
  - Cross-train multiple staff members on critical system operations
  - Conduct tabletop exercises for incident response scenarios
  - Maintain current certifications for key technical staff
Backups
To protect against ransomware and other threats, regular system backups should be taken. While rConfig’s backup feature offers basic convenience, it may be ineffective if disks or other system components become compromised. Customers must implement comprehensive backup systems and processes aligned with corporate policies to protect themselves and ensure business continuity. These backups should be stored securely, with encryption and regular testing of restore procedures, to guarantee data recovery in the event of an incident.