rConfig - Security Hardening Guide

5 mins V8 Pro

Security Hardening Documentation

WARNING: You are responsible

This document serves as a guide and is robust in its recommendations. However, like all guides, it serves as a framework for securing rConfig. Specific implementation details and adherence to internal security processes and practices are crucial to ensure compliant and robust security hardening. See rConfig terms of service

Introduction

Security hardening is a critical aspect of maintaining the integrity, confidentiality, and availability of any system, especially one as integral as rConfig. In today’s environment, cyber threats are evolving rapidly, and even a minor vulnerability can lead to significant repercussions. Hardening your systems helps mitigate risks, protect sensitive data, and ensure compliance with industry standards.

rConfig has a strong history of prioritizing security. Since its inception, rConfig has only had three Common Vulnerabilities and Exposures (CVEs), and all of these occurred in the older V3 version. This track record demonstrates rConfig’s commitment to maintaining a secure and reliable platform.

This document serves as a comprehensive end-to-end guide for securing rConfig. While much of the content includes generic best practices for securing systems and applications, it has been tailored to address the specific needs and features of rConfig. Following this guide will help ensure your rConfig deployment is robust against evolving threats.

Conduct a Security Assessment

Before you start hardening, it’s essential to know where your vulnerabilities lie. A security assessment will help you identify gaps in your security policies, practices, and tools.

• Perform Vulnerability Scanning: Use tools like Nessus, OpenVAS, or Qualys to scan your systems and infrastructure for vulnerabilities.
• Penetration Testing: Conduct periodic penetration tests to simulate real-world attacks and assess your network’s resistance.
• Security Audits: Have regular security audits done by an external firm to ensure compliance with standards like NIST, ISO 27001, and SOC 2.

Implement Strong Authentication and Access Controls

rConfig offers robust user authentication capabilities, including local user authentication, Active Directory (AD) integration, and Single Sign-On (SSO) with enterprise-grade services. These features provide flexibility and ensure secure access for various organizational needs. For more details, refer to the following resources:

• LDAP Settings
• SSO Overview

Additionally, rConfig employs a strong Role-Based Access Control (RBAC) system, enabling administrators to enforce the Principle of Least Privilege (PoLP) effectively. Adhering to these principles ensures users only have access to the resources necessary for their roles. For implementation details, see the RBAC Guide.

Authentication and authorization are the first line of defense. Here’s how you can harden access:

• Use Multi-Factor Authentication (MFA): Enable MFA for all employees, especially for privileged accounts (admin, root, etc.) and critical applications. This could be through SMS-based or app-based methods like Google Authenticator or hardware tokens (e.g., YubiKeys).
• Principle of Least Privilege (PoLP): Ensure users and administrators only have access to the systems and data they absolutely need to perform their jobs.
• Role-Based Access Control (RBAC): Implement RBAC in your systems, especially in applications like databases, network services, and cloud infrastructure.
• Disable Default Accounts: Remove or disable any default administrative or service accounts in your systems and applications. These can be a target for attackers.

Network Hardening

Your network is often the first line of defense, so securing it is paramount. For rConfig, the main connection ports to consider are as follows:

• Outbound Ports:

  • 80 (HTTP)
  • 443 (HTTPS)
  • SSH and Telnet as required for device communication
  • rConfig server typically only needs outbound internet access to rconfig.com (static IP) for version checks. While not required, this is recommended and should be factored into your firewall strategy.

• Inbound Ports:

  • 80 (HTTP)
  • 443 (HTTPS)
  • Optionally 21 (FTP) and 69/UDP (TFTP) for specific use cases

• Firewalls & Network Segmentation: Use firewalls to limit inbound and outbound traffic to necessary services. Consider network segmentation (e.g., separating internal, external, and DMZ networks) to reduce the risk of lateral movement in the event of a breach.

• Intrusion Detection & Prevention Systems (IDPS): Use tools like Snort, Suricata, or OSSEC to detect and block malicious network activity in real-time.

• VPNs and Encryption: Ensure that all remote access is encrypted (using VPNs, SSL/TLS, or SSH for secure communications) and ensure all internal communications are encrypted.

Server & Endpoint Hardening

For security and system optimization, the ideal setup is for rConfig installations to run on a dedicated server or appliance, not shared with other services. This approach minimizes potential attack vectors and ensures optimal performance. Both physical and virtual servers, as well as user devices, need to be hardened against common attack vectors:

WARNING: You are responsible

System and server management is strictly the customer’s responsibility. While rConfig provides scripts, guides, and recommendations for setup and maintenance, we strive for zero technical debt and no security vulnerabilities. However, this is a shared responsibility. Customers must ensure adherence to internal enterprise policies on patch management, updates, and compliance standards to maintain a secure environment.

Operating System Security

• Minimize Attack Surface: Remove unnecessary software, services, and packages from servers and endpoints to reduce the potential attack surface.
• Patch Management: Ensure that operating systems, applications, and third-party software are up to date with security patches. Use tools like OSSEC, WSUS, or yum-cron for automatic updates.
• Use SELinux/AppArmor: If you are using Linux, ensure SELinux (Security-Enhanced Linux) or AppArmor is configured to enforce access controls.
• Disable Unnecessary Services: Disable unnecessary ports and services (e.g., FTP, Telnet) and only leave those that are required.
• Harden SSH: Configure SSH to disable root login, use key-based authentication, and limit login attempts to prevent brute-force attacks.

Endpoint Protection

• Install and maintain anti-malware/anti-virus software on all endpoints (laptops, desktops, and servers).
• Implement device encryption to protect data in case a device is lost or stolen.
• Enforce mobile device management (MDM) policies on employees’ smartphones and tablets.

Sample SELinux Policy

Note: By default, rConfig disables SELinux as most customers, in our experience, do not use it. However, for customers who do utilize SELinux, the sample policy below can be used to allow and enable rConfig.

• Set SELinux to Enforcing Mode: This is the most secure mode and ensures that SELinux enforces its policies.

  • Use the following command: setenforce 1
  • To make this change persistent across reboots, update the configuration file /etc/selinux/config and set SELINUX=enforcing.

• Define SELinux Rules: Create rules that restrict access to only the required files, processes, and ports.

  • Allow Network Access for HTTPD: To enable HTTPD (Apache) to connect to external networks, execute: setsebool -P httpd_can_network_connect 1.
  • Enable Unified Context for HTTPD: To modify and create templates with HTTPD, enable the unified context: setsebool -P httpd_unified 1.

• Monitor SELinux Logs: Regularly review SELinux logs located at /var/log/audit/audit.log to identify and address unauthorized access attempts or policy violations.

• Policy Testing and Adjustments: Use tools like audit2allow to fine-tune SELinux policies while minimizing disruptions. For example:

  ausearch -m avc -ts today | audit2allow -M my_policy
  semodule -i my_policy.pp

Credential Hardening in UI and Other Locations

• Secure Password Storage: Ensure passwords are hashed using a secure algorithm (e.g., bcrypt, Argon2).
• Password Complexity Enforcement: Enforce policies that require strong passwords, including length and character variety.
• UI Security Measures:
  • Use secure input fields for password entry, preventing auto-completion or copying.
  • Implement reCAPTCHA or similar tools to protect against brute-force attacks in login forms.
• Secure Key Management: Use secure key vaults (e.g., AWS Secrets Manager, HashiCorp Vault) for API keys and credentials.
• Session Management: Ensure session cookies are secure, with HTTP-only and secure flags enabled.

Data Security and Encryption

Securing sensitive data is critical, both at rest and in transit:

• Encrypt Data in Transit: Use TLS/SSL to encrypt sensitive data transmitted over the network. Ensure that all services, including websites, APIs, and email, use HTTPS and that certificates are up-to-date and signed by a trusted certificate authority. For more details, refer to SSL Setup.
• Encrypt Data at Rest: Use full disk encryption (e.g., LUKS for Linux, BitLocker for Windows) for sensitive data stored on servers and workstations. For implementation details, refer to Config Encryption.
• Database Hardening: Use encryption for sensitive fields in databases and employ strong authentication mechanisms for database access. Note that rConfig encrypts credentials and other sensitive data by default, with the encryption key stored in the .env file. This file should be securely backed up at all times. Ensure regular database backups are encrypted.
• Backup Encryption: Ensure that backup files (both on-site and off-site) are encrypted, so that data is protected in case of a breach.

Additional Sections for Security Hardening Guide

Database Platform Security

Customer Responsibility

Database platform security is entirely the customer’s responsibility. rConfig applications connect to customer-managed database instances, and proper hardening of the database infrastructure is critical for overall system security.

Securing the database platform that hosts rConfig data requires attention to both the database server itself and the surrounding infrastructure:

Database Server Hardening

• Database Server OS Hardening: Apply the same operating system hardening principles to database servers as outlined in the Server & Endpoint Hardening section
• Database Service Configuration:
  • Disable unnecessary database features and modules (e.g., xp_cmdshell in SQL Server, file_priv in MySQL)
  • Configure database services to run under dedicated service accounts with minimal privileges
  • Remove or disable default database accounts and sample databases
  • Set appropriate connection timeout values to prevent resource exhaustion

Database Network Security

• Network Isolation: Place database servers in a separate network segment (database tier) from web servers
• Port Security:
  • Change default database ports where possible (MySQL 3306, PostgreSQL 5432)
  • Use firewalls to restrict database port access to only authorized application servers
  • Implement database connection encryption (SSL/TLS) for all connections
• Connection Limits: Configure maximum concurrent connections to prevent denial-of-service attacks

Database Access Controls

• Privilege Separation: Create separate database users for different application functions with minimal required privileges
• Connection Security: Use connection strings that specify SSL requirements and certificate validation
• Audit Logging: Enable database audit logging for:
  • Failed authentication attempts
  • Privilege escalation activities
  • Data definition language (DDL) changes
  • Bulk data operations

Database Backup Security

• Backup Encryption: Ensure all database backups are encrypted using strong encryption algorithms
• Backup Storage: Store encrypted backups in secure locations separate from the production database server
• Backup Testing: Regularly test backup restoration procedures to ensure data integrity and recovery capabilities
• Backup Access Controls: Limit access to backup files and implement proper authentication for backup systems

Enhanced Monitoring and Alerting

Integration Required

Effective monitoring requires integration with your existing SIEM, log management, and alerting infrastructure. The monitoring data from rConfig systems should be correlated with other security events across your environment.

Comprehensive monitoring and alerting are essential for detecting security incidents and maintaining system health in enterprise environments:

Infrastructure Monitoring

• System Resource Monitoring:

  • Monitor CPU usage patterns for unusual spikes that could indicate cryptomining or other malicious activity
  • Track memory consumption and alert on rapid memory growth
  • Monitor disk space utilization and I/O patterns
  • Set up alerts for system service failures or unexpected restarts

• Network Traffic Analysis:

  • Monitor unusual outbound connections from rConfig servers
  • Track data transfer volumes and patterns to detect potential data exfiltration
  • Alert on connections to known malicious IP addresses or domains
  • Monitor for lateral movement attempts within your network

• File System Monitoring:

  • Implement file integrity monitoring (FIM) for critical system files and directories
  • Monitor the rConfig application directory for unauthorized changes
  • Track changes to configuration files, especially .env files
  • Alert on creation of unusual files or directories

Security Event Monitoring

• Authentication Monitoring:

  • Log and alert on failed authentication attempts, especially brute force patterns
  • Monitor for unusual login times or locations
  • Track privilege escalation events
  • Alert on multiple concurrent sessions for the same user account

• Application Monitoring:

  • Monitor web server access logs for suspicious patterns or attack signatures
  • Track database query patterns for potential SQL injection attempts
  • Alert on unusual API usage patterns or rate limit violations
  • Monitor for unauthorized access attempts to sensitive endpoints

Log Management and Correlation

• Centralized Logging: Send all rConfig system logs to your centralized log management system (SIEM)
• Log Retention: Maintain appropriate log retention periods per your compliance requirements
• Event Correlation: Implement rules to correlate events across multiple systems and identify attack patterns
• Automated Response: Configure automated responses for critical security events (e.g., account lockouts, service isolation)

Business Continuity (Vector and Enterprise Customers)

Enterprise Feature

This section applies specifically to rConfig Vector and Enterprise customers who require high availability and comprehensive disaster recovery capabilities for mission-critical network management operations.

Enterprise-grade business continuity planning ensures minimal disruption to network management operations during both planned maintenance and unexpected incidents:

rConfig BCP and HA Support

rConfig Vector and Enterprise editions include built-in support for high availability and disaster recovery features. For detailed configuration guidance, refer to the rConfig High Availability Guide. Contact us for advise and assistance with your specific business continuity requirements.

High Availability Architecture

• Load Balancing and Redundancy:

  • Deploy multiple rConfig application servers behind a load balancer for active-active configurations
  • Implement database clustering or master-slave replication for database high availability
  • Use shared storage solutions or database replication to ensure data consistency across instances
  • Configure automatic failover mechanisms with health checks

• Geographic Distribution:

  • Consider multi-site deployments for geographically distributed organizations
  • Implement database replication across sites with appropriate lag monitoring
  • Ensure network connectivity and security between sites

Disaster Recovery Planning

• Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO):

  • Define acceptable downtime limits for network management operations
  • Establish maximum acceptable data loss timeframes
  • Document recovery procedures with step-by-step instructions
  • Regularly test disaster recovery procedures and update documentation

• Backup and Restoration:

  • Implement automated, encrypted backups of both application data and system configurations
  • Maintain backups in multiple locations, including off-site storage
  • Test backup integrity and restoration procedures monthly
  • Document bare-metal recovery procedures for complete system reconstruction

Operational Continuity

• Maintenance Windows:

  • Establish change management procedures for system updates and maintenance
  • Plan maintenance windows during low-impact periods
  • Implement rolling update procedures to maintain service availability
  • Maintain emergency rollback procedures

• Incident Response:

  • Define escalation procedures for system outages or security incidents
  • Maintain current contact information for all stakeholders
  • Establish communication procedures for notifying users of system status
  • Document post-incident review processes for continuous improvement

Monitoring and Testing

• Availability Monitoring:

  • Implement comprehensive uptime monitoring with external monitoring services
  • Set up automated health checks for all system components
  • Configure alerting thresholds that align with your RTO requirements
  • Monitor key performance indicators (KPIs) for system performance

• Regular Testing:

  • Conduct quarterly disaster recovery tests with full system restoration
  • Perform annual business continuity exercises involving all stakeholders
  • Test failover procedures under controlled conditions
  • Document and address any issues identified during testing

Documentation and Training

• Runbook Maintenance:

  • Maintain detailed operational runbooks for all system administration tasks
  • Document all custom configurations and integrations
  • Keep emergency contact lists and escalation procedures current
  • Ensure documentation is accessible during outage scenarios

• Staff Training:

  • Provide regular training on disaster recovery procedures
  • Cross-train multiple staff members on critical system operations
  • Conduct tabletop exercises for incident response scenarios
  • Maintain current certifications for key technical staff

Backups

To protect against ransomware and other threats, regular system backups should be taken. While rConfig’s backup feature offers basic convenience, it may be ineffective if disks or other system components become compromised. Customers must implement comprehensive backup systems and processes aligned with corporate policies to protect themselves and ensure business continuity. These backups should be stored securely, with encryption and regular testing of restore procedures, to guarantee data recovery in the event of an incident.

CRITICAL: Enterprise Backup Requirements

Enterprise environments MUST maintain comprehensive backup and snapshot strategies:

• Database Snapshots: Create full database backups including all configuration data, device inventories, and historical records
• Application Snapshots: Take complete system snapshots or VM snapshots if running in virtualized environments
• Configuration Files: Backup all rConfig configuration files, custom scripts, and integration settings
• Verify Backup Integrity: Test backup restoration procedures regularly - untested backups are unreliable backups
• Document Recovery Procedures: Ensure your team has documented, tested rollback procedures

Production systems should NEVER be updated without verified, tested backups. System failures, data corruption, or compatibility issues during updates can result in significant downtime and data loss in enterprise environments.

Contact your system administrator or backup team to confirm all enterprise backup procedures are completed before proceeding.