Eyeglass Appliance Security Hardening Guide


Eyeglass Service Account

Use the eyeglass service account when adding the Isilon clusters to Eyeglass.

Reference: http://documentation.superna.net/eyeglass-isilon-edition/tech-notes/isilon-cluster-user-minimum-privileges-for-eyeglass

Security Vulnerability: TLS Server supports TLSv1.0 and SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)

Mitigation 1: SSLv2 and SSLv3 disabled for lighttpd (default setting)

Mitigation 2: Disable TLS1.0 and 1.1 for lighttpd by following the steps below:

  1. ssh to eyeglass appliance as admin user

  2. Type admin password (default password: 3y3gl4ss)

  3. sudo su - (Syntax: sudo<space>su<space>-)

  4. Type admin password (default password: 3y3gl4ss)

  5. edit /etc/lighttpd/lighttpd.conf

On line 426, you will see:

ssl.cipher-list             = "aRSA+HIGH !3DES +kEDH +kRSA !kSRP !kPSK"

Replace this cipher list with the one below:

ssl.cipher-list = "TLSv1.2:!aNULL:!eNULL:!DSS"

  6. Press the Esc key and type :wq! to save the changes.

  7. Run this command: systemctl restart lighttpd

  8. Done

Mitigation 3: Disable TLS1.0 and 1.1 and SSLv2 and SSLv3 for websockets (port 2011 and port 2012) by following the steps below:

  1. ssh to eyeglass appliance as admin user

  2. Type admin password (default password: 3y3gl4ss)

  3. sudo su - (Syntax: sudo<space>su<space>-)

  4. Type admin password (default password: 3y3gl4ss)

  5. edit /opt/superna/java/jre1.8.0_05/lib/security/java.security

On line 518, you will see:

#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048

Replace it with the line below:

jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048, SSLv2Hello, SSLv3, TLSv1, TLSv1.1

  6. Press the Esc key and type :wq! to save the changes.

  7. Type this command to restart the eyeglass service: systemctl restart sca

  8. Done
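The two edits above (the lighttpd cipher list and the java.security disabled-algorithm list) as one idempotent script, added here as an example and not Superna's code: it locates each setting by its key rather than by the quoted line number, keeps a backup, and verifies the new line is in place before restarting lighttpd and sca. Paths and values are the ones the guide gives; the function names are mine.

```sh
#!/bin/sh
# Added example (not Superna's code): apply both TLS edits from the guide by
# matching the configuration key instead of a line number, keep a backup, and
# verify the result before restarting the services. Paths and values are the
# ones the guide gives; adjust the paths if your appliance build differs.
LIGHTTPD_CONF=/etc/lighttpd/lighttpd.conf
JAVA_SECURITY=/opt/superna/java/jre1.8.0_05/lib/security/java.security
CIPHERS='ssl.cipher-list = "TLSv1.2:!aNULL:!eNULL:!DSS"'
JDK_TLS='jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048, SSLv2Hello, SSLv3, TLSv1, TLSv1.1'

# set_config_line FILE KEY LINE: replace the first "KEY = ..." line (active or
# commented out with '#') with LINE, drop any later active duplicate so exactly
# one value is in force, and append LINE if the key is absent. A timestamped
# copy of FILE is kept beside it. The edit goes through a temp file so the
# original file's permissions and ownership are preserved.
set_config_line() {
  file=$1 key=$2 newline=$3
  tmp=$(mktemp) || return 1
  cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
  awk -v key="$key" -v newline="$newline" '
    BEGIN { esc = key; gsub(/[.]/, "[.]", esc); pat = "^[ \t]*#*[ \t]*" esc "[ \t]*=" }
    $0 ~ pat && !done { print newline; done = 1; next }
    $0 ~ pat && $0 !~ /^[ \t]*#/ { next }
    { print }
    END { if (!done) print newline }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# config_has_line FILE LINE: succeed only if LINE is present verbatim as a whole line.
config_has_line() { grep -qxF "$2" "$1"; }

# Apply both edits, verify them, then restart lighttpd and the Eyeglass service (run as root).
apply_eyeglass_tls_hardening() {
  set_config_line "$LIGHTTPD_CONF" ssl.cipher-list "$CIPHERS" || return 1
  set_config_line "$JAVA_SECURITY" jdk.tls.disabledAlgorithms "$JDK_TLS" || return 1
  config_has_line "$LIGHTTPD_CONF" "$CIPHERS" || return 1
  config_has_line "$JAVA_SECURITY" "$JDK_TLS" || return 1
  systemctl restart lighttpd && systemctl restart sca
}

if [ "${1:-}" = apply ]; then apply_eyeglass_tls_hardening; fi
```

Run it as `sh harden-tls.sh apply` as root; without the argument it only defines the functions, so you can source it and call set_config_line on a copy of the file first.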



Security Vulnerability: OpenSSH X11 Command Injection Vulnerability

Mitigation: Upgrade OpenSSH_6.6.1p1 to OpenSSH 7.2p2 by following the steps below. [This guide addresses the “Security Vulnerability: OpenSSH X11 Command Injection Vulnerability” issue on openSUSE 13.2.]

Reference: CVE ID: CVE-2016-3115

If your Eyeglass appliance is connected directly to the internet, follow the online upgrade guide; otherwise follow the offline upgrade guide.

FOR ONLINE OpenSSH Upgrade:


[IMPORTANT: Please take a “vCenter” snapshot of your current Eyeglass Appliance before conducting the openSSH Package upgrade.]

  1. ssh to Eyeglass appliance as admin user

  2. Type admin password (default password: 3y3gl4ss)

  3. sudo su - (Syntax: sudo<space>su<space>-)

  4. Type admin password (default password: 3y3gl4ss)

  5. Run “ssh -V” to determine your openSSH package version
    [The following upgrade procedure applies to OpenSSH_6.6.1p1 → 7.2p2]

  6. Install “wget” to securely copy the RPM file onto your Eyeglass appliance:
    zypper install wget

  7. Download the latest OpenSSH community build [openssh-7.2p2-142.4.x86_64.rpm] for our OS using “wget”:
    wget http://download.opensuse.org/repositories/network/openSUSE_13.2/x86_64/openssh-7.2p2-142.4.x86_64.rpm

  8. Change the permissions of the RPM file to 700.

  9. Upgrade the current version of OpenSSH from OpenSSH_6.6.1p1 → 7.2p2 by running the command:

    rpm -Uvh openssh-7.2p2-142.4.x86_64.rpm

    [The above command upgrades the OpenSSH package. It is IMPORTANT to check connectivity after upgrading.]

  10. Run “systemctl status sshd” to ensure the sshd service is up and running.

  11. Check the version of SSH after upgrading:
    ssh -V

  12. IMPORTANT: Use another PuTTY session to log in to your Eyeglass appliance and check SSH connectivity. Also, log in to your Eyeglass appliance from the clusters using the SSH tunnel to ensure application integrity.

    e.g.: In the screenshot, we are trying to SSH to our Eyeglass appliance from a OneFS cluster. IP 172.16.85.176 is our Eyeglass appliance IP.



FOR OFFLINE OpenSSH Upgrade:

[IMPORTANT: Please take a “vCenter” snapshot of your current Eyeglass Appliance before conducting the openSSH Package upgrade.]


  1. Browse to the following website and download the appropriate RPM package for OpenSSH 7.2:
    [http://download.opensuse.org/repositories/network/openSUSE_13.2/x86_64/]

    You will be presented with a list of available RPMs. Click on the .rpm file you want to download. In our case, we downloaded openssh-7.2p2-142.4.x86_64.rpm.

  2. If you are using the “Windows” OS, the file will typically be downloaded to the “C:\users\xxx\Downloads” folder.

  3. Download “WinSCP” and copy the RPM file over to your Eyeglass appliance. Our directory location is “/home/admin”.

  4. Change the file permissions by right-clicking on the .rpm file, then going to Properties.

  5. Set the file permissions to 0700.

  6. ssh to Eyeglass appliance as admin user

  7. Type admin password (default password: 3y3gl4ss)

  8. sudo su - (Syntax: sudo<space>su<space>-)

  9. Type admin password (default password: 3y3gl4ss)

  10. Browse to “/home/admin” [where you saved the .rpm file] and upgrade the current version of OpenSSH from OpenSSH_6.6.1p1 → 7.2p2 by running the command:

    rpm -Uvh openssh-7.2p2-142.4.x86_64.rpm

    [The above command upgrades the OpenSSH package. It is IMPORTANT to check connectivity after upgrading.]

  11. Run “systemctl status sshd” to ensure the sshd service is up and running.

  12. Check the version of SSH after upgrading:

    ssh -V

  13. IMPORTANT: Use another PuTTY session to log in to your Eyeglass appliance and check SSH connectivity. Also, log in to your Eyeglass appliance from the clusters using the SSH tunnel to ensure application integrity.

    e.g.: In the screenshot, we are trying to SSH to our Eyeglass appliance from a OneFS cluster. IP 172.16.85.176 is our Eyeglass appliance IP.
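The “ssh -V” version check that both the online and the offline procedure start from, and the sshd status and version checks they end with, as reusable shell functions. This is an added example, not Superna's tooling: the RPM name is the one the guide uses, the version-key encoding and function names are mine, and the upgrade branch only runs when the script is invoked with the argument “upgrade”.

```sh
#!/bin/sh
# Added example (not Superna's tooling): gate the OpenSSH upgrade on what
# "ssh -V" reports, then verify sshd and the version afterwards.
RPM=openssh-7.2p2-142.4.x86_64.rpm   # package name from the guide

# ssh_version_key "OpenSSH_6.6.1p1, OpenSSL ..." prints one comparable integer
# (major*1e6 + minor*1e4 + patch*100 + portable level), e.g. 6060101.
# Prints nothing if the line does not start with "OpenSSH_<version>".
ssh_version_key() {
  printf '%s\n' "$1" |
    sed -n 's/^OpenSSH_\([0-9][0-9.]*\)\(p\([0-9]*\)\)\{0,1\}.*/\1 \3/p' |
    awk '{ n = split($1, a, ".")
           printf "%d\n", a[1]*1000000 + a[2]*10000 + (n >= 3 ? a[3] : 0)*100 + ($2 == "" ? 0 : $2) }'
}

FIXED_KEY=$(ssh_version_key OpenSSH_7.2p2)   # the build the guide installs: 7020002

# ssh_needs_upgrade VERSION_LINE: 0 if older than 7.2p2, 1 if already at or
# beyond it, 2 if the line could not be parsed (treat as "do not proceed").
ssh_needs_upgrade() {
  key=$(ssh_version_key "$1")
  [ -n "$key" ] || return 2
  [ "$key" -lt "$FIXED_KEY" ]
}

# verify_sshd_after_upgrade: the guide's checks after "rpm -Uvh": sshd must be
# active and "ssh -V" (which writes to stderr) must no longer report the old build.
verify_sshd_after_upgrade() {
  systemctl is-active --quiet sshd || { echo "sshd is not active" >&2; return 1; }
  v=$(ssh -V 2>&1)
  if ssh_needs_upgrade "$v"; then echo "still running old build: $v" >&2; return 1; fi
  echo "sshd active, $v"
}

# Run as root in the directory holding the RPM, with a second SSH session kept
# open so a broken sshd does not lock you out.
if [ "${1:-}" = upgrade ]; then
  if ssh_needs_upgrade "$(ssh -V 2>&1)"; then
    chmod 700 "$RPM" && rpm -Uvh "$RPM" || exit 1
  else
    echo "no upgrade needed, or version could not be parsed" >&2
  fi
  verify_sshd_after_upgrade
fi
```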