[Freeipa-users] Hardening freeipa on the internet
Martin Kosek
mkosek at redhat.com
Fri Apr 25 08:11:15 UTC 2014
On 04/25/2014 09:50 AM, Andrew Holway wrote:
> Hello,
>
> I am having a think about running freeipa on the open seas for more
> distributed organisations and would like to understand where the
> weaknesses might be. I would almost certainly only make the UI
> unavailable; however, I am unsure about the other services.
>
> Would this be workable?
>
> Thanks,
>
> Andrew
That's actually a very good question. I am currently working on a public
FreeIPA demo on the Red Hat OpenStack platform which I will make available in
the upcoming weeks and have a few pointers for you:
1) If you have DNS configured, make sure that your FreeIPA DNS does not pose as
an open DNS resolver, to avoid DNS amplification attacks.
The following extension to the named.conf options should be a good start:
    // named.conf "options" fragment
    allow-transfer { "none"; };   // no zone transfers to anyone
    allow-recursion { "none"; };  // never recurse on behalf of a client
    recursion no;                 // answer authoritatively only
    version "[Secured]";          // hide the BIND version from version.bind (CHAOS TXT) queries
    rate-limit {
        responses-per-second 15;  // response rate limiting (RRL) against reflection abuse
    };
2) Prevention of NTP amplification attacks
More info here:
https://support.steadfast.net/Knowledgebase/Article/View/106/0/preventing-ntp-amplification-attacks
Does anybody know about other precautions that should be made besides standard
hardening (SELinux, firewall, log audits)?
Thanks,
Martin
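As an added illustration (not part of the thread, and not FreeIPA's own tooling), the following Python script audits a named.conf "options" fragment for the open-resolver and amplification issues Martin's snippet addresses, and runs it over two constructed configurations: a weak one and the hardened settings from the reply above. Function and sample names are this example's own; the directive semantics (recursion defaults to yes, allow-recursion/allow-transfer ACLs, rate-limit, version) are standard BIND 9.

```python
"""Audit a BIND named.conf 'options' fragment for open-resolver / amplification risk.

Added example: parses the directives with regexes (sufficient for an options
block, not a full named.conf grammar) and reports findings as plain strings.
"""
import re


def _strip_comments(text: str) -> str:
    """Remove /* */, // and # comments so commented-out directives are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _acl(text: str, name: str):
    """Return the set of ACL tokens inside `name { ... };`, or None if absent."""
    m = re.search(rf"\b{name}\s*\{{([^}}]*)\}}\s*;", text)
    if not m:
        return None
    return {t.strip('"') for t in re.split(r"[;\s]+", m.group(1)) if t}


def audit_named_options(conf: str) -> list[str]:
    """Return a list of hardening findings; an empty list means nothing flagged."""
    text = _strip_comments(conf)
    findings = []

    # BIND recurses by default, so a missing 'recursion' line is as bad as 'yes'.
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", text)
    if rec is None or rec.group(1) == "yes":
        findings.append("recursion is enabled (BIND default): an internet-facing "
                        "authoritative server should set 'recursion no;'")

    # Both ACLs must be set explicitly and must not be wide open.
    for name in ("allow-recursion", "allow-transfer"):
        acl = _acl(text, name)
        if acl is None:
            findings.append(f"{name} is not set: restrict it explicitly, e.g. {{ \"none\"; }}")
        elif "any" in acl:
            findings.append(f"{name} allows 'any': exposed to the whole internet")

    # Response rate limiting blunts use of the server as a reflector.
    if re.search(r"\brate-limit\s*\{", text) is None:
        findings.append("no rate-limit block: add response rate limiting")

    # Without an override, BIND answers version.bind CHAOS queries with its real version.
    if re.search(r'\bversion\s+"[^"]*"\s*;', text) is None:
        findings.append("version string not overridden: BIND advertises its exact version")

    return findings


# Constructed sample: a typical unhardened options block.
WEAK_OPTIONS = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };
    allow-transfer { any; };
};
"""

# Constructed sample: the settings recommended in the reply above.
HARDENED_OPTIONS = """
options {
    directory "/var/named";
    allow-transfer { "none"; };
    allow-recursion { "none"; };
    recursion no;
    version "[Secured]";
    rate-limit {
        responses-per-second 15;
    };
};
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(f"[{label}]")
        for finding in audit_named_options(conf) or ["no findings"]:
            print("  -", finding)
```

Run against a real file with `audit_named_options(open("/etc/named.conf").read())`. Note that `recursion no;` suits a server that only answers for its own zones; if enrolled clients use the IPA server as their resolver, the equivalent hardening is to keep recursion on but limit `allow-recursion` to those client networks rather than `"none"`, which this check accepts as long as `any` is absent.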