[Freeipa-users] Hardening freeipa on the internet

Petr Spacek pspacek at redhat.com
Fri Apr 25 09:00:22 UTC 2014


On 25.4.2014 10:11, Martin Kosek wrote:
> On 04/25/2014 09:50 AM, Andrew Holway wrote:
>> Hello,
>>
>> I am having a think about running freeipa on the open seas for more
>> distributed organisations and would like to understand where the
>> weaknesses might be. I would almost certainly only make the ui
>> unavailable however I am unsure about the other services.
>>
>> Would this be workable?
>>
>> Thanks,
>>
>> Andrew
>
> That's actually a very good question. I am currently working on a public
> FreeIPA demo on Red Hat OpenStack platform which I will make available in
> upcoming weeks and have a few pointers for you:
>
> 1) If you have DNS configured, make sure that your FreeIPA DNS does not pose as
> an open DNS resolver to avoid DNS amplification attacks.
>
> The following extension to named.conf options should be a good start:
>
>          allow-transfer {"none";};
This configuration applies only to zones defined in named.conf and not to 
FreeIPA zones defined in LDAP.

Make sure that allow-transfer is configured for FreeIPA zones:
$ ipa dnszone-mod --allow-transfer="none;" example.

>          allow-recursion {"none";};
>          recursion no;
>          version "[Secured]";
>          rate-limit {
>              responses-per-second 15;
You may need to modify this value to fit your needs.

Further reading about DNS amplification attacks:
http://www.us-cert.gov/ncas/alerts/TA13-088A

Further reading about Response Rate Limiting:
http://bkraft.fr/blog/bind_RRL_feature/

https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html

https://kb.isc.org/article/AA-00994/0

>          };
>
> 2) Prevention of NTP amplification attacks
>
> More info here:
> https://support.steadfast.net/Knowledgebase/Article/View/106/0/preventing-ntp-amplification-attacks

Further reading about NTP amplification attacks:
http://www.us-cert.gov/ncas/alerts/TA14-013A

> Does anybody know about other precautions that should be taken besides standard
> hardening (SELinux, firewall, log audits)?

I wonder if Kerberos over UDP could have the same problem... Maybe only if you 
have some principals with disabled pre-authentication. I don't know. Kerberos 
is not listed on
http://www.us-cert.gov/ncas/alerts/TA14-017A ...

-- 
Petr^2 Spacek
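
As an added example (not part of the thread, and not FreeIPA or BIND project
code), the script below audits a named.conf `options` block for the
amplification-hardening settings Martin listed: recursion off, allow-recursion
and allow-transfer restricted to "none", and a rate-limit block with
responses-per-second set. The two configurations embedded in it are constructed
for the example; the parser is a small hand-written brace walker, not BIND's own
parser, and it treats `#` and `//` as comments even inside quoted strings. As
Petr notes, this checks only named.conf; FreeIPA zones stored in LDAP still need
`ipa dnszone-mod --allow-transfer` checked separately.

```python
"""Audit a BIND named.conf options block for open-resolver / amplification
hardening settings (constructed example, not BIND's own parser)."""
import re

# Constructed sample: the hardened options block recommended in the thread.
HARDENED_CONF = """
options {
    directory "/var/named";       // a comment BIND would accept
    allow-transfer { "none"; };
    allow-recursion { "none"; };
    recursion no;
    version "[Secured]";
    rate-limit {
        responses-per-second 15;   # threshold value from the thread
    };
};
"""

# Constructed sample: a default-looking block that answers as an open resolver.
OPEN_RESOLVER_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
};
"""


def _strip_comments(text):
    """Drop the three comment styles BIND accepts: /* */, //, and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _matching_brace(text, open_idx):
    """Index of the '}' that closes the '{' at open_idx, honouring nesting."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces in configuration")


def parse_statements(body):
    """Split a block body into {keyword: value}.

    Scalar statements ("recursion no;") map to their value string; brace
    statements ("rate-limit { ... };") map to the raw inner text so the
    caller can feed it back into parse_statements().
    """
    stmts, i = {}, 0
    while i < len(body):
        i += re.match(r"[\s;]*", body[i:]).end()   # skip whitespace / ';'
        if i >= len(body):
            break
        m = re.match(r"[\w-]+", body[i:])
        if not m:
            raise ValueError(f"unexpected token near {body[i:i + 20]!r}")
        key = m.group(0)
        i += m.end()
        brace = re.match(r"\s*\{", body[i:])
        if brace:                                   # nested block
            open_idx = i + brace.end() - 1
            close_idx = _matching_brace(body, open_idx)
            stmts[key] = body[open_idx + 1:close_idx].strip()
            i = close_idx + 1
        else:                                       # scalar statement
            semi = body.index(";", i)
            stmts[key] = body[i:semi].strip()
            i = semi + 1
    return stmts


def parse_options(conf):
    """Return the statements of the top-level options { } block, or {}."""
    text = _strip_comments(conf)
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return {}
    open_idx = m.end() - 1
    return parse_statements(text[open_idx + 1:_matching_brace(text, open_idx)])


def _acl_entries(value):
    """Normalise an ACL body like '"none";' or 'any;' to a list of names."""
    return [t.strip().strip('"') for t in value.split(";") if t.strip()]


def audit_options(conf):
    """Return a list of findings; an empty list means every recommended
    setting from the thread is present."""
    opts = parse_options(conf)
    findings = []
    if opts.get("recursion", "yes").lower() != "no":   # BIND defaults to recursion yes
        findings.append("recursion is not disabled: server acts as an open resolver")
    for acl in ("allow-recursion", "allow-transfer"):
        if acl not in opts:
            findings.append(f"{acl} is not set")
        elif _acl_entries(opts[acl]) != ["none"]:
            findings.append(f'{acl} is {_acl_entries(opts[acl])}, expected {{ "none"; }}')
    if "rate-limit" not in opts:
        findings.append("rate-limit block missing: no Response Rate Limiting")
    elif "responses-per-second" not in parse_statements(opts["rate-limit"]):
        findings.append("rate-limit present but responses-per-second is not set")
    return findings


if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED_CONF), ("open resolver", OPEN_RESOLVER_CONF)):
        print(name, "->", audit_options(conf) or "OK")
```

Running it on a real server's named.conf (read the file and pass its contents
to audit_options) gives a quick pre-exposure check; the open-resolver sample
yields four findings, the hardened sample none.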
