[Freeipa-users] Hardening freeipa on the internet

Petr Spacek pspacek at redhat.com
Mon Apr 28 13:08:02 UTC 2014


On 25.4.2014 11:00, Petr Spacek wrote:
> On 25.4.2014 10:11, Martin Kosek wrote:
>> On 04/25/2014 09:50 AM, Andrew Holway wrote:
>>> Hello,
>>>
>>> I am having a think about running freeipa on the open seas for more
>>> distributed organisations and would like to understand where the
>>> weaknesses might be. I would almost certainly only make the ui
>>> unavailable; however, I am unsure about the other services.
>>>
>>> Would this be workable?
>>>
>>> Thanks,
>>>
>>> Andrew
>>
>> That's actually a very good question. I am currently working on a public
>> FreeIPA demo on the Red Hat OpenStack platform which I will make available in
>> the upcoming weeks and have a few pointers for you:
>>
>> 1) If you have DNS configured, make sure that your FreeIPA DNS does not pose as
>> an open DNS resolver, to avoid DNS amplification attacks.
>>
>> The following extension to the named.conf options should be a good start:
>>
>>          allow-transfer {"none";};
> This configuration applies only to zones defined in named.conf and not to
> FreeIPA zones defined in LDAP.
>
> Make sure that allow-transfer is configured for FreeIPA zones:
> $ ipa dnszone-mod --allow-transfer="none;" example.
>
>>          allow-recursion {"none";};
>>          recursion no;
>>          version "[Secured]";
>>          rate-limit {
>>              responses-per-second 15;
> You may need to modify this value to fit your needs.
>
> Further reading about DNS amplification attacks:
> http://www.us-cert.gov/ncas/alerts/TA13-088A
>
> Further reading about Response Rate Limiting:
> http://bkraft.fr/blog/bind_RRL_feature/
>
> https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html
>
>
> https://kb.isc.org/article/AA-00994/0
>
>>          };
>>
>> 2) Prevention for NTP amplification attack
>>
>> More info here:
>> https://support.steadfast.net/Knowledgebase/Article/View/106/0/preventing-ntp-amplification-attacks
>>
>
> Further reading about NTP amplification attacks:
> http://www.us-cert.gov/ncas/alerts/TA14-013A
>
>> Does anybody know about other precautions that should be made besides standard
>> hardening (SELinux, firewall, log audits)?
>
> I wonder if Kerberos over UDP could have the same problem... Maybe only if you
> have some principals with disabled pre-authentication. I don't know. Kerberos
> is not listed on
> http://www.us-cert.gov/ncas/alerts/TA14-017A ...

I realized that you probably want to disable anonymous access to LDAP. It will 
prevent random strangers from enumerating all users in your database...

-- 
Petr^2 Spacek
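As an added example (not part of the thread or of FreeIPA itself), a small Python check that reads a named.conf and reports whether the four settings discussed above (recursion off, allow-recursion none, allow-transfer none, RRL enabled) are present in the options block; the two sample configurations are constructed for illustration.

```python
import re

# Constructed sample named.conf options blocks (not from any real server);
# the weak one deliberately keeps the open-resolver settings the thread warns about.
WEAK_NAMED_CONF = """
options {
    listen-on port 53 { any; };
    recursion yes;
    allow-transfer { any; };
};
"""
HARDENED_NAMED_CONF = """
options {
    listen-on port 53 { any; };
    allow-transfer {"none";};
    allow-recursion {"none";};
    recursion no;
    rate-limit { responses-per-second 15; };
};
"""

def _options_block(text):
    """Return the body of the top-level options { ... } block (brace-balanced)."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[m.end():i]
    return text[m.end():]

def _acl_is_none(block, name):
    """True if `name { ... };` is present and its only entry is none / "none"."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{([^}]*)\}", block)
    if not m:
        return False
    entries = [e.strip().strip('"') for e in m.group(1).split(";") if e.strip()]
    return entries == ["none"]

def audit_named_options(text):
    """List findings for the options block; an empty list means all four checks pass.
    Covers only zones in named.conf: FreeIPA zones in LDAP need `ipa dnszone-mod`."""
    block = _options_block(text)
    findings = []
    if not re.search(r"\brecursion\s+no\s*;", block):
        findings.append("recursion not disabled (add 'recursion no;')")
    if not _acl_is_none(block, "allow-recursion"):
        findings.append("allow-recursion not restricted to none")
    if not _acl_is_none(block, "allow-transfer"):
        findings.append("allow-transfer not restricted to none")
    if not re.search(r"\brate-limit\s*\{[^}]*responses-per-second\s+\d+", block):
        findings.append("no rate-limit { responses-per-second N; } block (RRL off)")
    return findings
```

Run it against `/etc/named.conf` after applying the settings from the thread; it only inspects the options block, so zone-level overrides and LDAP-stored FreeIPA zones still need to be checked separately.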
