HP OSMS white paper: Security of Open Source Middleware Stacks
Addressing Configuration Weaknesses
Regardless of which operating system or components might be present, your system’s security depends
on the state of its deployed configuration. A misconfigured system can undermine all other security
designs.
The following is a list of configuration “best practices.” Following these essential practices can help you
avoid many common security pitfalls in newly installed systems.
Password management tasks
• Do not retain default passwords for any component or account. Search for and eliminate default account passwords.
  • Use the following Web search to prove to yourself that default passwords are common knowledge and easily exploitable:
    http://www.google.com/search?q=default+password
  The mysql_install_db executable completes a MySQL installation, which initializes accounts with the username root and gives them superuser privileges. These accounts start off with empty passwords, and if the passwords are not changed, connections using the root account do not require passwords and yet possess all privileges. For more information, see the MySQL Web site at:
  http://www.mysql.com
• Require strong passwords to deter brute force attacks.
  PAM modules can aid the enforcement of password policies by checking for password strength. For more information, see the Linux-PAM Web page at:
  http://www.kernel.org/pub/linux/libs/pam
• Expire old passwords on a regular schedule.
  Passwords that gain access to critical systems should age the quickest: the more critical the item, the less time a password should be used.
• Audit your machines to ensure compliance with the password policy.
Account management tasks
• Limit the number of failed login attempts to deter brute force attacks.
  Given enough time and weak passwords, a brute force attack can succeed against SSH despite its strong encryption, because the attacker guesses the password rather than breaking the cipher. To prevent this, limit login attempts with PAM or with component configurations such as those found in OpenSSH.
• Limit access of privileged accounts from remote locations.
  For instance, the root account should not permit remote logins. Limiting remote logins can curtail privilege escalation by remote attackers.
• Enable firewall rules to limit where remote logins can occur.
  By allowing logins only from the local subnet and by using a virtual private network (VPN), the system is protected from login attempts by unknown network addresses.
• Use the principle of least privilege when assigning user and process rights.
  — Remember this principle when managing user accounts and give users just enough permission to get their job done.
  — Use sudo for administrative commands instead of logging in as root, and disable direct root logins.
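As an added example (not code from the HP white paper), the following POSIX shell script checks constructed sshd_config, login.defs and shadow snapshots for the weaknesses named in the two lists above: remote root login, unlimited failed SSH attempts, passwords that never expire, and accounts with empty passwords. The file contents, account names and the limits 3 and 90 are assumptions.

```sh
#!/bin/sh
# Added example, not from the HP white paper: shell checks for the password and
# account weaknesses listed above, run against constructed config snapshots.
# Hypothetical inputs; on a real host feed /etc/ssh/sshd_config,
# /etc/login.defs and (as root) /etc/shadow instead.

# Constructed "before" sshd_config: root may log in remotely, no attempt limit.
WEAK_SSHD='PermitRootLogin yes
PasswordAuthentication yes'
# Constructed hardened counterpart.
HARD_SSHD='PermitRootLogin no
MaxAuthTries 3
PasswordAuthentication yes'
# Constructed login.defs: passwords effectively never expire.
WEAK_LOGIN_DEFS='PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0'
# Constructed shadow lines: "dbuser" has an empty password field.
SHADOW='root:$6$x1:19000:0:99999:7:::
dbuser::19000:0:99999:7:::
alice:$6$x2:19000:0:90:7:::'

# sshd honours the first occurrence of a keyword, so print the first match (lowercased).
sshd_value() { printf '%s\n' "$1" | awk -v k="$2" 'tolower($1)==k {print tolower($2); exit}'; }

# 0 (finding) when root may log in over SSH. An unset keyword is reported too:
# its default depends on the OpenSSH version, so it should be set explicitly.
root_login_allowed() {
  v=$(sshd_value "$1" permitrootlogin)
  [ -z "$v" ] || [ "$v" = "yes" ]
}
# 0 (finding) when MaxAuthTries is unset or larger than the limit given in $2.
auth_tries_unbounded() {
  v=$(sshd_value "$1" maxauthtries)
  [ -z "$v" ] || [ "$v" -gt "$2" ]
}
# 0 (finding) when PASS_MAX_DAYS is unset or exceeds the limit given in $2.
password_never_expires() {
  v=$(printf '%s\n' "$1" | awk '$1=="PASS_MAX_DAYS" {print $2; exit}')
  [ -z "$v" ] || [ "$v" -gt "$2" ]
}
# Print account names whose shadow entry has an empty password field.
empty_password_accounts() { printf '%s\n' "$1" | awk -F: '$2=="" {print $1}'; }

# Report findings for the weak snapshots and confirm the hardened sshd_config passes.
root_login_allowed "$WEAK_SSHD" && echo "FINDING: root may log in over SSH"
auth_tries_unbounded "$WEAK_SSHD" 3 && echo "FINDING: failed SSH logins are not limited"
password_never_expires "$WEAK_LOGIN_DEFS" 90 && echo "FINDING: passwords never expire"
for u in $(empty_password_accounts "$SHADOW"); do echo "FINDING: empty password for $u"; done
root_login_allowed "$HARD_SSHD" || echo "OK: hardened sshd_config denies root login"
```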
Essential Security 17