Security Hardening for Rockstor

This is a repost from duncaninnes

As Rockstor is based on CentOS 7, we should be able to follow some of the hardening benchmarks in the CISecurity docs for RHEL 7. Not all will apply of course, but they’re a good starting point.

That sounds like a good idea. Is this the document you are talking about?

https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.0.0.pdf

If not, please post a link if available.

Yup, that’s the one. Still needs work, but it’s in a pretty good place already.


Searching for security as a keyword I stumbled over this post.

I haven’t read the PDF yet, but one thing has to be fixed pretty soon, because I already know a few people using Rockstor as a replacement for their “other” NAS software.
Most of them allow external IPs to access the NAS, and a lot of them also use simple IP forwarding instead of specific ports. Therefore I am missing a simple tool from the standard CentOS repository which would make Rockstor a little bit more secure from the start: "fail2ban". With the default settings it would save a lot of people’s lives, especially for SSH access from the outside. Rockstor has a root user by default and does not give you the ability at installation time to overcome this (like Ubuntu does, which has no root but a named user granted sudo rights).

Nevertheless, a lot of script kiddies use SSH access with the user root to guess the password; fail2ban would overcome this problem, which most of the “standard” NAS users wouldn’t even recognize when they got hacked.


There is a CentOS 7 CIS benchmark as well:

https://benchmarks.cisecurity.org/tools2/linux/CIS_CentOS_Linux_7_Benchmark_v1.1.0.pdf

Hi,

I read through the document and there is some really good advice written down. Some of it is a little too much, but nevertheless I would appreciate having a list of all the actions which can be taken.
After that it is necessary to decide which of the actions should be taken on Rockstor and which are not necessary (this has to be documented).
After that every action needs a release date when it was added.

At the end, there should be a rockstor_audit script checking every Rockstor installation on demand to see if it is still compliant with the actions taken.

Looking forward to making Rockstor more secure; at the moment I am not convinced about Rockstor security.

by the way, this would be a major benefit for business customers :wink:

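A sketch of what the proposed rockstor_audit script could look like for the SSH points raised earlier in the thread (root login over SSH, password guessing); this is an added example and not code from the thread or from the Rockstor project. The keyword list, the expected values and the compiled-in sshd defaults are my assumptions based on the SSH section of the CIS benchmark; the script only reads a config file, so it can be tried against any copy of sshd_config.

```shell
#!/bin/sh
# Added example, not Rockstor project code: a minimal rockstor_audit-style
# check of sshd_config against a few CIS-style SSH settings.

# sshd_value FILE KEYWORD: print the value sshd would use for KEYWORD.
# sshd applies the first uncommented match, and anything after a "Match"
# line is conditional, so we stop there. (Assumes "Keyword value" syntax.)
sshd_value() {
    awk -v key="$2" '
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(key)  { print $2; exit }
    ' "$1"
}

# audit_sshd FILE: print one line per rule; return 0 only if every rule passes.
# Rule format is keyword:wanted:default, where default is the compiled-in sshd
# value when the keyword is absent (assumed from OpenSSH as shipped on CentOS 7).
# A numeric "wanted" means "at most this value".
audit_sshd() {
    file=$1; fails=0
    for rule in PermitRootLogin:no:yes PasswordAuthentication:no:yes \
                PermitEmptyPasswords:no:no MaxAuthTries:4:6; do
        key=${rule%%:*}; rest=${rule#*:}; want=${rest%%:*}; dflt=${rest#*:}
        val=$(sshd_value "$file" "$key")
        [ -n "$val" ] || val=$dflt
        if [ "$want" -eq "$want" ] 2>/dev/null; then
            [ "$val" -le "$want" ] 2>/dev/null && ok=1 || ok=0
        else
            [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = "$want" ] && ok=1 || ok=0
        fi
        if [ "$ok" -eq 1 ]; then
            echo "ok    $key = $val"
        else
            echo "FAIL  $key = $val (benchmark wants $want)"
            fails=$((fails + 1))
        fi
    done
    [ "$fails" -eq 0 ]
}

# Stand-alone use: sh audit_sshd.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then audit_sshd "$1"; fi
```

A non-zero exit status means at least one rule failed, so the script can be run from cron or a monitoring job on every Rockstor box. Service checks (fail2ban and firewalld running) would be the next rules to add.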

That sounds great @herbert. I do like to document a matrix/table which lists all possibilities, implementation status, notes etc… A wikified post is perhaps a good start. Feel free to get started on it, it might take me some time to get to it myself.

I’m gonna start with this in a few days. Let’s see where it leads us.

I know this thread is REALLY old, but I am really wanting fail2ban to be included as well. A NAS without security is just asking for issues. I use CentOS for all my servers currently and the first thing I do for clean installs is I install Fail2Ban and configure the firewall to close all ports except those required. I currently have Rockstor running in a VM and I am going to experiment with getting Fail2Ban configured and running.


Looking forward to hearing about any progress on this.