Hardening of servers in production environment
From PlcWiki
Jon (Talk | contribs)
Current revision as of 12:32, 10 September 2021
1. Fedora outdated – concerns only workstations
- Fedora version depends on available hardware. Old PCs on the assembly line can’t be updated. There are about 650 workstations in SAS worldwide.
- No desktop users use these computers
- Possible solution – access only from Kernel server (local firewall – iptables)
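The restriction proposed in item 1, as an added example that is not part of the original page: a POSIX shell function that prints an iptables-restore ruleset for a workstation, accepting new inbound connections only from the Kernel server. The address 192.0.2.10, the function names and the decision to leave outbound traffic open are assumptions.

```shell
#!/bin/sh
# Added example. 192.0.2.10 (documentation range) stands in for the Kernel
# server address; leaving OUTPUT open is an assumption, not from the page.

# Succeed only for a dotted-quad IPv4 address with octets 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac   # no leading zeros (octal ambiguity)
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ruleset on stdout; print nothing and fail on a bad address.
workstation_rules() {
    kernel_ip=$1
    if ! is_ipv4 "$kernel_ip"; then
        echo "invalid Kernel server address: $kernel_ip" >&2
        return 1
    fi
    # "-m state" is used instead of "-m conntrack" because it is also
    # available in the older iptables releases shipped with old Fedora.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $kernel_ip/32 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Dry run on a workstation before loading for real:
#   workstation_rules 192.0.2.10 | iptables-restore --test
```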
2. Anonymous FTP: kickstart root password in clear text
- Already fixed in latest release of the installation.
3. Passwords easy to guess --> migration to key-based SSH login only?
- Using key-based SSH login only is no problem
4. FTP protocol to SFTP or any other (ssh). FTP access is used for:
- Access to rpm repositories – no problem to change it to https
- LES emergency data – needs to be discussed with Santi
- Other cases need to be checked on all servers individually
5. http -> https
- Who will be the certification authority? Once that is known, we can use https with the certificate
6. CIFS v.1 -> CIFS v.2
- Martin, which CentOS version is needed for the update to CIFS v.2? Would an older one work too?
7. Apache outdated
- Apache httpd can be uninstalled
- Apache Tomcat can use https
- Old versions of Apache Tomcat can be updated with an update of operating system (CentOS)
8. Zabbix outdated
- Can be updated with an update of operating system (CentOS)
9. PHP outdated
- PHP is not used for CLEVER. It is necessary to check whether any other applications have been installed by a third-party user.
10. Samba outdated
- Can be updated with an update of operating system (CentOS)
11. phpMyAdmin outdated
- Can be uninstalled, CLEVER doesn’t use it
12. TLS 1.2 desired
???
13. Usage of current and valid certificates