Hardening of servers in production environment

From PlcWiki


1. Fedora outdated – concerns only workstations

  • Fedora version depends on available hardware. Old PCs on the assembly line can’t be updated. There are about 650 workstations in SAS worldwide.
  • No desktop users use these computers
  • Possible solution – access only from Kernel server (local firewall – iptables)

2. Anonymous FTP kickstart – root password in clear text

  • Already fixed in latest release of the installation.

3. Passwords easy to guess --> migration to key-based ssh login only?

  • No problem to use the key based ssh login only

4. FTP protocol -> SFTP or any other (ssh-based) protocol. FTP access is used for:

  • Access to rpm repositories – no problem to change it to https
  • LES emergency data – needs to be discussed with Santi
  • Other cases need to be checked on all servers individually

5. http -> https

  • Who will be the certification authority? Then we can use the https and the certificate

6. CIFS v.1 -> CIFS v.2

  • Martin, which CentOS version is needed for the update to CIFS v.2? Is an older one also possible?

7. Apache outdated

  • Apache httpd can be uninstalled
  • Apache Tomcat can use https
  • Old versions of Apache Tomcat can be updated with an update of operating system (CentOS)

8. Zabbix outdated

  • Can be updated with an update of operating system (CentOS)

9. PHP outdated

  • PHP is not used for CLEVER. It is necessary to check whether any other applications have been installed by a third-party user.

10. Samba outdated

  • Can be updated with an update of operating system (CentOS)

11. phpMyAdmin outdated

  • Can be uninstalled, CLEVER doesn’t use it

12. TLS 1.2 desired

           	???

13. usage of current and valid certificates
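
For item 3 (key-based ssh login only), an added example that is not part of the original wiki page: a check that an sshd_config really leaves only key login enabled. The keywords are standard OpenSSH options (ChallengeResponseAuthentication is assumed because older OpenSSH releases use that name); the sample config and the account name in it are constructed.

```shell
#!/bin/sh
# Added example: check an sshd_config for key-only login (item 3).
# Rules applied: sshd keeps the FIRST value read for a keyword, keywords are
# case-insensitive, and global settings end at the first Match block.
# Limitations: Include files are not followed; Match criteria are not evaluated.

# audit_key_only FILE -> prints findings; exit status 0 only if nothing FAILs
audit_key_only() {
    awk '
    BEGIN {
        # required value and default-if-unset (defaults per sshd_config(5))
        need["passwordauthentication"] = "no";          def["passwordauthentication"] = "yes"
        need["challengeresponseauthentication"] = "no"; def["challengeresponseauthentication"] = "yes"
        need["pubkeyauthentication"] = "yes";           def["pubkeyauthentication"] = "yes"
        need["permitemptypasswords"] = "no";            def["permitemptypasswords"] = "no"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
    { sub(/[ \t]*=[ \t]*/, " ")                    # accept Keyword=value
      key = tolower($1); val = tolower($2) }
    key == "match" { in_match = 1; next }
    !in_match && (key in need) && !(key in got) { got[key] = val }
    in_match && (key in need) && val != need[key] {
        printf "FAIL line %d: Match block sets %s %s\n", NR, $1, $2; bad = 1
    }
    END {
        for (k in need) {
            v = (k in got) ? got[k] : def[k]
            if (v == need[k]) printf "ok   %s %s\n", k, v
            else { printf "FAIL %s is %s, want %s\n", k, v, need[k]; bad = 1 }
        }
        exit (bad ? 1 : 0)
    }' "$1"
}

# Constructed sample: the later "no" is ignored because "yes" comes first,
# and the Match block turns passwords back on for one account.
sample=$(mktemp)
printf '%s\n' '# constructed sample, not from a real server' \
    'PasswordAuthentication yes' 'passwordauthentication no' \
    'ChallengeResponseAuthentication=no' 'Match User backup' \
    '    PasswordAuthentication yes' > "$sample"
audit_key_only "$sample" || echo "=> password login still possible"
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration and can be compared against the same keywords.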
