Amanda Enterprise Server Enhanced Security Configurations

This article is for Amanda Enterprise (AE)

Information security has increasingly become critically important at all levels, from small to medium sized businesses, enterprises, universities and even home users.

Disabling ICMP Redirects

Malicious users can use specially crafted ICMP request messages to launch Denial of Service attacks against the network. If ICMP redirects are not used in your network design to update route tables and the backup server is not also acting as a router or a gateway then ICMP Redirect accept and send messages should be disabled. It is simple to disable ICMP redirection in Linux (and many other Unix-like operating systems) by means of the proc filesystem (procfs) and procfs itself is easiest to work with through an interface like sysctl.

Disabling ICMP Redirects Accept and Send at runtime for all interfaces is done with sysctl by issuing the following commands.

Disabling ICMP Redirects for IPv4 at runtime:

Root@host# /sbin/sysctl -w net.ipv4.conf.all.accept_redirects = 0
Root@host# /sbin/sysctl -w net.ipv4.conf.all.send_redirects = 0

Disabling ICMP Redirects for IPv6 at runtime:

Root@host# /sbin/sysctl -w net.ipv6.conf.all.accept_redirects = 0
Root@host# /sbin/sysctl -w net.ipv6.conf.all.send_redirects = 0

If you wish to specify an interface, e.g. eth0, then you would replace 'all' in the above examples with the name of the interface. I.e.:

Root@host# /sbin/sysctl -w net.ipv4.conf.eth0.accept_redirects = 0

This, however, is a poor method because changes will not be persistent to a reboot. It is better to modify the /etc/sysctl.conf file for a permanent change if ICMP Redirects accept and send are not required.

Modifying sysctl.conf for RHEL-like and SLES-like operating systems:

# For IPv4
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

# For IPv6
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.send_redirects = 0

Modifying sysctl.conf for Ubuntu and Debian-like operating systems:

# For IPv4
net/ipv4/conf/all/accept_redirects = 0
net/ipv4/conf/all/send_redirects = 0

# For IPv6
net/ipv6/conf/all/accept_redirects = 0
net/ipv6/conf/all/send_redirects = 0

Apache Configuration

The Zmanda Management Console (ZMC) is powers the Apache HTTP Server (httpd). As such, all security considerations that would be applicable for any other production HTTP server also apply to the ZMC. The configuration files for the Zmanda httpd instance can be found in the directory /opt/zmanda/amanda/apache2/ on the file system.

Zmanda works diligently to make sure the default configuration of httpd is secure, but it is important to keep up to date with Apache Security Updates as well.

Some common issues you may experience if using an older version of Amanda Enterprise include:

X.509 Server Certificates

Zmanda does not come packaged with an X.509 server certificate. If a user wishes to implement an X.509 then it will need to purchased or otherwise generated for use with the Apache HTTP Server.

httpd.conf

In some older versions of Zmanda you may find that the Set-Cookie HTTP response header is missing HttpOnly. Add the following entry in httpd.conf:

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Restart the ZMC using: /etc/init.d/zmc_aee restart.

ssl.conf

In older versions of Zmanda you may want to increase the strength of ciphers that are used, and enforce their priority. Find the following line in ssl.conf and either comment it out or remove it:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:RC4+RSA:+HIGH

With the previous line commented out or removed, add the following two lines:

SSLHonorCipherOrder On

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

For additional information regarding the ciphers, and to ensure that your configuration complies with your security policy: be sure to check the documentation of openssl.

SELinux

For enforcing additional levels of security by means of mandatory access controls (MAC), it is advisable to implement SELinux. SELinux is implemented in many popular Linux distributions and additional information regarding using it and Amanda Enterprise in tandem can be found in the article SELinux and Amanda Enterprise.