Transcription
CITRIXXENSERVER FREE/ADVANCED 5.6HARDENING GUIDEFOR ANY IDEAS OR RECLAMATIONSMAIL TO: KERMAKOV@PTSECURITY.RU
CONTENTS1.GENERAL SYSTEM SETTINGS. 31.1Services started with Citrix XenServer . 31.2Time synchronization configuration. 41.3Usage of SSHv2 . 41.4Usage of AES cryptoalgorithm for SSH . 41.5Restrict root login via SSH . 51.6Limit access to su command. 51.7Forbid login to single user mode without password . 61.8extlinux loader password . 61.9Activate password storing in /etc/shadow file . 61.10 Ensure that there are no users with empty passwords . 71.11 Ensure that passwd and shadow and files and system group files do not include « ». 71.12 Install Citrix XenServer server certificates . 71.13 Update vulnerable packages . 81.14 Store password history . 91.15 Configure unsuccessful login attempts logging and limit additional attempts . 91.16 Password policy configuration . 102.SYSTEM NETWORK CONFIGURATION . 112.1Separate network interfaces by task . 112.2Restrict unencrypted connections to XAPI . 122.3Use encrypted connections in data transferring network . 132.4Configure umask creation for VHD files . 132.5Remote NFS storage configuration . 142.6Disable promiscuous mode for network cards on virtual machines . 152.7OS kernel network settings configuration . 152.8Firewall configuration . 153.XENSERVER HYPERVISOR SETTINGS . 173.1Disable debug mode for xenstored . 173.2Configure shared secret for «pool» mode . 173.3Disable debug mode for xapi demon . 173.4Configure xenstored demon logging . 183.5Disable vncterm automatic logon into dom0 as a root . 183.6Disable xsconsole autorun as a root on tty1 . 183.7Configure PAM in XAPI module . 193.8Disable testing mode in xsconcole . 203.9Disable default web page . 204.VIRTUAL MACHINE SETTINGS . 204.1Limit log file size . 204.2Disable unused virtual devices. 214.3Disable service console redirection. 21CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDEPage 2 of 21
1.GENERAL SYSTEM SETTINGSThis chapter covers general system settings. The introduced protection methods are the same as usedfor usual servers based on OS Linux.1.1Services started with Citrix XenServerWe recommend you to limit services started with the system by default.How to fix:Do the following for all unused services:chkconfig servicename offwhere servicename is a service name.The results for a separately installed XenServer 5.6 server may be as follows:chkconfig --list grep istributionxen-domain-uuidxenservicesCITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDEPage 3 of 21
1.2Time synchronization configurationTime synchronization is necessary for correct cooperation of XenServer hosts individually or in poolmode. You can use your own NTP server or default time servers.How to fix:Add the following strings into /etc/ntp.conf file (address rhel.pool.ntp.org is an example):server 0.rhel.pool.ntp.orgserver 1.rhel.pool.ntp.orgserver 2.rhel.pool.ntp.orgStart NTP server:/etc/init.d/ntpd startchkconfig ntpd on1.3Usage of SSHv2You can use SSH to access Service Console. In this case, disable insecure authentication methods andsome other settings from the list below:How to fix:Configure the following settings in /etc/ssh/sshd config file:Protocol 2IgnoreRhosts yesRhostsRSAAuthentication noHostbasedAuthentication noPermitEmptyPasswords noReboot sshd for the modifications to take effect:/etc/init.d/sshd restart1.4Usage of AES cryptoalgorithm for SSHWe recommend to use AES cryptoalgorithm for SSH traffic. It is more secure than previously used, andopposite to Blowfish and other cryptoalgorithms (supported by OpenSSL library), the great number ofclient devices support it.How to fix:Set Ciphers option in /etc/ssh/sshd config configuration file:Ciphers aes256-cbc,aes128-cbcCITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDEPage 4 of 21
Reboot sshd for the modifications to take effect:/etc/init.d/sshd restart1.5Restrict root login via SSHWe recommend you to restrict root login via SSH for secure purposes. This measure helps to preventroot password brute force attacks, and also make it easier to investigate incidents in case several usersare aware of the password.How to fix:Set the following option in /etc/ssh/sshd config configuration file:PermitRootLogin noReboot sshd for the modifications to take effect:/etc/init.d/sshd restart1.6Limit access to su commandsu command allows users to execute the shell with the privileges of a specified user, mostly root. Werecommend you to grant access to the command only for Citrix XenServer server administrators: includethe administrators into wheel group and then enable access limitations that means that only wheelmembers are able to execute su command.Note. Depending on the company’s security policy, su can be forbidden in the system. In this case, youcan execute privileged operations via sudo, and wheel group should not include users.How to fix:Do the following for every user (admin is an example):usermod -G wheel adminThen, enable access to su command for wheel members only. Ensure that /etc/pam.d/su fileincludes the following string (not in comments):auth required pam wheel.so use uidIf su is forbidden, ensure that wheel do not include users via contents of files from /etc/passwdfolder (primary group) and /etc/group folder (secondary groups).CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDEPage 5 of 21
1.7Forbid login to single user mode without passwordCitrix XenServer is based on RedHat Linux, therefore it also supports single user mode. You can activateit via loader settings. Default settings allow all users to access console with root privileges. This allowsattackers with access to Citrix XenServer local console get root privileges and execute arbitrarycommands on the vulnerable server. Therefore, we recommend you to configure passwordauthentication to change to single user mode.How to fix:Add the following entry into /etc/inittab file: :S:wait:/sbin/suloginOr edit an existed string with “S” in the second field.1.8extlinux loader passwordOS Citrix XenServer loader allows you to configure a great number of OS kernel settings, including acommand used to change to single user mode. By default, OS load options are not protected bypassword that allows attackers with physical access to Xen server local console to set unauthorized OSloading options. To prevent the situation, we recommend you to set password for loader management.Ensure that only super user has access to the service console loader configuration file forreading/writing.How to fix:Execute the following command in Service Console as a root:echo пароль загрузчика sha1sumchown root:root /boot/extlinux.confchmod 600 /boot/extlinux.confThen, add the 40 hash characters into /boot/extlinux.conf file (global sections of loader settings):menu master passwd password sha1 hash 1.9Activate password storing in /etc/shadow fileOS Citrix XenServer does not store password hashes in a separate file (/etc/shadow) according topam unix.so module default settings. Therefore, if an account exists in the system, an attacker canaccess it. We recommend you to reconfigure the system to prevent this situation.How to fix:Edit /etc/pam.d/system-auth file as follows:passwordsufficientnullok md5 shadowpam unix.so try first pass use authtokCITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDEPage 6 of 21
Execute the following command:pwconvReboot the operating system.1.10 Ensure that there are no users with empty passwordsAn attacker can use user accounts without passwords to login. Ensure that all user accounts havepasswords or blocked via «!!». Here is an example (/etc/shadow):vncterm base:!!:15278:0:99999:7:::How to fix:Set passwords for all accounts. Use passwd command, or block unused accounts via usermod –L username command.1.11Ensure that passwd and shadow and files and system group files do not include« »« » characters in used in accounts and passwords system configuration files as to insert NIS values. Werecommend you to delete such entries to protect the system security. Here is an example of such entryfrom /etc/shadow file:username: :15278:0:99999:7:::How to fix:Delete these settings from service files.1.12Install Citrix XenServer server certificatesWe recommend you to install custom .pem SSL certificates to prevent certificate spoofing.How to fix:Do the following to install CA certificate:Link a key media to the system.Execute the following command:xe pool-certificate-install filename /path/to/ca-cert.pem where /path/to/ca-cert.pem is a certificate file path on the external media.Do the following to add a server certificate:Mount the key media.Execute the following commands:CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDEPage 7 of 21
service xapi stoppkill stunnelcp /etc/xensource/xapi-ssl.pem /etc/xensource/orig-xapi-ssl.pemcp /path/to/new/cert.pem /etc/xensource/xapi-ssl.pemservice xapi startDo the following to enable SSL certificate checks:touch /var/xapi/verify certificates1.13Update vulnerable packagesIt is known that OS Citrix XenServer is based on RedHat Linux 5. Citrix policy states that patch updatesare usually issued twice a year. The system package often includes rather old versions. In spite of Citrixnotifications that these packages do not include vulnerabilities, we recommend you to check yoursystem for vulnerable packages on your own with third-party software. Here we use MaxPatrol 8(Positive Technologies).How to fix:Note that you use this method at your own risk, and there is no guarantee that the system wouldnormally operate as you install updates. We hardly recommend you to create a backup copy beforeupdating. You can use this method only in case you can solve problems with xapi and other systemcomponents on your own.Detect vulnerable packages by any means, i.e.,with a security scanner or check versions with yum secureplagin. Here is an example hop to detect vulnerable packages and what measures to take. Let ussuppose, that you’ve detected that the following packages are vulnerable: package 1 package 2 package 3 Then, you should activate yum repository to update the packages.Edit strings enabled in/etc/yum.repos.d/CentOS-Base.repo file:[base]name CentOS- releasever - Basemirrorlist http://mirrorlist.centos.org/?release releasever&arch basearch&repo os#baseurl http://mirror.centos.org/centos/ releasever/os/ basearch/gpgcheck 1gpgkey e kernel-xen*, *xen*enabled 1#released updates[updates]name CentOS- releasever - Updatesmirrorlist http://mirrorlist.centos.org/?release releasever&arch basearch&repo updatesCITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDEPage 8 of 21
#baseurl http://mirror.centos.org/centos/ releasever/updates/ basearch/gpgcheck 1gpgkey e kernel-xen*, *xen*enabled 1While updating, you have to disable Citrix repository in /etc/yum.repos.d/Citrix.repo file:enabled 0Then, update vulnerable packages via yum tool:yum update package 1 package 2 package 3 1.14Store password historyYou should store several password hashes to prevent passwords to be used again in a short period oftime. The recommended value is 10.Note. In case administrator (root) changes a user password, the hash is not stored in password historyfile.How to fix:Do the following commands:touch /etc/security/opasswdchmod 600 /etc/security/opasswdchown root:root /etc/security/opasswdThen, add the following string into /etc/pam.d/system-auth filepassword1.15requiredpam unix.soremember 10Configure unsuccessful login attempts logging and limit additional attemptsWe recommend you to use additional logging for unsuccessful login attempts. You should also block anaccount for a certain period in case of an authentication error. To configure the system use PAM moduleconfiguration settings.How to fix:Edit /etc/pam.d/system-auth file. We recommend to enable pam tally module to make it harderfor attackers to conduct brute force attacks. With the settings shown below, it blocks users for 300seconds if there are three unsuccessful login attempts:authrequiredpam env.soCITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDEPage 9 of 21
authrequiredeven deny root accountauthsufficientauthrequiredpam tally.so deny 3 unlock time 300pam unix.so try first pass nullokpam deny.soaccountrequiredpam unix.soaccountrequiredpam tally.sopasswordrequiredpam cracklib.so try first pass retry 3passwordsufficientpam unix.so try first pass use authtoknullok md5 shadowpasswordrequired pam unix.soremember 10passwordrequiredpam deny.sosessionsessionsessioncrond quietsession1.16optionalpam keyinit.so revokerequiredpam limits.so[success 1 default ignore] pam succeed if.so service inuse uidrequiredpam unix.soPassword policy configurationUsers should use passwords of at least 9 characters. We recommend you to limit maximum passwordage (90 days) to decrease the negative effect in case the system is compromised. We also recommendyou to notify users 14 days earlier the day the password is expired. If a user does not change itspassword in 7 days, you should block the account.How to fix:Execute the following command for every user in the system except administrator:chage -m 7 имя пользователя Edit the following strings in /etc/login.defs file to configure the password policy:PASS MAX DAYS 90PASS MIN DAYS 7PASS WARN AGE 14PASS MIN LEN 9CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDEPage 10 of 21
2.SYSTEM NETWORK CONFIGURATIONThe shown below settings are an abstract example. You should remember your own networkarchitecture and server hardware to use these recommendations.Separate network interfaces by taskC3NIVM2NIC-VMVMXenServerSMAPIXAPIWe recommend you to protect networks for management, data transferring and virtual machines toprovide maximum security. In that way, you can prevent system compromising in case an attackermanages to crack one of the networks. Pic. 1 shows this solution.Citrix-1ManagementNetworkNIC2.1Storage NetworkExternal NetworkPic. 1. Logic scheme that shows how to separate hypervisor networksHow to fix:It there are several network interfaces, separate them physically and logically. It you unable to separatethe networks, we recommend you to separate them on IP level or in any way.Managing interface configuration:Show UUID PIF according to eth0 (NIC0) device and its network UUID:xe pif-list device eth0 params uuid,network-uuidCITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDEPage 11 of 21
Modify the network name:xe network-param-set uuid network uuid name-label "Management NW"Data transferring interface configuration:Show UUID PIF according to eth1 (NIC1) device and its network UUID:xe pif-list device eth1 params uuid,network-uuidConfigure network IP address:# xe pif-reconfigure-ip uuid pif uuid mode static IP ip \gateway gateway netmask netmask DNS DNS Modify the network name:xe network-param-set uuid network uuid name-label "Storage NW"Virtual machine nterface configurationShow UUID PIF according to eth2 (NIC2) device and its network UUID:xe pif-list device eth2 params uuid,network-uuidConfigure a guest network in case there is no IP address:xe pif-reconfigure-ip uuid uuid mode noneModify the network name:xe network-param-set uuid network uuid name-label "Guest NW 0"Do the operations for eth3, eth4 and so on.2.2Restrict unencrypted connections to XAPIBy default, XAPI stack listen ports 80 (unencrypted channel) and 443 (SSL tunnel) for connection. Ifunencrypted data are used, an attacker can compromise administrator’s operations. We recommendyou to disable access by port 80 for all clients except XenCenter working station.How to fix:Execute the following command:/etc/init.d/iptables saveEdit /etc/sysconfig/iptables file:-A RH-Firewall-1-INPUT –s xen center ip -p tcp -m state --state NEW m tcp --dport 80 -j ACCEPTCITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDEPage 12 of 21
Execute the following command:/etc/init.d/iptables restart2.3Use encrypted connections in data transferring networkIf you move virtual machines, data is transferring between servers (for example, in XenMotion mode) inplain text. It means that data is transferred unencrypted. In spite the fact that networks are separated,you should protect this traffic. We recommend you to use encryption on IP level, such as VPN. There isno example because of a great variety of possible solutions.Configure encryption for iSCSI password transferring:OpenISCSI software is used to connect to remote iSCSI storage for iSCSI traffic. This software supportsCHAP protocol to send passwords. We recommend you to use CHAP authentication for OpenlSCSIconnections.How to fix:Set the following setting for the variable in /etc/iscsi/iscsid.conf file.# To enable CHAP authentication set node.session.auth.authmethod# to CHAP. The default is None.node.session.auth.authmethod CHAP2.4Configure umask creation for VHD filesBy default, Citrix XenServer creates virtual machine files with read privileges for “other”. Therefore,every user has rights to get virtual machine data. We recommend you to limit privileges for these filetypes.How to fix:You should modify server scripts to modify umask settings.Edit /opt/xensource/sm/FileSR.py file:def create(self, sr uuid, vdi uuid, size):os.umask(077)if util.ioretry(lambda: util.pathexists(self.path)):Then, you can need to compile file pyc and pyo. Create /opt/xensource/sm/compile.py file with thefollowing content:#!/usr/bin/pythonimport py compilepy , execute the following commands:CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDEPage 13 of 21
python /opt/xensource/sm/compile.pypython –O /opt/xensource/sm/compile.pyand reboot the hypervisor with the following command:shutdown –r now2.5Remote NFS storage configurationEvery remote NFS storage is a folder with a file in VHD format. VHD is not encrypted, therefore werecommend you strictly limit the list of users that are allowed to mount the folder.How to fix:We recommend you to modify system settings to operate with remote NFS storage. Below we showhow to configure NFS storage on Linux remote server. Ensure that single IP address is locked in/etc/exports file:/ vm share dir xenserver ip (rw,root squash,anonuid xen user UID ,anongid xen userGID ,sync)Discover the folder owner:chown xen user : xen user group vm share dir Configure mountd, statd, lockd and rquotad demons to operate with static ports (ports 4002-4006 areused as an example) in /etc/sysconfig/nfs file:MOUNTD PORT ”4002”STATD PORT ”4003”LOCKD TCPPORT ”4004”LOCKD UDPPORT ”4004”RQUOTAD PORT ”4005”STATD OUTGOING PORT ”4006”Add the following strings into INPUT table for /etc/sysconfig/iptables network NPUTINPUT–s–s–s–s–s–s xenserver-ip xenserver-ip xenserver-ip xenserver-ip xenserver-ip xenserver-ip CITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING t–dport–dport–dport–dport111 –j ACCEPT111 –j ACCEPT4002:4006 –j ACCEPT4002:4006 –j ACCEPT2049 –j ACCEPT2049 –j ACCEPTPage 14 of 21
2.6Disable promiscuous mode for network cards on virtual machinesIf promiscuous mode is enabled for simulated network interface, a virtual machine is able to intercepttraffic from other guest systems, and also use other specific features including a possibility to sendmalformed or malicious requests accidentally or deliberately Therefore, we do not recommend you toenable this mode.How to fix:Execute the following commands in Service Console to disable VIF or promiscuous mode:xe pif-param-set uuid PIF UUID other-config:promiscuous "off"or:xe pif-param-set uuid PIF UUID other-config:promiscuous "false"2.7OS kernel network settings configurationThe following OS kernel settings are necessary to harden Citrix XenServer network attack tolerance:net.ipv4.tcp max syn backlog 4096net.ipv4.tcp syncookies 1net.ipv4.conf.all.rp filter 1net.ipv4.conf.all.accept source route 0net.ipv4.conf.all.accept redirects 0net.ipv4.conf.all.secure redirects 0net.ipv4.conf.default.rp filter 1net.ipv4.conf.default.accept source route 0net.ipv4.conf.default.accept redirects 0net.ipv4.conf.default.secure redirects 0net.ipv4.icmp echo ignore broadcasts 1How to fix:Add the settings into /etc/sysctl.conf file, reboot the system and execute the following command:sysctl -p2.8Firewall configurationDefault Citrix XenServer installation includes Netfilter firewall and iptables command line utility used tomanage it. We recommend you to configure this software to provide secure network communication.How to fix:Use the following settings for managing network:service iptables startiptables -Fiptables -Xiptables -P INPUT ACCEPTiptables -P FORWARD ACCEPTiptables -P OUTPUT ACCEPTCITRIX XENSERVER FREE/ADVANCED 5.6 HARDENING GUIDEPage 15 of 21
tablesiptablesiptables-A-A-A-A-A-A-A-A-AINPUT -i xenbr0 -p tcp --dport 443 -m state --state NEW -j ACCEPTINPUT -i xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPTINPUT -i xenbr0 -j DROPOUTPUT -o xenbr0 -p tcp --dport 443 -m state --state NEW -j ACCEPTOUTPUT -o xenbr0 -p tcp --dport 7279 -m state --state NEW -j ACCEPTOUTPUT -o xenbr0 -p tcp --dport 27000 -m state --state NEW -j ACCEPTOUTPUT -o xenbr0 -p udp --dport 123 -m state --state NEW -j ACCEPTOUTPUT -o xenbr0 -m state --state RELATED,ESTABLISHED -j ACCEPTOUTPUT -o xenbr0 -j DROPInput chain for data transferring network:iptables -A INPUT -i xenbr1 -m state --state RELATED,ESTABLISHED -j ACCEPTiptables -A INPUT -i xenbr1 -j DROPAdd the following perm
Citrix XenServer is based on RedHat Linux, therefore it also supports single user mode. You can activate it via loader settings. Default settings allow all users to access console with root privileges. This allows attackers with access to Citrix XenServer local console get root privileges and execute arbitrary commands on the vulnerable server.
