Hardening your WebADM Server

1. Overview

Hardening is the process of securing a system by reducing its attack surface. This guide shows how to reduce the available ways of attack: enabling FIPS mode, changing the default passwords, encrypting configuration passwords, limiting SSL protocols and cipher suites, replacing certificates, setting a boot loader password, disabling root login over SSH, securing the MySQL/MariaDB database, setting firewall rules and resetting the RCDevs Virtual Appliance root password. Consider carefully which of these settings are relevant for your deployment. We also recommend that you keep WebADM and the operating system up to date with the latest versions.

2. Boot Loader GRUB2 Password

To protect GRUB2 with a password, run the following command grub2-setpassword and type in your new boot loader password.

-bash-4.2# grub2-setpassword
Enter password: 
Confirm password:
-bash-4.2#

Now regenerate your GRUB2 configuration with the grub2-mkconfig -o /boot/grub2/grub.cfg command (on a UEFI system the file is /boot/efi/EFI/centos/grub.cfg instead).

-bash-4.2# grub2-mkconfig -o /boot/grub2/grub.cfg 
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-957.1.3.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-957.1.3.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-098bdb88d4db43fa8bbb00d5f2b63b3c
Found initrd image: /boot/initramfs-0-rescue-098bdb88d4db43fa8bbb00d5f2b63b3c.img
done
-bash-4.2#

Reboot your RCDevs Virtual Appliance CentOS 7 and enter the GRUB2 boot menu. The default entries still boot without interaction (grub2-setpassword leaves them unrestricted), but the boot loader asks for the password as soon as someone tries to edit an entry or its kernel arguments, for example to append init=/bin/bash or rd.break and get a root shell. The password hash is stored in /boot/grub2/user.cfg.

3. Encrypting Configuration Passwords

This feature requires an Enterprise License; the encryption mechanism is bound to secret data in your encoded license file. Replace the cleartext passwords and keys in /opt/webadm/conf/webadm.conf and /opt/webadm/conf/servers.xml with their encrypted values, following the procedure in RCDevs Utilities and Command Line Tools for WebADM.

4. FIPS Mode

To enable FIPS mode on the RCDevs Virtual Appliance CentOS 7, do the following steps. Before adding the kernel parameter, install the dracut-fips package and rebuild the initramfs (yum install dracut-fips, then dracut -f): it provides the module integrity checks the kernel runs at boot in FIPS mode. If /boot is on a separate partition, also add boot=UUID=<uuid of the /boot partition> next to fips=1.

Add the value fips=1 to GRUB_CMDLINE_LINUX in the default GRUB file /etc/default/grub.

-bash-4.2# vi /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto fips=1 rd.lvm.lv=cl_rcvm7/root rd.lvm.lv=cl_rcvm7/swap rhgb quiet"
GRUB_DISABLE_RECOVERY="true"

Run grub2-mkconfig -o /etc/grub2.cfg to regenerate your GRUB configuration file and reboot. On BIOS systems /etc/grub2.cfg is a symlink to /boot/grub2/grub.cfg; on UEFI systems use /etc/grub2-efi.cfg instead.

-bash-4.2# grub2-mkconfig -o /etc/grub2.cfg
-bash-4.2# reboot

After rebooting, check with cat /proc/sys/crypto/fips_enabled if FIPS mode is enabled on the system.

-bash-4.2# cat /proc/sys/crypto/fips_enabled
1

For more information about FIPS, check out the official documentation at https://www.nist.gov/itl/itl-publications/federal-information-processing-standards-fips.

5. Firewall Rules

Please have a look at the RCDevs Communication Ports. It describes the ports and protocols used by RCDevs products between different components.

5.1 Firewalld CentOS 7

Firewalld is a firewall management daemon that acts as a front end to the Linux kernel's netfilter framework. It is the default on CentOS 7 and is an alternative to the iptables service; both drive the same kernel packet filter, so run only one of them.

Verify if the firewalld service is running with the command firewall-cmd --state or systemctl status firewalld.

-bash-4.2# firewall-cmd --state
running
-bash-4.2# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-01-08 16:10:15 CET; 15min ago
     Docs: man:firewalld(1)
 Main PID: 5611 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─5611 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Jan 08 16:10:14 rcvm7.local systemd[1]: Starting firewalld - dynamic firewall daemon...
Jan 08 16:10:15 rcvm7.local systemd[1]: Started firewalld - dynamic firewall daemon.

If the firewalld service is inactive then start it with systemctl start firewalld.

-bash-4.2# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Tue 2019-01-08 16:46:54 CET; 2s ago
     Docs: man:firewalld(1)
  Process: 5611 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 5611 (code=exited, status=0/SUCCESS)

Jan 08 16:10:14 rcvm7.local systemd[1]: Starting firewalld - dynamic firewall daemon...
Jan 08 16:10:15 rcvm7.local systemd[1]: Started firewalld - dynamic firewall daemon.
Jan 08 16:46:54 rcvm7.local systemd[1]: Stopping firewalld - dynamic firewall daemon...
Jan 08 16:46:54 rcvm7.local systemd[1]: Stopped firewalld - dynamic firewall daemon.
-bash-4.2# systemctl start firewalld
-bash-4.2# 

If the firewalld service has been disabled, enable it so that it starts at boot with systemctl enable firewalld, then start it with systemctl start firewalld or reboot.

-bash-4.2# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
-bash-4.2# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
-bash-4.2# reboot

To check the firewall rules, run the following command firewall-cmd --list-all.

-bash-4.2# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources: 
  services: http dhcpv6-client ldaps radius ssh https ldap
  ports: 4000/tcp 10389/tcp 8080/tcp 8443/tcp 10636/tcp 5000/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
-bash-4.2# 

For example, to remove the http service, run firewall-cmd --zone=public --remove-service=http --permanent followed by firewall-cmd --reload. Changes made with --permanent are written to the configuration but only take effect after the reload.

-bash-4.2# firewall-cmd --zone=public --remove-service=http --permanent
success
-bash-4.2# firewall-cmd --reload
success
-bash-4.2# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources: 
  services: dhcpv6-client ldaps radius ssh https ldap
  ports: 4000/tcp 10389/tcp 8080/tcp 8443/tcp 10636/tcp 5000/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
-bash-4.2#

To add http back to the firewall rules, run firewall-cmd --zone=public --add-service=http --permanent and reload.

-bash-4.2# firewall-cmd --zone=public --add-service=http --permanent
success
-bash-4.2# firewall-cmd --reload
success
-bash-4.2# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources: 
  services: dhcpv6-client ldaps radius ssh https ldap http
  ports: 4000/tcp 10389/tcp 8080/tcp 8443/tcp 10636/tcp 5000/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
-bash-4.2# 

To open an individual port such as 8834/tcp, run firewall-cmd --zone=public --add-port=8834/tcp --permanent and reload.

-bash-4.2# firewall-cmd --zone=public --add-port=8834/tcp --permanent
success
-bash-4.2# firewall-cmd --reload
success
-bash-4.2# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources: 
  services: dhcpv6-client ldaps radius ssh https ldap http
  ports: 4000/tcp 10389/tcp 8080/tcp 8443/tcp 10636/tcp 5000/tcp 8834/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	
-bash-4.2# 

For more information about the firewalld, check out the official documentation at https://firewalld.org/documentation/.
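The zone listing above is the place where unexpected exposure shows up over time (a service added for a test and never removed, a port opened for an integration that is gone). The following script is an added example, not RCDevs code: it parses the output of firewall-cmd --list-all, compares the services and ports against an allowlist, and prints the firewall-cmd calls that would remove anything else, for review before applying. The allowlist below is an assumption for illustration; take the real set of required ports for the components you run from the RCDevs Communication Ports document.

```shell
#!/bin/bash
# Added example (not RCDevs code): audit the active firewalld zone against an
# allowlist. EXPECTED_* are assumed values; derive the real ones from the
# RCDevs Communication Ports document for the components you actually run.

EXPECTED_SERVICES="ssh https ldaps radius dhcpv6-client"
EXPECTED_PORTS="4000/tcp 5000/tcp 8443/tcp 10636/tcp"

# Print the value of one key ("services" or "ports") from
# `firewall-cmd --list-all` output read on stdin.
zone_field() {
    awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ +/, ""); print }'
}

# Print every item of $2 (space separated) that is not in $1.
not_in() {
    local allowed="$1" found="$2" item
    for item in $found; do
        case " $allowed " in
            *" $item "*) ;;
            *) echo "$item" ;;
        esac
    done
}

# Read `firewall-cmd --list-all` output on stdin; print one line per
# unexpected service or port. Returns 1 when anything unexpected was found.
firewalld_audit() {
    local input services ports extra rc=0
    input=$(cat)
    services=$(printf '%s\n' "$input" | zone_field services)
    ports=$(printf '%s\n' "$input" | zone_field ports)
    extra=$(not_in "$EXPECTED_SERVICES" "$services")
    if [ -n "$extra" ]; then
        printf 'unexpected service: %s\n' $extra
        rc=1
    fi
    extra=$(not_in "$EXPECTED_PORTS" "$ports")
    if [ -n "$extra" ]; then
        printf 'unexpected port: %s\n' $extra
        rc=1
    fi
    return $rc
}

# Turn audit findings (stdin) into the firewall-cmd calls that would remove
# them. Nothing is executed: the output is meant to be reviewed first.
firewalld_fix_commands() {
    local zone="${1:-public}" prefix kind item
    while read -r prefix kind item; do
        case "$kind" in
            service:) echo "firewall-cmd --zone=$zone --remove-service=$item --permanent" ;;
            port:)    echo "firewall-cmd --zone=$zone --remove-port=$item --permanent" ;;
        esac
    done
    echo "firewall-cmd --reload"
}

# Run against the live zone only when asked; otherwise just define the
# functions so the file can be sourced or tested.
if [ "${1:-}" = "--live" ]; then
    firewall-cmd --list-all | firewalld_audit | firewalld_fix_commands
fi
```

Run it as ./firewalld-audit.sh --live and paste the printed commands once you have confirmed each listed service or port really is unneeded; against the zone shown earlier on this page it would flag http, ldap, 10389/tcp, 8080/tcp and 8834/tcp.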

5.2 Iptables CentOS 7

Stop and disable the firewalld service before installing iptables-services on CentOS 7, so that the two do not manage the same netfilter rules (systemctl stop firewalld, then systemctl disable firewalld; masking the unit with systemctl mask firewalld additionally prevents it from being pulled in as a dependency). Then install the iptables service:

-bash-4.2# systemctl disable firewalld
-bash-4.2# yum install iptables-services

Verify if the iptables service is running with the command systemctl status iptables.

-bash-4.2# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Wed 2019-01-09 10:24:25 CET; 3min 50s ago
  Process: 5560 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 5560 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/iptables.service

Jan 09 10:24:25 rcvm7.local systemd[1]: Starting IPv4 firewall with iptables...
Jan 09 10:24:25 rcvm7.local iptables.init[5560]: iptables: Applying firewall rules: [  OK  ]
Jan 09 10:24:25 rcvm7.local systemd[1]: Started IPv4 firewall with iptables.
-bash-4.2# 

If the iptables service is inactive then start it with systemctl start iptables.

-bash-4.2# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Wed 2019-01-09 10:28:55 CET; 1s ago
  Process: 6928 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
  Process: 5560 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 5560 (code=exited, status=0/SUCCESS)

Jan 09 10:24:25 rcvm7.local systemd[1]: Starting IPv4 firewall with iptables...
Jan 09 10:24:25 rcvm7.local iptables.init[5560]: iptables: Applying firewall rules: [  OK  ]
Jan 09 10:24:25 rcvm7.local systemd[1]: Started IPv4 firewall with iptables.
Jan 09 10:28:55 rcvm7.local systemd[1]: Stopping IPv4 firewall with iptables...
Jan 09 10:28:55 rcvm7.local iptables.init[6928]: iptables: Setting chains to policy ACCEPT: filter [  OK  ]
Jan 09 10:28:55 rcvm7.local iptables.init[6928]: iptables: Flushing firewall rules: [  OK  ]
Jan 09 10:28:55 rcvm7.local iptables.init[6928]: iptables: Unloading modules: [  OK  ]
Jan 09 10:28:55 rcvm7.local systemd[1]: Stopped IPv4 firewall with iptables.
-bash-4.2# systemctl start iptables
-bash-4.2#

If the iptables service has been disabled then enable it with systemctl enable iptables and reboot.

-bash-4.2# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead) since Wed 2019-01-09 10:31:43 CET; 1s ago
  Process: 7173 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
 Main PID: 7035 (code=exited, status=0/SUCCESS)

Jan 09 10:30:05 rcvm7.local systemd[1]: Starting IPv4 firewall with iptables...
Jan 09 10:30:05 rcvm7.local iptables.init[7035]: iptables: Applying firewall rules: [  OK  ]
Jan 09 10:30:05 rcvm7.local systemd[1]: Started IPv4 firewall with iptables.
Jan 09 10:31:43 rcvm7.local systemd[1]: Stopping IPv4 firewall with iptables...
Jan 09 10:31:43 rcvm7.local iptables.init[7173]: iptables: Setting chains to policy ACCEPT: filter [  OK  ]
Jan 09 10:31:43 rcvm7.local iptables.init[7173]: iptables: Flushing firewall rules: [  OK  ]
Jan 09 10:31:43 rcvm7.local iptables.init[7173]: iptables: Unloading modules: [  OK  ]
Jan 09 10:31:43 rcvm7.local systemd[1]: Stopped IPv4 firewall with iptables.
-bash-4.2# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
-bash-4.2# 

Verify your firewall rules with the following command iptables -nvL.

-bash-4.2# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

In this case the firewall is wide open. To close the INPUT, FORWARD and OUTPUT chains, set their default policy to DROP. Do this from the console rather than over SSH: with only DROP policies in place the next packet of your SSH session is discarded as well, and you are locked out until rules allowing established connections are added.

-bash-4.2# iptables -P INPUT DROP
-bash-4.2# iptables -P FORWARD DROP
-bash-4.2# iptables -P OUTPUT DROP
-bash-4.2# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Now the firewall is completely closed. The following script allows incoming SSH and WebADM HTTPS, outgoing DNS and push connections (TCP 7000 to the RCDevs push server), and disables IPv6; everything else stays dropped:

-bash-4.2# vi flock 
#!/bin/bash
# Minimal host firewall for a WebADM server: default policy DROP on every
# chain, then allow only loopback, inbound SSH and HTTPS, outbound DNS and
# push (TCP 7000), plus the return traffic of established connections.

MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
SYSCTL="/sbin/sysctl"

# Connection tracking is required by the ESTABLISHED rules below.
$MODPROBE nf_conntrack
# TCP/IP stack hardening (SYN cookies, no broadcast ping replies,
# reverse-path filtering, no source-routed packets).
$SYSCTL -w net.ipv4.tcp_syncookies=1
$SYSCTL -w net.ipv4.icmp_echo_ignore_broadcasts=1
$SYSCTL -w net.ipv4.conf.all.rp_filter=1
$SYSCTL -w net.ipv4.conf.all.accept_source_route=0

# IPv6 is not used on this host: switch it off in the kernel.
$SYSCTL -w net.ipv6.conf.all.disable_ipv6=1
$SYSCTL -w net.ipv6.conf.default.disable_ipv6=1

# Default-deny on all IPv4 chains, then flush any leftover rules.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -F

# Same for IPv6, so nothing gets through even if it is re-enabled.
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP
$IP6TABLES -F

# Loopback traffic is always allowed.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Inbound: new SSH and WebADM HTTPS connections.
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT

# Outbound: DNS lookups.
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

# Outbound: RCDevs push server (TCP 7000).
$IPTABLES -A OUTPUT -p tcp --dport 7000 --syn -m state --state NEW -j ACCEPT

# Return traffic of the connections accepted above.
$IPTABLES -A INPUT -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED -j ACCEPT

-bash-4.2# chmod 700 flock
-bash-4.2# ./flock
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
-bash-4.2# iptables -nvL
Chain INPUT (policy DROP 97 packets, 22252 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  759  179K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    1    64 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x17/0x02 state NEW
    6   384 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 flags:0x17/0x02 state NEW
  268 28813 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 18 packets, 1220 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  759  179K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
   30  1905 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 state NEW
    2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7000 flags:0x17/0x02 state NEW
  205 89004 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED

Saving your firewall rules can be done as follows:

-bash-4.2# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

For more information about the iptables, check out the official documentation at https://netfilter.org/documentation/.

5.3 Iptables Ubuntu 18.04

Ubuntu has no iptables-services package; apply the same script at boot with a small systemd unit that runs before the network comes up, as follows:

-bash-4.2# vi flock 
#!/bin/bash
# Minimal host firewall for a WebADM server: default policy DROP on every
# chain, then allow only loopback, inbound SSH and HTTPS, outbound DNS and
# push (TCP 7000), plus the return traffic of established connections.

MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
SYSCTL="/sbin/sysctl"

# Connection tracking is required by the ESTABLISHED rules below.
$MODPROBE nf_conntrack
# TCP/IP stack hardening (SYN cookies, no broadcast ping replies,
# reverse-path filtering, no source-routed packets).
$SYSCTL -w net.ipv4.tcp_syncookies=1
$SYSCTL -w net.ipv4.icmp_echo_ignore_broadcasts=1
$SYSCTL -w net.ipv4.conf.all.rp_filter=1
$SYSCTL -w net.ipv4.conf.all.accept_source_route=0

# IPv6 is not used on this host: switch it off in the kernel.
$SYSCTL -w net.ipv6.conf.all.disable_ipv6=1
$SYSCTL -w net.ipv6.conf.default.disable_ipv6=1

# Default-deny on all IPv4 chains, then flush any leftover rules.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -F

# Same for IPv6, so nothing gets through even if it is re-enabled.
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP
$IP6TABLES -F

# Loopback traffic is always allowed.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Inbound: new SSH and WebADM HTTPS connections.
$IPTABLES -A INPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT

# Outbound: DNS lookups.
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

# Outbound: RCDevs push server (TCP 7000).
$IPTABLES -A OUTPUT -p tcp --dport 7000 --syn -m state --state NEW -j ACCEPT

# Return traffic of the connections accepted above.
$IPTABLES -A INPUT -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED -j ACCEPT

-bash-4.2# chmod 500 flock
-bash-4.2# cp flock /etc/network
-bash-4.2# vi flock-rules.service
[Unit]
Description=Apply firewall rules
# network-pre.target is a passive target (see systemd.special(7)): nothing
# pulls it in by itself, so the unit must want it and order itself before
# it for the rules to be loaded before any interface is configured.
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
# Keep the unit active after the script exits, so systemd does not report
# the firewall as stopped and `systemctl restart` re-applies the rules.
RemainAfterExit=yes
ExecStart=/etc/network/flock

[Install]
WantedBy=multi-user.target
-bash-4.2# chmod 600 flock-rules.service 
-bash-4.2# cp flock-rules.service /etc/systemd/system/flock-rules.service
-bash-4.2# systemctl daemon-reload
-bash-4.2# systemctl enable flock-rules.service
Created symlink /etc/systemd/system/multi-user.target.wants/flock-rules.service → /etc/systemd/system/flock-rules.service.
-bash-4.2# reboot

For more information about the iptables, check out the official documentation at https://netfilter.org/documentation/.

5.4 UFW Ubuntu 18.04

The default firewall configuration tool for Ubuntu is UFW (Uncomplicated Firewall). Check whether it is active with ufw status and, if it is inactive, enable it with ufw enable. UFW's default policy denies incoming connections, so when you administer the host over SSH add the SSH rule (ufw allow ssh, shown below) before running ufw enable; otherwise the warning printed by ufw enable comes true and your session is cut.

-bash-4.2# ufw status
Status: inactive
-bash-4.2# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
-bash-4.2# 

To add ssh to the firewall rules run the following command ufw allow ssh and check the status with ufw status numbered.

-bash-4.2# ufw allow ssh
Rule added
Rule added (v6)
-bash-4.2# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 22/tcp (v6)                ALLOW IN    Anywhere (v6)

-bash-4.2# 

To remove a UFW rule, delete it by the number shown in ufw status numbered (here the IPv6 copy of the SSH rule):

-bash-4.2# ufw delete 2
Deleting:
 allow 22/tcp
Proceed with operation (y|n)? y
Rule deleted (v6)
-bash-4.2# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  

-bash-4.2# 

To add a port like 4000/tcp to the firewall rules run the following command ufw allow 4000/tcp.

-bash-4.2#  ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  

-bash-4.2#  ufw allow 4000/tcp
Rule added
Rule added (v6)
-bash-4.2#  ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 4000/tcp                   ALLOW IN    Anywhere                  
[ 3] 4000/tcp (v6)              ALLOW IN    Anywhere (v6)             

-bash-4.2#  ufw delete 3
Deleting:
 allow 4000/tcp
Proceed with operation (y|n)? y
Rule deleted (v6)
-bash-4.2#  ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 4000/tcp                   ALLOW IN    Anywhere                  

-bash-4.2# 

For more information about the UFW, check out the official documentation at https://wiki.ubuntu.com/UncomplicatedFirewall.

5.5 HA Cluster Firewall Rules

Here is an example of iptables firewall rules for a high availability cluster with 4 nodes. The WebADM Master (PKI Role) needs only incoming TCP 5000 port and the WebADM Slaves (PKI Clients) need only outgoing TCP 5000 port. Adjust the firewall rules to your needs.

For troubleshooting you can log accepted and dropped packets with -j LOG --log-prefix "IPTables-Accepted-443-I: " --log-level 5. LOG is a non-terminating target, so the logging rule must be followed by the ACCEPT or DROP rule for the same traffic. Adding -m limit --limit 2/min caps logging at two entries per minute (the unit can also be second, hour or day); without a limit, a burst of dropped packets fills the log. Under Ubuntu 18.04 the entries go to /var/log/kern.log, under CentOS 7.6 to /var/log/messages; follow them with tail -f on that file.

To restrict outgoing DNS to one resolver, add -d 8.8.8.8 (Google DNS here as an example). To restrict incoming SSH to one administrative host, add -s 192.168.3.233. A source range such as 192.168.3.80-192.168.3.83 is matched with -m iprange --src-range 192.168.3.80-192.168.3.83, and a destination range with -m iprange --dst-range 192.168.3.80-192.168.3.83.

The sysctl settings at the top of the script harden the TCP/IP stack: net.ipv4.tcp_syncookies=1 protects against SYN floods, net.ipv4.icmp_echo_ignore_broadcasts=1 ignores broadcast pings and so limits the damage of smurf attacks, net.ipv4.conf.all.rp_filter=1 enables reverse-path filtering against some spoofing attacks, and net.ipv4.conf.all.accept_source_route=0 rejects source-routed packets, which a host that is not a router never needs.

-bash-4.2# vi flock 
#!/bin/bash

MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
SYSCTL="/sbin/sysctl"

$MODPROBE nf_conntrack
$SYSCTL -w net.ipv4.tcp_syncookies=1
$SYSCTL -w net.ipv4.icmp_echo_ignore_broadcasts=1
$SYSCTL -w net.ipv4.conf.all.rp_filter=1
$SYSCTL -w net.ipv4.conf.all.accept_source_route=0

$SYSCTL -w net.ipv6.conf.all.disable_ipv6=1
$SYSCTL -w net.ipv6.conf.default.disable_ipv6=1

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -F

$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP
$IP6TABLES -F

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Log Accepted Packets
# SSH
$IPTABLES -A INPUT -p tcp --dport 22 -s 192.168.3.233 --syn -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-22-I: " --log-level 5
# WebADM httpd
#$IPTABLES -A INPUT -p tcp --dport 80 --syn -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-80-I: " --log-level 5
#$IPTABLES -A INPUT -p tcp --dport 8080 --syn -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-8080-I: " --log-level 5
$IPTABLES -A INPUT -p tcp --dport 443 --syn -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-443-I: " --log-level 5
$IPTABLES -A INPUT -p tcp --dport 8443 --syn -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-8443-I: " --log-level 5

# WebADM Session
$IPTABLES -A INPUT -p tcp --dport 4000 -m iprange --src-range 192.168.3.80-192.168.3.83 --syn -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-4000-I: " --log-level 5
# WebADM PKI
$IPTABLES -A INPUT -p tcp --dport 5000 -m iprange --src-range 192.168.3.80-192.168.3.83 --syn -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-5000-I: " --log-level 5
# LDAP
$IPTABLES -A INPUT -p tcp --dport 389 -m iprange --src-range 192.168.3.80-192.168.3.83 --syn -m state --state NEW  -j LOG --log-prefix "IPTables-Accepted-389-I: " --log-level 5
#$IPTABLES -A INPUT -p tcp --dport 636 -m iprange --src-range 192.168.3.80-192.168.3.83 --syn -m state --state NEW  -j LOG --log-prefix "IPTables-Accepted-636-I: " --log-level 5
# MYSQL
$IPTABLES -A INPUT -p tcp --dport 3306 -m iprange --src-range 192.168.3.80-192.168.3.83 --syn -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-3306-I: " --log-level 5

# DNS UDP
$IPTABLES -A OUTPUT -p udp --dport 53 -d 192.168.3.1 -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-53-O: " --log-level 5
# NTP UDP
$IPTABLES -A OUTPUT -p udp --dport 123 -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-123-O: " --log-level 5

# SSH
$IPTABLES -A OUTPUT -p tcp --dport 22 -m iprange --dst-range 192.168.3.80-192.168.3.83 --syn -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-22-O: " --log-level 5
# Mail SMTP Server
$IPTABLES -A OUTPUT -p tcp --dport 25 -d 78.141.172.203 --syn -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-25-O: " --log-level 5
# WebADM httpd
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-80-O: " --log-level 5
#$IPTABLES -A OUTPUT -p tcp --dport 8080 --syn -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-8080-O: " --log-level 5
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-443-O: " --log-level 5
#$IPTABLES -A OUTPUT -p tcp --dport 8443 --syn -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-8443-O: " --log-level 5
# WebADM Session
$IPTABLES -A OUTPUT -p tcp --dport 4000 -m iprange --dst-range 192.168.3.80-192.168.3.83 --syn -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-4000-O: " --log-level 5
# WebADM PKI
#$IPTABLES -A OUTPUT -p tcp --dport 5000 -m iprange --dst-range 192.168.3.80-192.168.3.83 --syn -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-5000-O: " --log-level 5
# LDAP
$IPTABLES -A OUTPUT -p tcp --dport 389 -m iprange --dst-range 192.168.3.80-192.168.3.83 --syn -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-389-O: " --log-level 5
#$IPTABLES -A OUTPUT -p tcp --dport 636 -m iprange --dst-range 192.168.3.80-192.168.3.83 --syn -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-636-O: " --log-level 5
# MYSQL
$IPTABLES -A OUTPUT -p tcp --dport 3306 -m iprange --dst-range 192.168.3.80-192.168.3.83 --syn -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-3306-O: " --log-level 5
# PUSH Server
$IPTABLES -A OUTPUT -p tcp --dport 7000 -d 91.134.128.157 --syn -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-7000-O: " --log-level 5
# License Server
$IPTABLES -A OUTPUT -p tcp --dport 7001 -d 91.134.128.157 --syn -m state --state NEW -j LOG --log-prefix "IPTables-Accepted-7001-O: " --log-level 5


# SSH
$IPTABLES -A INPUT -p tcp --dport 22 -s 192.168.3.233 --syn -m state --state NEW -j ACCEPT
# WebADM httpd
#$IPTABLES -A INPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 8080 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 8443 --syn -m state --state NEW -j ACCEPT

# WebADM Session
$IPTABLES -A INPUT -p tcp --dport 4000 -m iprange --src-range 192.168.3.80-192.168.3.83 --syn -m state --state NEW -j ACCEPT
# WebADM PKI
$IPTABLES -A INPUT -p tcp --dport 5000 -m iprange --src-range 192.168.3.80-192.168.3.83 --syn -m state --state NEW -j ACCEPT
# LDAP
$IPTABLES -A INPUT -p tcp --dport 389 -m iprange --src-range 192.168.3.80-192.168.3.83 --syn -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 636 -m iprange --src-range 192.168.3.80-192.168.3.83 --syn -m state --state NEW -j ACCEPT
# MYSQL
$IPTABLES -A INPUT -p tcp --dport 3306 -m iprange --src-range 192.168.3.80-192.168.3.83 --syn -m state --state NEW -j ACCEPT


# DNS UDP
$IPTABLES -A OUTPUT -p udp --dport 53 -d 192.168.3.1 -m state --state NEW -j ACCEPT
# NTP UDP
$IPTABLES -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT

# SSH
$IPTABLES -A OUTPUT -p tcp --dport 22 -m iprange --dst-range 192.168.3.80-192.168.3.83 --syn -m state --state NEW -j ACCEPT
# Mail SMTP Server
$IPTABLES -A OUTPUT -p tcp --dport 25 -d 78.141.172.203 --syn -m state --state NEW -j ACCEPT
# WebADM httpd
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --dport 8080 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --dport 8443 --syn -m state --state NEW -j ACCEPT
# WebADM Session
$IPTABLES -A OUTPUT -p tcp --dport 4000 -m iprange --dst-range 192.168.3.80-192.168.3.83 --syn -m state --state NEW -j ACCEPT
# WebADM PKI
#$IPTABLES -A OUTPUT -p tcp --dport 5000 -m iprange --dst-range 192.168.3.80-192.168.3.83 --syn -m state --state NEW -j ACCEPT
# LDAP
$IPTABLES -A OUTPUT -p tcp --dport 389 -m iprange --dst-range 192.168.3.80-192.168.3.83 --syn -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --dport 636 -m iprange --dst-range 192.168.3.80-192.168.3.83 --syn -m state --state NEW -j ACCEPT
# MYSQL
$IPTABLES -A OUTPUT -p tcp --dport 3306 -m iprange --dst-range 192.168.3.80-192.168.3.83 --syn -m state --state NEW -j ACCEPT
# PUSH Server
$IPTABLES -A OUTPUT -p tcp --dport 7000 -d 91.134.128.157 --syn -m state --state NEW -j ACCEPT
# License Server
$IPTABLES -A OUTPUT -p tcp --dport 7001 -d 91.134.128.157 --syn -m state --state NEW -j ACCEPT

$IPTABLES -A INPUT -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED -j ACCEPT


# Log Dropped Packets
$IPTABLES -N LOGGING
$IPTABLES -A INPUT -j LOGGING
$IPTABLES -A OUTPUT -j LOGGING
#$IPTABLES -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
$IPTABLES -A LOGGING -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
$IPTABLES -A LOGGING -j DROP

-bash-4.2# chmod 700 flock
-bash-4.2# ./flock
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
-bash-4.2# iptables -nvL

For more information about the iptables, check out the official documentation at https://netfilter.org/documentation/.
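The flock scripts on this page set the DROP policies first and append the ACCEPT rules one by one, so there is a short window with no rules at all, and a typo in a later line leaves the host half-configured. The following script is an added example, not RCDevs code, that builds the same cluster rule set as an iptables-restore file, parse-checks it, and loads it in one atomic step; it also moves the ESTABLISHED rule to the top and adds RELATED so return traffic is matched first. The role argument expresses the master/slave PKI asymmetry described above. The addresses and ranges are the illustrative values used on this page and the file locations are those of iptables-services (CentOS 7) and iptables-persistent (Ubuntu 18.04); all of them are assumptions to adjust to the real deployment.

```shell
#!/bin/bash
# Added example (not RCDevs code): the HA cluster rule set written as an
# iptables-restore file and loaded atomically. Addresses are the ones used
# on this page and are assumed; adjust them to your deployment.

ADMIN_HOST="192.168.3.233"                 # host allowed to open SSH sessions
CLUSTER_RANGE="192.168.3.80-192.168.3.83"  # the WebADM cluster nodes
DNS_SERVER="192.168.3.1"
RCDEVS_SERVER="91.134.128.157"             # push (TCP 7000) and license (TCP 7001)

# Emit the complete filter table in iptables-save format on stdout.
# $1 is the node role: "master" (PKI server, accepts TCP 5000 from the
# cluster) or "slave" (PKI client, connects out to TCP 5000).
gen_rules() {
    local role="${1:-slave}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
# loopback and return traffic first: an admin session stays up while the
# table is evaluated, and the common case is matched early
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# inbound: SSH only from the admin host, WebADM HTTPS from anywhere,
# session, LDAP and MySQL only from the other cluster nodes
-A INPUT -p tcp --dport 22 -s $ADMIN_HOST --syn -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 8443 --syn -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 4000 -m iprange --src-range $CLUSTER_RANGE --syn -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 389 -m iprange --src-range $CLUSTER_RANGE --syn -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 3306 -m iprange --src-range $CLUSTER_RANGE --syn -m conntrack --ctstate NEW -j ACCEPT
EOF
    # PKI: the master accepts TCP 5000 from the cluster, slaves connect out
    if [ "$role" = master ]; then
        echo "-A INPUT -p tcp --dport 5000 -m iprange --src-range $CLUSTER_RANGE --syn -m conntrack --ctstate NEW -j ACCEPT"
    else
        echo "-A OUTPUT -p tcp --dport 5000 -m iprange --dst-range $CLUSTER_RANGE --syn -m conntrack --ctstate NEW -j ACCEPT"
    fi
    cat <<EOF
# outbound: DNS to one resolver, NTP, cluster peers, RCDevs push and license
-A OUTPUT -p udp --dport 53 -d $DNS_SERVER -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 22 -m iprange --dst-range $CLUSTER_RANGE --syn -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 4000 -m iprange --dst-range $CLUSTER_RANGE --syn -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 389 -m iprange --dst-range $CLUSTER_RANGE --syn -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 3306 -m iprange --dst-range $CLUSTER_RANGE --syn -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 7000 -d $RCDEVS_SERVER --syn -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 7001 -d $RCDEVS_SERVER --syn -m conntrack --ctstate NEW -j ACCEPT
# everything else: rate-limited log, then drop
-A INPUT -j LOGGING
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
-A LOGGING -j DROP
COMMIT
EOF
}

# Parse-check the rule set without touching the kernel, load it in one
# atomic step, then save it where the distribution's service reloads it.
apply_rules() {
    local role="${1:-slave}" tmp
    tmp=$(mktemp) || return 1
    gen_rules "$role" >"$tmp"
    if ! iptables-restore --test "$tmp"; then
        echo "rule set rejected by iptables-restore --test, nothing applied" >&2
        rm -f "$tmp"
        return 1
    fi
    iptables-restore "$tmp"
    if [ -d /etc/sysconfig ]; then          # CentOS 7, iptables-services
        cp "$tmp" /etc/sysconfig/iptables
    elif [ -d /etc/iptables ]; then         # Ubuntu 18.04, iptables-persistent
        cp "$tmp" /etc/iptables/rules.v4
    fi
    rm -f "$tmp"
}

# Usage when run directly: ./cluster-rules.sh master|slave
if [ "${1:-}" = master ] || [ "${1:-}" = slave ]; then
    apply_rules "$1"
fi
```

When applying over SSH, keep a way back: save the running rules with iptables-save > /root/rules.before, start a background rollback such as (sleep 180; iptables-restore /root/rules.before) & before calling the script, and kill that job once you have confirmed the new rules still let you in.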

6. PKI Server

WebADM includes its own PKI server (RSign) for issuing user certificates. On the RCDevs Virtual Appliance the PKI shared secret defaults to secret. Change it to a long random value in both /opt/webadm/conf/rsignd.conf (the client section) and /opt/webadm/conf/servers.xml (the secret attribute of PkiServer); the two must match, and in cluster mode every WebADM server that uses the PKI must be declared as a client in rsignd.conf. Afterwards, restart WebADM with the /opt/webadm/bin/webadm restart command.

-bash-4.2#  vi /opt/webadm/conf/rsignd.conf
#
# WebADM PKI Server Configuration
#
...
#
# Client sections
#
# Declare here the Rsign clients with IP addresses or hostnames.
# In cluster mode, the client WebADM server(s) must be defined here!

client {
 hostname localhost
 secret secret
}

-bash-4.2#  vi /opt/webadm/conf/servers.xml
<?xml version="1.0" encoding="UTF-8" ?>

<Servers>

<!--
******************************************
***  WebADM Remote Server Connections  ***
******************************************
...

<!--
A PKI server (or CA) is required for signing user certificates.
The RSign PKI server is included in WebADM. So you can keep the
default settings here.
-->

<PkiServer name="PKI Server"
	host="192.168.3.80"
	port="5000"
	secret="secret"
	ca_file="" />
	
-bash-4.2# /opt/webadm/bin/webadm restart
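Once the items above are done, a repeatable check is worth more than a memory of having done them. The script below is an added example, not RCDevs code: it verifies the hardening steps of this page that leave a file-level trace, namely FIPS mode, the GRUB2 password (the hash grub2-setpassword writes to /boot/grub2/user.cfg), the shipped PKI secret in rsignd.conf and servers.xml, and root login over SSH from the overview. The optional root-directory argument lets it run against a staging copy of the filesystem; the paths are the ones named on this page, and the expectation of a single global PermitRootLogin directive in sshd_config is an assumption.

```shell
#!/bin/bash
# Added example (not RCDevs code): post-hardening audit of the items on this
# page. Every check takes an optional root directory so it can run against a
# copied tree instead of the live system.

# Report one finding on stdout; returns 1 so callers can count failures.
finding() { printf 'FAIL: %s\n' "$1"; return 1; }

# Section 4: the kernel must report FIPS mode enabled.
check_fips() {
    local root="${1:-}"
    [ "$(cat "$root/proc/sys/crypto/fips_enabled" 2>/dev/null)" = 1 ] \
        || finding "FIPS mode is not enabled"
}

# Section 2: grub2-setpassword stores a PBKDF2 hash in user.cfg, which
# grub2-mkconfig pulls into grub.cfg. No hash means no boot loader password.
check_grub_password() {
    local root="${1:-}"
    grep -q '^GRUB2_PASSWORD=grub\.pbkdf2' "$root/boot/grub2/user.cfg" 2>/dev/null \
        || finding "no GRUB2 password hash in /boot/grub2/user.cfg"
}

# Section 6: neither PKI configuration file may still carry the shipped
# secret value "secret".
check_pki_secret() {
    local root="${1:-}" rc=0
    if grep -Eq '^[[:space:]]*secret[[:space:]]+secret[[:space:]]*$' \
            "$root/opt/webadm/conf/rsignd.conf" 2>/dev/null; then
        finding "rsignd.conf client still uses the default secret"
        rc=1
    fi
    if grep -Eq 'secret="secret"' "$root/opt/webadm/conf/servers.xml" 2>/dev/null; then
        finding "servers.xml PkiServer still uses the default secret"
        rc=1
    fi
    return $rc
}

# Overview: root must not log in over SSH. Assumes one global directive
# (Match blocks are not evaluated here).
check_ssh_root() {
    local root="${1:-}"
    grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+no' "$root/etc/ssh/sshd_config" 2>/dev/null \
        || finding "PermitRootLogin is not set to no in /etc/ssh/sshd_config"
}

# Run every check; the exit status is the number of failed checks.
audit() {
    local root="${1:-}" failed=0 c
    for c in check_fips check_grub_password check_pki_secret check_ssh_root; do
        "$c" "$root" || failed=$((failed + 1))
    done
    echo "$failed check(s) failed"
    return $failed
}

# Audit the running system when invoked as ./webadm-audit.sh --live;
# otherwise only define the functions so the file can be sourced.
if [ "${1:-}" = "--live" ]; then
    audit ""
fi
```

A non-zero exit status makes the script usable from a configuration-management run or a cron job that mails the FAIL lines; extend the list in audit with further checks (default RADIUS secret, database credentials) as you work through the remaining sections.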

7. RADIUS Client

If you are using RADIUS, remove the default client definition, which accepts requests from every address. Use a long random string as each client's shared secret: the security of the RADIUS protocol depends entirely on it, and the shipped default is public. Declare one client block per NAS with its own address and secret.

-bash-4.2# vi /opt/radiusd/conf/clients.conf
#  Define RADIUS clients (usually a NAS, Access Point, etc.).
#
#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
#  to allow testing of the server after an initial installation.  If you
#  are not going to be permitting RADIUS queries from localhost, we suggest
#  that you delete, or comment out, this entry.
#
#  Each client has a "short name" that is used to distinguish it from
#  other clients.
#
#  In version 1.x, the string after the word "client" was the IP
#  address of the client.  In 2.0, the IP address is configured via
#  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
#  format is still accepted.

#client localhost {
	#  Only *one* of ipaddr, ipv4addr, ipv6addr may be specified for
	#  a client.
	#
	#  ipaddr will accept IPv4 or IPv6 addresses with optional CIDR
	#  notation '/<mask>' to specify ranges.
	#
	#  ipaddr will accept domain names e.g. example.org resolving
	#  them via DNS.
	#
	#  If both A and AAAA records are found, A records will be
	#  used in preference to AAAA.
	#ipaddr = 127.0.0.1

	#  Same as ipaddr but allows v4 addresses only. Requires A
	#  record for domain names.
	#ipv4addr = *	# any.  127.0.0.1 == localhost

	#  Same as ipaddr but allows v6 addresses only. Requires AAAA
	#  record for domain names.
	#ipv6addr = ::	# any.  ::1 == localhost

	#  The shared secret used to "encrypt" and "sign" packets between
	#  the NAS and FreeRADIUS.  You MUST change this secret from the
	#  default, otherwise it's not a secret any more!
	#
	#  The secret can be any string, up to 8k characters in length.
	#
	#  Control codes can be entered via octal encoding,
	#	e.g. "\101\102" == "AB"
	#  Quotation marks can be entered by escaping them,
	#	e.g. "foo\"bar"
	#
	#  A note on security:  The security of the RADIUS protocol
	#  depends COMPLETELY on this secret!  We recommend using a
	#  shared secret that is composed of:
	#
	#	upper case letters
	#	lower case letters
	#	numbers
	#
	#  And is at LEAST 8 characters long, preferably 16 characters in
	#  length.  The secret MUST be random, and should not be words,
	#  phrase, or anything else that is recognisable.
	#
	#  The default secret below is only for testing, and should
	#  not be used in any real environment.
	#
	#secret = testing123

	#  Old-style clients do not send a Message-Authenticator
	#  in an Access-Request.  RFC 5080 suggests that all clients
	#  SHOULD include it in an Access-Request.  The configuration
	#  item below allows the server to require it.  If a client
	#  is required to include a Message-Authenticator and it does
	#  not, then the packet will be silently discarded.
	#
	#  allowed values: yes, no
	#require_message_authenticator = no

	#
	#  The short name is used as an alias for the fully qualified
	#  domain name, or the IP address.
	#
	#  It is accepted for compatibility with 1.x, but it is no
	#  longer necessary in >= 2.0
	#
	#shortname = localhost
#}

# IPv6 Client
#client localhost_ipv6 {
#	ipv6addr	= ::1
#	secret		= testing123
#}

# DNS client
#client example.org {
#	ipaddr		= radius.example.org
#	secret		= testing123
#}

# Default client (Radius Bridge allows any client to connect)
client any {
        ipaddr = *
        secret = testing123
}

Therefore, restrict the client definition to the IP address of your RADIUS client (for example your VPN gateway) and set a strong shared RADIUS secret. On the VPN side, configure a RADIUS server with the Radius Bridge server's IP address and the same secret.

# Restricted client (only the VPN gateway may send RADIUS requests).
# Replace the placeholder with a long random secret, configured identically on the VPN side.
client any {
        ipaddr = 192.168.0.10
        secret = <strong-random-secret>
}
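To verify that no client block still has the weaknesses removed above, here is an added example (not RCDevs' code) that parses the active client blocks of a FreeRADIUS clients.conf and flags wildcard addresses, the shipped testing123 secret and secrets below the strength advice quoted in the file's own comments; the sample file content is constructed for the demonstration.

```python
"""Audit a FreeRADIUS clients.conf for wildcard clients and weak secrets.

Added example, not RCDevs' or FreeRADIUS' code. Only uncommented
'client name { ... }' blocks are considered, as the server would.
"""
import re

# Constructed sample: the shipped default block plus one restricted client.
SAMPLE_CLIENTS_CONF = """\
#client localhost {
#	ipaddr = 127.0.0.1
#	secret = testing123
#}

# Default client (Radius Bridge allows any client to connect)
client any {
        ipaddr = *
        secret = testing123
}

client vpn {
        ipaddr = 192.168.0.10
        secret = "x9Kq2mT7vB4nR8wL"
}
"""

DEFAULT_SECRET = "testing123"
WILDCARDS = {"*", "::", "0.0.0.0/0", "::/0"}


def parse_clients(text):
    """Return {client_name: {key: value}} for the uncommented client blocks."""
    clients, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"client\s+(\S+)\s*\{$", line)
        if m:
            current = m.group(1)
            clients[current] = {}
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            clients[current][key] = value.strip('"')
    return clients


def audit_client(name, attrs):
    """Return the list of findings for one client block."""
    findings = []
    for key in ("ipaddr", "ipv4addr", "ipv6addr"):
        if attrs.get(key) in WILDCARDS:
            findings.append(f"{name}: {key} = {attrs[key]} accepts any client")
    secret = attrs.get("secret", "")
    if secret == DEFAULT_SECRET:
        findings.append(f"{name}: default secret '{DEFAULT_SECRET}' in use")
    elif len(secret) < 16:
        findings.append(f"{name}: secret shorter than 16 characters")
    elif not (re.search(r"[A-Z]", secret) and re.search(r"[a-z]", secret)
              and re.search(r"[0-9]", secret)):
        findings.append(f"{name}: secret lacks upper/lower/digit mix")
    return findings


def audit(text):
    """Audit every client block and return all findings."""
    findings = []
    for name, attrs in parse_clients(text).items():
        findings.extend(audit_client(name, attrs))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CLIENTS_CONF):
        print("WARNING:", finding)
```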

8. RCDevs Directory Server

On the RCDevs Virtual Appliance, the default password for the RCDevs Directory Server (slapd) is password. To change it, log into the WebADM GUI, select the Super Administrator (in this case admin) and click on Change password.


Finally, log out and log in with the new LDAP Administrator password.

9. Reset Root Password RCDevs-VM

If you have changed and forgotten the root password of your RCDevs Virtual Appliance, follow these steps. Note that editing the kernel arguments is exactly what the GRUB2 password from section 2 protects against, so if one is set you will be asked for it first.

9.1 RCDevs-VM CentOS 6

Boot your RCDevs Virtual Appliance CentOS 6 machine. Press any key to enter the GRUB boot menu. From the GRUB menu, press the a key to modify the kernel arguments before booting. Append the parameter single to the end of the kernel line (the one containing ro root=/dev/sda1...). Press ENTER to boot the system with the new argument. Once the system has booted into single-user mode, change the root password with the passwd command, then reboot the RCDevs Virtual Appliance.

Now, you can login as root with your new password.

9.2 RCDevs-VM CentOS 7

Boot your RCDevs Virtual Appliance CentOS 7 machine. From the GRUB menu, select the appropriate kernel version and press the e key. Scroll down to the line beginning with linux16... and append the parameters rd.break enforcing=0 to the end of it. Press Ctrl-x to boot the system with the new arguments. When the system drops into the emergency shell, type the following commands to change the root password:

switch_root:/# mount -o remount,rw /sysroot
switch_root:/# chroot /sysroot
sh-4.2# passwd
sh-4.2# exit
switch_root:/# reboot

Now, you can log in as root with your new password.

10. Secure MySQL/MariaDB Databases

After installing MySQL/MariaDB, run the script mysql_secure_installation. It asks you to set the root password, removes the anonymous user that lets anyone log in without an account, disallows remote logins with the root account and removes the test database that any user can access.

-bash-4.2# mysql_secure_installation 

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

You already have a root password set, so you can safely answer 'n'.

Change the root password? [Y/n] 
New password: 
Re-enter new password: 
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] 
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] 
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] 
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] 
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
-bash-4.2#

11. SSH Access

To disable root SSH access, edit /etc/ssh/sshd_config and add or edit the line PermitRootLogin no. To allow users to log in with public key authentication only, add or edit the line PasswordAuthentication no (make sure the administrators' public keys are installed first). Limit the ciphers and Message Authentication Codes (MACs) to FIPS-approved algorithms; counter (CTR) mode is preferred over cipher-block chaining (CBC) mode. Therefore, add or edit the lines Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc and Macs hmac-sha1,hmac-sha2-256,hmac-sha2-512.

-bash-4.2# vi /etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
...
# Ciphers and keying
#RekeyLimit default none
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Macs hmac-sha1,hmac-sha2-256,hmac-sha2-512
...

Afterward, don't forget to restart the SSHD service with the command systemctl restart sshd or simply reboot your OS. Keep your current session open and test a new login from a second terminal before closing it, so that a mistake in the configuration does not lock you out.
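A pitfall with "add/edit the following line": sshd uses the first value it finds for a keyword and ignores later duplicates, so a hardened line appended at the end of the file is silently overridden by an earlier one. The following added example (not RCDevs' code) reproduces that rule on a constructed sshd_config and compares the effective global values with the settings requested above.

```python
"""Check the effective global sshd_config values for the directives above.

Added example, not RCDevs' code. Rules reproduced: keywords are
case-insensitive, the FIRST occurrence wins, and everything after the
first 'Match' line is conditional and therefore not a global setting.
"""

EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "ciphers": "aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,"
               "aes192-cbc,aes256-cbc",
    "macs": "hmac-sha1,hmac-sha2-256,hmac-sha2-512",
}

# Constructed sample: the hardened lines were appended at the end, but an
# earlier 'PermitRootLogin yes' and a 'Match' block make them ineffective.
SAMPLE_SSHD_CONFIG = """\
#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Macs hmac-sha1,hmac-sha2-256,hmac-sha2-512
Match User backup
    PasswordAuthentication no
PermitRootLogin no
PasswordAuthentication no
"""


def effective_global(text):
    """Return {keyword: first value} for the global section of sshd_config."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # 'Keyword value' or 'Keyword=value' are both accepted by sshd.
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":            # everything below is conditional
            break
        if len(parts) == 2 and key not in values:
            values[key] = parts[1].strip()
    return values


def check(text, expected=EXPECTED):
    """Return {keyword: (effective, expected)} for directives that differ."""
    got = effective_global(text)
    return {k: (got.get(k), v) for k, v in expected.items()
            if (got.get(k) or "").lower() != v}


if __name__ == "__main__":
    for key, (got, want) in check(SAMPLE_SSHD_CONFIG).items():
        print(f"{key}: effective={got!r} expected={want!r}")
```

On a real host, sshd -T prints the effective values and is the authoritative check.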

12. Trusted SSL/TLS Certificates

You can use your own SSL certificates instead of the pre-generated ones. Please follow this doc RCDevs Trusted Certificate.

13. SSL/TLS Ciphersuite

In the default configuration, several SSL/TLS versions and ciphers are supported to maintain compatibility with older clients. You can enable or disable them with the settings in /opt/webadm/conf/webadm.env (if this file doesn't exist in your environment, create it).

The ciphers kept in the latest version of WebADM are listed below; SSLv2 and SSLv3 are disabled:

-bash-4.2# vi /opt/webadm/conf/webadm.env
SSL_PROTOCOL="ALL -SSLv2 -SSLv3"
SSL_CIPHERSUITE="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:\
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:\
ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:\
ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:\
ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:\
ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:\
DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:\
AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"

Edit the configuration and restart WebADM for the changes to take effect. The two settings use the Apache mod_ssl syntax; you can find further details on the options at https://httpd.apache.org/docs/2.4/mod/mod_ssl.html

If you need more information about recommended SSL/TLS ciphers, have a look at https://wiki.mozilla.org/Security/Server_Side_TLS.

After your changes, you can use Nmap's ssl-enum-ciphers script to check which SSL/TLS versions and ciphers the server still accepts:
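To see what the SSL_CIPHERSUITE list actually offers before scanning, here is an added example (not RCDevs' code) that reads webadm.env as the shell does (double quotes, backslash line continuations) and classifies each OpenSSL cipher name by key exchange, forward secrecy and AEAD; the sample file content is constructed from a subset of the list above.

```python
"""Classify the OpenSSL cipher list configured in webadm.env.

Added example, not RCDevs' code. Names are interpreted the OpenSSL way:
an ECDHE-/DHE- prefix means ephemeral key exchange (forward secrecy),
GCM or CHACHA20 means an AEAD cipher, DES-CBC3 means 3DES.
"""
import re

# Constructed sample trimmed from the list shown in this section.
SAMPLE_WEBADM_ENV = r'''
SSL_PROTOCOL="ALL -SSLv2 -SSLv3"
SSL_CIPHERSUITE="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:\
DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-SHA:DES-CBC3-SHA:!DSS"
'''


def read_env_value(text, name):
    """Return the value of NAME="...", joining backslash-newline continuations."""
    joined = re.sub(r"\\\n", "", text)          # shell line continuation
    m = re.search(rf'^{name}="([^"]*)"', joined, re.MULTILINE)
    return m.group(1) if m else None


def classify(cipher):
    """Describe one OpenSSL cipher suite name."""
    if cipher.startswith("ECDHE-"):
        kx = "ECDHE"
    elif cipher.startswith("DHE-"):
        kx = "DHE"
    else:
        kx = "RSA"                               # static RSA key transport
    return {
        "name": cipher,
        "key_exchange": kx,
        "forward_secrecy": kx != "RSA",
        "aead": "GCM" in cipher or "CHACHA20" in cipher,
        "triple_des": "DES-CBC3" in cipher,
    }


def review_ciphersuite(value):
    """Split the list; '!' and '-' entries are exclusions, not offered ciphers.

    Returns (report, weak): weak lists ciphers without forward secrecy or
    based on 3DES, which are the usual candidates for removal.
    """
    offered = [c for c in value.split(":") if c and c[0] not in "!-"]
    report = [classify(c) for c in offered]
    weak = [r["name"] for r in report
            if r["triple_des"] or not r["forward_secrecy"]]
    return report, weak


if __name__ == "__main__":
    suite = read_env_value(SAMPLE_WEBADM_ENV, "SSL_CIPHERSUITE")
    report, weak = review_ciphersuite(suite)
    for r in report:
        flags = [k for k in ("forward_secrecy", "aead", "triple_des") if r[k]]
        print(f"{r['name']:35} {' '.join(flags)}")
    print("Candidates for removal:", weak)
```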

nmap --script +ssl-enum-ciphers webadm_ip
[root@webadm1 ~]# nmap --script +ssl-enum-ciphers localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2019-01-15 16:18 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000030s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 991 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
| ssl-enum-ciphers: 
|   SSLv3: No supported ciphers found
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors: 
|       NULL
|_  least strength: strong
1812/tcp open  radius
4000/tcp open  remoteanything
5000/tcp open  upnp
| ssl-enum-ciphers: 
|   SSLv3: No supported ciphers found
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors: 
|       NULL
|_  least strength: strong
8080/tcp open  http-proxy
8443/tcp open  https-alt
| ssl-enum-ciphers: 
|   SSLv3: No supported ciphers found
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors: 
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 32.60 seconds

14. WebADM Access

Using certificates is the most secure login method. To use certificate login, you must log into WebADM and create a login certificate for your administrators.


Download your certificate and import it into your browser. Only then edit the WebADM configuration file /opt/webadm/conf/webadm.conf and change admin_auth UID to admin_auth PKI and #manager_auth UID to manager_auth PKI; switching before the certificate is in place would lock you out of the portal.

-bash-4.2# vi /opt/webadm/conf/webadm.conf

#
# WebADM Server Configuration
#

# Administrator Portal's authentication method.
# - PKI: Requires client certificate and login password.
# - UID: Requires domain name, login name and password.
# - DN: Requires login DN and password.
# - OTP: Like UID with an OTP challenge.
# - U2F: Like UID with a FIDO-U2F challenge.
# - MFA: Like UID with both OTP and FIDO-U2F challenge.
# Using certificates is the most secure login method. To use certificate login,
# you must log in WebADM and create a login certificate for your administrators.
# The UID mode requires a WebADM domain to exist and have its User Search Base
# set to the subtree where the administrator users are located. When using UID
# and if there is no domain existing in WebADM, the login mode is automatically
# forced to DN. You will also need to log in with the full user DN and set up
# a WebADM domain to be able to use the UID login mode.
admin_auth PKI
# Show the registered domain list when admin_auth is set to UID, OTP or U2F.
# And set a default admin login domain when auth_mode is set to these methods.
list_domains Yes
#default_domain "Default"

# Manager API's authentication method. Only UID, PKI and DN are supported here.
# If you set the admin_auth with multi-factor (PKI, OTP or U2F), then you must
# either use manager_auth PKI or UID with a list of allowed client IPs.
manager_auth PKI
#manager_clients "192.168.0.10","192.168.0.11"

# User level changes the level of feature and configuration for all applications.
# WebADM proposes three levels: Beginner, Intermediate and Expert. The default
# level (Expert) is recommended as it provides access to all the RCDevs features.
user_level Expert

# If your LDAP directory is setup with a base DN (ex. dc=mydomain,dc=com on AD),
# you can optionally set the base_treebase suffix and omit the suffix in other
# LDAP configurations like proxy_user, super_admins and containers.
#ldap_treebase "dc=mydomain,dc=com"

# The proxy user is used by WebADM for accessing LDAP objects over which the
# admin user does not have read permissions or out of an admin session.
# The proxy user should have read permissions on the whole LDAP tree,
# and write permissions on the users/groups used by the WebApps and WebSrvs.
# The use of a proxy user is required for WebApps and WebSrvs.
# With ActiveDirectory, you can use any Domain Administrator DN as a proxy user,
# which should look like cn=Administrator,cn=Users,dc=mydomain,dc=com.
proxy_user     "cn=webadm,dc=WebADM"
proxy_password "Password1234"

# Super administrators have extended WebADM privileges such as setup permissions,
# additional operations and unlimited access to any LDAP encrypted data. Access
# restriction configured in the WebADM OptionSets and AdminRoles do not apply to
# super admins. You can set a list of individual LDAP users or LDAP groups here.
# With ActiveDirectory, your administrator account should be something like
# cn=Administrator,cn=Users,dc=mydomain,dc=com. And you can replace the sample
# super_admins group on the second line with an existing security group.
super_admins "cn=admin,o=root", \
             "cn=super_admins,dc=WebADM"

# LDAP objectclasses
container_oclasses      "container", "organizationalUnit", "organization", "domain", "locality", \
                        "country", "openldaprootdse", "treeroot"
# user_oclasses is used to build the LDAP search filter with 'Domain' auth_mode.
# If your super admin user does not have one of the following objectclasses,
# add one of its objectclasses to the list.
user_oclasses           "user", "account", "person", "inetOrgPerson", "posixAccount"
group_oclasses          "group", "groupOfNames", "groupOfUniqueNames", "groupOfURLs", "posixGroup"
# With ActiveDirectory 2003 only, you need to add the 'user' objectclass to the
# webadm_account_oclasses and the 'group' objectclass to the webadm_group_oclasses.
webadm_account_oclasses "webadmAccount"
webadm_group_oclasses   "webadmGroup"
webadm_config_oclasses  "webadmConfig"

# LDAP attributes
certificate_attrs       "userCertificate"
password_attrs          "userPassword", "unicodePwd", "sambaNTPassword"
uid_attrs               "uid", "samAccountName", "userPrincipalName"
member_attrs            "member", "uniqueMember"
memberof_attrs          "memberOf", "groupMembership"
memberuid_attrs         "memberUid"
language_attrs          "preferredLanguage"
mobile_attrs            "mobile", "otherMobile"
mail_attrs              "mail", "otherMailbox"
webadm_data_attrs       "webadmData"
webadm_settings_attrs   "webadmSettings"
webadm_type_attrs       "webadmType"

# Find below the LDAP containers required by WebADM.
# Change the container's DN to fit your ldap tree base.
# WebADM AdminRoles container
adminroles_container "dc=AdminRoles,dc=WebADM"
# WebADM Optionsets container
optionsets_container "dc=OptionSets,dc=WebADM"
# WebApp configurations container
webapps_container "dc=WebApps,dc=WebADM"
# WebSrv configurations container
websrvs_container "dc=WebSrvs,dc=WebADM"
# Mount points container
mountpoints_container "dc=MountPoints,dc=WebADM"
# Domain and Trusts container
domains_container "dc=Domains,dc=WebADM"
# Clients container
clients_container "dc=Clients,dc=WebADM"

# With MS Active Directory use the following settings instead of the previous ones
# Note: Replace dc=mydomain,dc=com with your AD domain DN
#adminroles_container "cn=AdminRoles,cn=WebADM,dc=mydomain,dc=com"
#optionsets_container "cn=OptionSets,cn=WebADM,dc=mydomain,dc=com"
#webapps_container "cn=WebApps,cn=WebADM,dc=mydomain,dc=com"
#websrvs_container "cn=WebSrvs,cn=WebADM,dc=mydomain,dc=com"
#mountpoints_container "cn=Mountpoints,cn=WebADM,dc=mydomain,dc=com"
#domains_container "cn=Domains,cn=WebADM,dc=mydomain,dc=com"
#clients_container "cn=Clients,cn=WebADM,dc=mydomain,dc=com"

...

Now, restart WebADM with /opt/webadm/bin/webadm restart.

-bash-4.2# /opt/webadm/bin/webadm restart
Stopping WebADM HTTP server... Ok
Stopping WebADM Watchd server......... Ok
Stopping WebADM Session server... Ok
Checking libudev dependency... Ok
Checking system architecture... Ok
Checking server configurations... Ok

No Enterprise license found (using bundled Freeware license)
Please contact sales@rcdevs.com for commercial information

Starting WebADM Session server... Ok
Starting WebADM PKI server... Ok
Starting WebADM Watchd server... Ok
Starting WebADM HTTP server... Ok

Checking server connections. Please wait... 
Connected LDAP server: LDAP Server (127.0.0.1)
Connected SQL server: SQL Server (127.0.0.1)
Connected PKI server: PKI Server (127.0.0.1)
Connected Push server: Push Server (91.134.128.157)
Connected Session server: Session Server (::1)

Checking LDAP proxy user access... Ok
Checking SQL database access... Ok
Checking PKI service access... Ok
Checking Push service access... Ok
-bash-4.2# 

Finally, log into your WebADM.

15. WebADM Encryption Key

You can set several encryption keys for key rollover: all the defined keys are used for decrypting data, and the first defined key is used to (re-)encrypt data.

Use the command openssl rand -base64 32 to generate a new encryption key.

-bash-4.2# openssl rand -base64 32
1Lb6MB72/GOdIkbTEs1d6+nunsdv/LyXjoDDIYwy790=
-bash-4.2# 

Add the new key in first position and keep the old key after it (it is still needed to decrypt the existing data during re-encryption), as follows:

-bash-4.2# vi /opt/webadm/conf/webadm.conf
...
# WebADM encrypts LDAP user data, sensitive configurations and user sessions with
# AES-256. The encryption key(s) must be 256bit base64-encoded random binary data.
# Use the command 'openssl rand -base64 32' to generate a new encryption key.
# Warning: If you change the encryption key, any encrypted data will become invalid!
# You can set several encryption keys for key rollout. All the defined keys are used
# for decrypting data. And the first defined key is used to (re-)encrypt data.
# Two encryption modes are supported:
# Standard: AES-256-CBC (default)
# Advanced: AES-256-CBC with per-object encryption (stronger)
encrypt_data Yes
encrypt_mode Standard
encrypt_hsm  No
encrypt_key  "1Lb6MB72/GOdIkbTEs1d6+nunsdv/LyXjoDDIYwy790=","FzADk5PNYz+dl4JX+hYFiyVHQLBWnq2CXNJEy+Hpv9c="
...

Now you can re-encrypt the user data:

-bash-4.2# /opt/webadm/bin/encrypt -r default
This script will help you manage the WebADM user data encryption for the
LDAP users in the provided WebADM Domain(s). Using the script you can:
1) Review user data encryption.
2) Decrypt user data (-d option - not available with HSM encryption).
3) Encrypt user data (-e option).
4) Recrypt user data (-r option).
WebADM always uses the first configured encrypt_key to encrypt user data.
If you want to change the default encrypt_key then set the new key first.

Are you sure you want to update user data (y/n)? y
Entering Domain Default (o=root).
Re-encrypting user data for cn=test_user,o=Root... Ok

Updated 1 LDAP users in 0 seconds (0 errors).
-bash-4.2#
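The rollover procedure above depends on key order and key format. The following added example (not RCDevs' code) generates a key the way openssl rand -base64 32 does, validates that every configured key is 256-bit base64 data and produces the updated encrypt_key line with the new key first and the old keys kept behind it; the sample line uses the old key from this section.

```python
"""Plan an encrypt_key rollover for webadm.conf.

Added example, not RCDevs' code. It does not touch WebADM's data; it only
prepares the configuration line that the re-encryption step relies on.
"""
import base64
import binascii
import re
import secrets

# Constructed sample of the relevant webadm.conf line (old key from this section).
SAMPLE_LINE = 'encrypt_key  "FzADk5PNYz+dl4JX+hYFiyVHQLBWnq2CXNJEy+Hpv9c="'


def generate_key():
    """Equivalent of 'openssl rand -base64 32': 32 random bytes, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")


def validate_key(key):
    """A usable key must be valid base64 that decodes to exactly 32 bytes."""
    try:
        raw = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32


def parse_keys(line):
    """Extract the quoted, comma-separated key list from an encrypt_key line."""
    m = re.match(r"\s*encrypt_key\s+(.*)$", line)
    if not m:
        raise ValueError("not an encrypt_key line")
    return re.findall(r'"([^"]*)"', m.group(1))


def rollover_line(line, new_key):
    """Return the updated line: new key first, existing keys kept for decryption."""
    old = parse_keys(line)
    for key in old + [new_key]:
        if not validate_key(key):
            raise ValueError(f"key is not 256-bit base64 data: {key!r}")
    keys = [new_key] + [k for k in old if k != new_key]
    return "encrypt_key  " + ",".join(f'"{k}"' for k in keys)


if __name__ == "__main__":
    new = generate_key()
    print("new key :", new)
    print("old line:", SAMPLE_LINE)
    print("new line:", rollover_line(SAMPLE_LINE, new))
```

Keep the old key in the list until /opt/webadm/bin/encrypt -r has reported 0 errors for every domain.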