SME Cloud Appliance deployment best practices

1 Introduction
The Storage Made Easy EFSS Cloud Control Appliance is provided as an interoperable OVF file and can run on VMware, Xen, KVM, and Hyper-V hypervisors. It can also be installed on bare metal.

The Cloud Control Appliance uses the Apache Web Server to serve pages, and the underlying Linux operating system is CentOS. CentOS is hardened using NSA hardening guidelines. You can review these at:

http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml

The Storage Made Easy Appliance can be set up as a company or ISP / MSP wishes. We provide a separate white paper for High Availability guidelines. This white paper suggests some best practices, but ultimately the deployment best practices are the responsibility of the deployer and should be in line with their existing deployment practices for such systems.
2 Fail2Ban
The SME Appliance ships with a customized version of Fail2Ban (http://www.fail2ban.org/).

Fail2Ban scans log files for malicious patterns, i.e. DoS attacks, too many password failures, SSH logins, exploit probing, scanning for download links, etc.

If the software detects such malicious patterns it automatically updates the firewall rules to reject the offending IP addresses for a specified amount of time (10 minutes). Because it scans continuously, it provides an extra layer of protection for the appliance.

Fail2Ban can also be set up to help prevent DoS attacks. To do this simply edit /etc/fail2ban/jail.conf and add the following to the end:



The above sets Fail2Ban to scan the access logs. It will ban any IP that makes more than 50 requests in 300 seconds.

The configuration can be adjusted as required. Also specify the correct path to the access logs, and the email address for notifications.

Next create the filter file: /etc/fail2ban/filter.d/http-get-dos.conf

and enter the contents as:



The above filter is what the jail matches against the logs: if an IP makes more than 50 matching requests in 300 seconds, it will be banned.
You can add to the exclude regex (ignoreregex) any line you do not want banned; for example, here Google is excluded.


To provide further information you can add some code in actionban to display extra information in an email.



This is an example of how Fail2Ban can be used to help prevent attacks, but in and of itself it is not a complete solution. It is just one of the measures that can be taken for protection.
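To make the jail and filter described above concrete, here is an added example (not code from the original page or from Storage Made Easy) that replays the same logic in Python: an http-get-dos style failregex with a Googlebot ignoreregex, the 50-requests-in-300-seconds threshold, and the 10 minute ban expiry. The log lines are constructed for the example; the IPv4 pattern standing in for Fail2Ban's <HOST> placeholder and the crawler user-agent string are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Jail parameters from the page: 50 requests within 300 s, 10 minute ban.
MAXRETRY = 50
FINDTIME = 300
BANTIME = 600

# Fail2Ban substitutes <HOST> in failregex with a host pattern; a plain IPv4
# group stands in for it here (assumption). Any GET/POST in the access log
# counts as one "failure", which is what an http-get-dos filter does.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(HOST + r" \S+ \S+ \[(?P<ts>[^\]]+)\] \"(?:GET|POST) ")
# Lines matching ignoreregex are never counted (here: an assumed crawler UA).
IGNOREREGEX = re.compile(r"Googlebot")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def scan(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay access-log lines and return {ip: ban expiry (datetime)}.

    Per IP, timestamps of counted requests are kept in a sliding window of
    `findtime` seconds; reaching `maxretry` hits inside that window triggers
    a ban of `bantime` seconds, and hits during an active ban are ignored.
    """
    window = defaultdict(deque)
    bans = {}
    for line in lines:
        if IGNOREREGEX.search(line):
            continue
        m = FAILREGEX.match(line)
        if not m:
            continue
        ip = m.group("host")
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        if ip in bans and ts < bans[ip]:
            continue  # already banned; the firewall is rejecting this client
        hits = window[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > findtime:
            hits.popleft()  # drop hits that fell out of the findtime window
        if len(hits) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            hits.clear()
    return bans


def active_bans(bans, now):
    """IPs whose ban has not yet expired at `now`: the firewall reject list."""
    return sorted(ip for ip, expiry in bans.items() if expiry > now)


def make_line(ip, when, ua="Mozilla/5.0"):
    """Build one constructed Apache combined-format access-log line."""
    stamp = when.strftime(TS_FORMAT)
    return f'{ip} - - [{stamp}] "GET /index.php HTTP/1.1" 200 512 "-" "{ua}"'


def sample_log():
    """Constructed traffic: one flood, one steady client, one ignored crawler."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(60):  # 60 requests in 60 s: trips the 50-in-300 s rule
        lines.append(make_line("203.0.113.7", base + timedelta(seconds=i)))
    for i in range(60):  # one request every 10 s: at most 31 inside any window
        lines.append(make_line("198.51.100.9", base + timedelta(seconds=10 * i)))
    for i in range(60):  # same burst as the flood, but matched by ignoreregex
        lines.append(make_line("192.0.2.5", base + timedelta(seconds=i), ua="Googlebot/2.1"))
    return lines


if __name__ == "__main__":
    for ip, expiry in scan(sample_log()).items():
        print(f"ban {ip} until {expiry.isoformat()}")
```

Only the flooding client is banned: the steady client never reaches 50 hits inside any 300 second window, and the crawler is skipped by ignoreregex before it is ever counted. The same window arithmetic is what the jail's findtime/maxretry pair expresses, so changing those two numbers here mirrors tuning the jail.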
3 Internet Security Protection services
There are many commercial services that can be used to protect an infrastructure from attacks. Many ISPs / MSPs and companies may already be using these. Examples are:

http://www.dosarrest.com
http://www.blacklotus.net
http://blockdos.net
http://www.prolexic.com
4 Proxy or Load Balancer
Proxy solutions can be used in front of the Appliance to provide an extra layer of protection against attacks (as well as high availability and load balancing), such as:

- DoS / DDoS attacks
- SYN flood attacks
- Slow DoS (Slowloris) attacks
- Script abusers

There are a number of solutions that can be used here such as the open source Squid, HAProxy, and other commercial solutions.

HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications.

It is particularly suited for web sites which receive very high loads while needing persistence or Layer 7 processing.

HAProxy can also be configured to help mitigate potential attacks.

If you are running your own load balancer based on HAProxy, look at the sysctl settings below (edit /etc/sysctl.conf) with regard to mitigation of SYN flood attacks.

# Protection SYN flood
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_max_syn_backlog = 1024

Note: If the attack is very large and saturates internet bandwidth, the only solution is to ask the internet access provider to null route the attacker's IPs on its core network.

In a Slow DoS (Slowloris) attack, clients slowly send requests to a server, header by header or character by character, waiting a long time between each, and the server has to wait until the end of the request before it can process it and send back the response.

The purpose of the attack is to prevent regular use of the service as the attacker is using all the available resources with these very slow requests.

In order to protect against this kind of attack, set up the HAProxy option “timeout http-request”. It can be set to 5s, which should be long enough. This simply tells HAProxy to give a client a 5 second time limit to send its whole HTTP request, otherwise HAProxy will shut the connection with an error.
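The following is an added example, not HAProxy's code or anything from the original page, showing why a single deadline over the whole request header block defeats the trickle described above. The server side reads until the blank line that ends the headers, but the deadline is fixed when the connection arrives (mirroring “timeout http-request 5s”) rather than reset on each byte, so sending one header at a time does not keep the connection alive. The 8 KiB header cap, the 408 response, and the socketpair-based client used to drive it are assumptions for the example.

```python
import socket
import threading
import time

# Mirrors HAProxy "timeout http-request 5s": the whole request header block
# must arrive within this many seconds or the connection is dropped.
REQUEST_TIMEOUT = 5.0
MAX_HEADER_BYTES = 8192  # assumed cap so a client cannot stream headers forever


def read_request_headers(conn, timeout=REQUEST_TIMEOUT, clock=time.monotonic):
    """Read until the blank line that ends the HTTP header block.

    Returns the raw header bytes, or None if the client did not deliver a
    complete header block before the deadline (the Slowloris case), sent
    too much, or closed early. The deadline covers the whole request, not
    each individual recv, so trickling one header at a time does not reset it.
    """
    deadline = clock() + timeout
    buf = bytearray()
    while b"\r\n\r\n" not in buf:
        remaining = deadline - clock()
        if remaining <= 0:
            return None
        conn.settimeout(remaining)  # never wait past the request deadline
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            return None
        if not chunk:
            return None  # peer closed before finishing the request
        buf += chunk
        if len(buf) > MAX_HEADER_BYTES:
            return None
    return bytes(buf)


def serve_one(conn, timeout=REQUEST_TIMEOUT):
    """Handle one connection: 200 for a complete request, 408 if it timed out."""
    headers = read_request_headers(conn, timeout)
    try:
        if headers is None:
            conn.sendall(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n")
            return 408
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
        return 200
    finally:
        conn.close()  # free the slot instead of holding it for a slow client


def simulate(client_chunks, gap, timeout):
    """Drive serve_one with a constructed client that sends chunks `gap` s apart.

    Returns the status code the server chose; used to compare a normal client
    with one that drips headers slower than the deadline allows.
    """
    server_side, client_side = socket.socketpair()

    def client():
        try:
            for chunk in client_chunks:
                client_side.sendall(chunk)
                time.sleep(gap)
        except OSError:
            pass  # server closed the connection on us, which is the point

    worker = threading.Thread(target=client, daemon=True)
    worker.start()
    status = serve_one(server_side, timeout)
    worker.join(timeout=5)
    client_side.close()
    return status


if __name__ == "__main__":
    normal = [b"GET / HTTP/1.1\r\nHost: appliance\r\n\r\n"]
    dripping = [b"GET / HTTP/1.1\r\n"] + [b"X-Pad-%d: 1\r\n" % i for i in range(10)]
    print("complete request ->", simulate(normal, 0, 1.0))
    print("dripped headers  ->", simulate(dripping, 0.15, 0.3))
```

The dripping client sends a header every 0.15 s against a 0.3 s deadline, so two or three headers arrive before the server gives up; with per-read timeouts instead of a per-request deadline it would have stayed connected indefinitely. The same effect at production scale is what the 5 second “timeout http-request” gives you in HAProxy.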

HAProxy can be quite a comprehensive defense against attacks and is in use in many companies and ISPs. A good place for further information is:

http://blog.exceliance.fr/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
5 Conclusion
This white paper has outlined some measures that can be considered for protection against various internet attacks when deploying the SME Appliance.

Many companies and ISPs / MSPs may already have their own best practices and guidelines for such deployments, and what is presented in this white paper can be considered an addendum to existing best practices for production deployment.
