Security settings in the Appliance

Overview

The Appliance uses standard mechanisms for authentication and security. Connections to the CLI of the Appliance are established through OpenSSH, which is the SSH implementation installed in the operating system of the Appliance, and connections to the Portal are managed by the security layer of the underlying Java implementation.

Some of the encryption algorithms allowed by these technologies are considered weak and relatively easy to break by current standards. Ciphers that use short keys may compromise the security of the Appliance. To protect you against attacks that aim to break the ciphers in use, you can control the allowed ciphers in the Appliance and disable those that you consider too weak. Before disabling a cipher, make sure that your SSH clients and browsers support at least one of the encryption methods that remain enabled, or you will lock yourself out of the CLI or the Portal.

SSH configuration

Starting from Nexthink V5.1, the default configuration of SSH in the Appliance is set to exclusively use ciphers and hashes that are considered strong. However, this configuration is automatically set only for fresh installations of Nexthink V5.1 and later.

If you upgraded to Nexthink V5.1 or if you are running a previous version, the following procedure configures SSH to use only strong ciphers (the same ones allowed by default in fresh installations of Nexthink V5.1 or later):

  1. Log in to the CLI of the Appliance.
  2. Edit the SSH daemon configuration file:
    sudo vi /etc/ssh/sshd_config
  3. Add the following two lines at the end of the configuration file:
    Ciphers aes256-ctr,aes192-ctr,aes128-ctr,arcfour256,arcfour128,arcfour
    MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-ripemd160@openssh.com,hmac-ripemd160
  4. Restart the SSH daemon:
    sudo service sshd restart

Portal configuration

To disable weak ciphers in the Portal, set the Java run-time option in the configuration file of the Portal:

  1. Log in to the CLI of the Appliance.
  2. Edit the Tomcat configuration file for the Portal:
    sudo vi /etc/nxt-tomcat.conf
  3. Modify the JAVA_OPTS variable to add the option that disables the undesired algorithms in the TLS implementation of Java. For instance, to disable MD5 and RC4 while keeping the maximum Java heap size of 10 GB, write:
    JAVA_OPTS="-Djdk.tls.disabledAlgorithms=MD5,RC4 -Xmx10240m"
  4. Restart the Portal:
    sudo service nxportal restart
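Both procedures above edit a configuration file by hand. The helpers below, added here as an example and not part of the Nexthink Appliance, apply the sshd change so that it takes effect even when the file already contains a Ciphers or MACs line or ends in a Match block (sshd uses the first value it finds for a keyword, and lines after a Match belong to that block), verify the values sshd will use, and read back the Portal option. File paths are parameters so the helpers can be tried on a copy; the function names are hypothetical, and the usual `Keyword value` syntax of sshd_config is assumed.

```shell
#!/bin/sh
# Added example, not Nexthink's own tooling: apply and verify the sshd_config
# directives from the SSH procedure, and read back the Portal setting.
# File paths are parameters so the helpers can be tried on a copy first; on
# the Appliance the real files are /etc/ssh/sshd_config and
# /etc/nxt-tomcat.conf (edit with sudo, then `sudo sshd -t` before restarting).

SSH_CIPHERS='aes256-ctr,aes192-ctr,aes128-ctr,arcfour256,arcfour128,arcfour'
SSH_MACS='hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-ripemd160@openssh.com,hmac-ripemd160'

# Print the value sshd will actually use for KEYWORD: the first occurrence in
# the global section. sshd keeps the first value of a keyword, and anything
# after a Match line belongs to that Match block, not to the global section.
sshd_effective() { # sshd_effective FILE KEYWORD
    awk -v k="$2" '
        tolower($1) == "match" { exit }                       # global section ends
        tolower($1) == tolower(k) { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Drop any existing Ciphers/MACs lines and insert the hardened ones in the
# global section: before the first Match block if there is one, else at the end.
# Appending blindly to a file that already has such a line, or that ends in a
# Match block, would leave the old (weaker) value in effect.
sshd_apply_hardening() { # sshd_apply_hardening FILE
    f="$1"; tmp="$f.tmp.$$"
    awk -v c="$SSH_CIPHERS" -v m="$SSH_MACS" '
        function emit() { if (!done) { print "Ciphers " c; print "MACs " m; done = 1 } }
        tolower($1) == "ciphers" || tolower($1) == "macs" { next }   # old directives
        tolower($1) == "match" { emit() }                            # end of global section
        { print }
        END { emit() }
    ' "$f" > "$tmp" && cat "$tmp" > "$f" && rm -f "$tmp"   # cat keeps the file mode/owner
}

# Succeed only when both directives are in effect with the expected values.
sshd_hardening_ok() { # sshd_hardening_ok FILE
    [ "$(sshd_effective "$1" Ciphers)" = "$SSH_CIPHERS" ] &&
    [ "$(sshd_effective "$1" MACs)" = "$SSH_MACS" ]
}

# Print the algorithm list disabled via JAVA_OPTS in the Portal configuration
# (e.g. "MD5,RC4"); prints nothing when the option is missing.
portal_disabled_algorithms() { # portal_disabled_algorithms FILE
    sed -n 's/^[[:space:]]*JAVA_OPTS=.*-Djdk\.tls\.disabledAlgorithms=\([^ "]*\).*/\1/p' "$1" | head -n 1
}
```

Running `sshd_hardening_ok /etc/ssh/sshd_config` after the edit, followed by `sudo sshd -t`, confirms the directives are in effect and the file parses before the daemon is restarted.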