The MX-ONE has been given a set of configurations intended to increase the system's security, reliability and resilience against a number of malicious attacks.
IPTables is a packet filter built into the Linux kernel. The filter has been configured so that certain services running on the server for the MX-ONE Service Node, which are necessary for the server's correct functioning, cannot be reached from the corporate network (eth0). The following services have been blocked for incoming connections on eth0:
vat
postgresql
clvm-cfg
kerberos
nfs
sunrpc
rmiregistry
daytime
tftp
Additionally, ICMP echo reply messages (ping) are limited to one response per second.
To display the current IPTables configuration, type iptables -L
To remove a rule, for instance the one blocking the daytime protocol on eth0, type iptables -D INPUT -i eth0 -p udp -m udp --dport daytime -j REJECT
For more information about how to configure IPTables, refer to the IPTables manual pages: type man iptables.
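The following check is an added example, not part of the MX-ONE documentation or software: it reads the output of iptables -L INPUT -v and reports which of the services listed above have no REJECT or DROP rule on eth0. The function names, the sample ruleset and the assumption that ports are printed as service names are illustrative.

```sh
#!/bin/sh
# Added example. Service names are the nine the page lists as blocked on eth0.
SERVICES="vat postgresql clvm-cfg kerberos nfs sunrpc rmiregistry daytime tftp"

# Reads `iptables -L INPUT -v` output on stdin (no -n, so ports print as
# service names) and prints every listed service that has no REJECT or DROP
# rule for any source/destination on interface $1 (default eth0).
# Limitation: rule order is not evaluated, so an earlier ACCEPT is not detected.
missing_blocks() {
    awk -v ifc="${1:-eth0}" -v want="$SERVICES" '
        ($3 == "REJECT" || $3 == "DROP") && $6 == ifc &&
        $8 == "anywhere" && $9 == "anywhere" {
            for (i = 10; i <= NF; i++) {
                if ($i ~ /^dpt:/) {
                    seen[substr($i, 5)] = 1            # single-port match
                } else if ($i == "dports" && i < NF) {
                    n = split($(i + 1), p, ",")        # multiport match
                    for (k = 1; k <= n; k++) seen[p[k]] = 1
                }
            }
        }
        END {
            n = split(want, w, " ")
            for (k = 1; k <= n; k++) if (!(w[k] in seen)) print w[k]
        }'
}

# Constructed sample output, not taken from a real MX-ONE system.
sample_ruleset() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     udp  --  eth0   any     anywhere             anywhere             udp dpt:daytime reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:postgresql reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  eth0   any     anywhere             anywhere             multiport dports nfs,sunrpc,kerberos reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  eth1   any     anywhere             anywhere             udp dpt:tftp reject-with icmp-port-unreachable
    0     0 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:rmiregistry
EOF
}

# Prints vat, clvm-cfg, rmiregistry and tftp, one per line.
sample_ruleset | missing_blocks eth0
# On a live server (as root): iptables -L INPUT -v | missing_blocks eth0
```

An empty result means every listed service has a matching block rule on the interface; any name printed should be compared against the full iptables -L output before concluding that the port is exposed.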
The MX-ONE is configured not to accept any SSH connection that logs in as root. If root privileges are required, log on as another user and then use the command su -. The SSH configuration is saved in the /etc/ssh/sshd_config file.
Seccheck is a security tool used by the SUSE Linux Enterprise Server operating system. Seccheck comprises three scripts that are run daily, weekly and monthly, respectively (as cron jobs). If something is detected that might indicate a security breach, a mail is sent to the root user with a description of the problem.
The seccheck scripts are stored in the /usr/lib/secchk directory.
The seccheck scripts can also be run manually by typing:
/usr/lib/secchk/security-daily.sh
or
/usr/lib/secchk/security-weekly.sh
or
/usr/lib/secchk/security-monthly.sh
The weekly and monthly seccheck scripts are very CPU and memory intensive. They can easily slow responses to traffic events and result in MX-ONE Service Node calls throttled alarms. If possible, ensure that these checks are always run at low-traffic times. Check the settings in /etc/cron.d/seccheck to see when the checks are executed. For operations where degraded telephony throughput is not acceptable, or for other reasons, the checks can be removed.
To remove the security check, do the following:
Log in as user mxone_admin, enter the command sudo -H /opt/mxone_install/bin/mxone_maintenance, select the option seccheck, and follow the instructions on screen.