Search Appliance SBE
The following is a list of some best practices for the Appliance to consider from a security perspective.
We recommend installing all available updates, and continuing to do so in the future. See here for how to obtain and install the latest software onto the Appliance.
Once the Appliance is up to date review the following items, accessible on the System → System Setup → System Wide Settings page:
This should be left empty until/unless Thunderstone services on remote machines are configured that need it, such as replication (here) or Dataload (here). See here.
Consider whether audit logging should be enabled. When enabled, many events such as changes to settings, logins, failed logins etc. will be logged to a file for analysis. Review the log periodically. See here for details.
Enables HTTPS on the Appliance for secure connections. Set this to Y; see here. See below for information on blocking access to HTTP (non-HTTPS) connections if desired. On Gen4 appliances, this is always on so there is no setting.
Requires that HTTPS be used for direct (non-proxied) administrative actions. Set to Y; see here.
Requires that HTTPS be used for proxied administrative actions. Set to Y; see here.
Requires that administrative actions (to the .../dowalk interface) on the Appliance come from one of the given IPs or networks. If only certain workstations with fixed IPs (or networks/submasks) should administer the Appliance, then those addresses should be entered. See here.
If support for less-secure/legacy SSL protocols is not needed, uncheck all but the highest protocol, currently TLSv1.3. See here.
Set to DEFAULT:!LOW:!EXPORT:!RC4:!SSLv3:!3DES or any more secure setting based on your site requirements. See here.
SNMP should be disabled (N), as SNMP is an insecure protocol and can reveal configuration information.
Some security items are configured using Webmin, which may be accessed from the admin web interface using System → System Setup → Webmin System Management, or directly by accessing https://ApplianceHost:999/. Login as admin using the same password as the admin account of the main Appliance web interface. Then consider the following actions:
Any unused ethernet ports should be disabled. There are two ways to disable an ethernet port:
The iptables firewall on the Appliance is configured using the Webmin interface; select the Linux Firewall link (on Gen4 appliances select the FirewallD link. You may wish to configure the firewall here according to your local security policy. For example, if you have set Enable HTTPS Server (above) to Y, but further wish to have all access - admin and search - only through HTTPS, then access to the HTTP server on port 80 can be blocked.
To do this on Gen4 appliances select the Service http (80) rule then click Delete Selected Rules.
To do this on prior to Gen4 appliances, select Linux Firewall. The first time this is chosen, a default policy will be asked for; select Allow all traffic and the ethN port you configured the Appliance's IP on (typically eth0). Also check Enable firewall at boot time?. Then hit Setup Firewall.
In the Incoming packets (INPUT) section click Add Rule. Then set Rule comment to "Block http port 80" or such, set Action to take to Reject, set Network protocol to Equals, set Destination TCP or UDP port to Equals, and enter 80 for Port(s). Then click Create at the bottom of the page.
Now click Apply Configuration at the bottom, and make sure you're still able to reach the Appliance. If you've accidentally locked yourself out go to the Appliance console (physical or VM) and select F drop Firewall/NAT (Allow all network access) to delete the firewall configuration and make it wide open again.
Distinct administrative users should have distinct accounts, and accounts should not be shared. Consider enabling access control (here), and giving each user only the permission(s) needed to accomplish their tasks. Set up a group for each role - e.g. walk maintainers vs. look-and-feel editors vs. system admins - and assign users to those groups as needed, per their roles. Creating roles as groups instead of users makes audit logging (here) more useful and user management easier.
For every profile (both existing, and new ones created in the future), consider the following settings:
Under Search Settings, check the following:
If appropriate for the environment, consider using Results Authorization (here) to limit search results to those a search user is authorized for. Note that this can have a search performance impact.
Make sure Phishing Protection (here) is enabled, so users cannot be redirected to arbitrary URLs.
Make sure Prevent Find Similar Fetch (here) is enabled, to prevent the appliance from fetching arbitrary URLs.
Under All Walk Settings, check the following:
Resource limit settings such as Max Page Size, Max URL Size, Page Timeout, Maximum Process Size etc. should be left at their default values if possible, or only increased as much as needed. Setting them to very large or unlimited values can potentially allow a walk to consume inordinate amounts of resources, potentially slowing searches or bringing the machine down.