
Hardening the NetSUS appliance

  • May 8, 2012
  • 13 replies
  • 25 views


Hi-

In having a Foundstone scan done on the NetSUS appliance so that it could be used centrally for internal SUS duty, a few things stuck out. They were mainly around vulnerabilities with SMB. As the instance I was having scanned was only going to be used for SUS, I didn't need SMB turned on, so I turned it off.

Unfortunately, smbd is controlled by Upstart, which can be a little hard to understand. Upstart is event-driven rather than runlevel-driven. Here's the beginning of the /etc/init/smbd.conf file:

start on local-filesystems
stop on runlevel [!2345]

Basically, it's going to start up smbd whenever the local filesystems are mounted and stop when the runlevel is not (!) 2, 3, 4 or 5. Totally not what we want. We want it off, all the time, with the ability to still do a

service smbd start

So instead, we can do this:

start on runlevel [!0123456]

We're basically telling Upstart to begin smbd when the runlevel is NOT 0, 1, 2, 3, 4, 5 or 6. Which is... NEVER!

Just thought this may help someone, as I was scratching my head for about a day trying to configure service runlevels, with smbd not paying attention to that config.
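As an added example (not from this thread or from the appliance itself), here is a small POSIX sh audit that reads an Upstart job file and reports whether its "start on" condition can ever fire, so the hardening above can be verified after the edit. It works on constructed sample job files, not the real smbd.conf shipped on NetSUS; the file names and the audit_job helper are assumptions for the demo.

```sh
#!/bin/sh
# Added example, not from the thread or the appliance: audit an Upstart job
# file to confirm its "start on" condition can never fire, which is what the
# hardened smbd.conf stanza above relies on.  Runs on constructed sample job
# files; point audit_job at /etc/init/smbd.conf on a real host.

# Print the first "start on" condition of a job file (text after "start on").
upstart_start_condition() {
    sed -n 's/^[[:space:]]*start on[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 when Upstart will never start the job by itself: there is no
# "start on" stanza, or the stanza is "runlevel [!...]" excluding all of 0-6.
# Anything else (local-filesystems, compound and/or expressions, a positive
# runlevel list) is reported as enabled.
upstart_autostart_disabled() {
    cond=$(upstart_start_condition "$1")
    [ -z "$cond" ] && return 0
    event=${cond%% *}                 # first word must be the runlevel event
    spec=${cond#* }                   # remainder: the [..] runlevel list
    [ "$event" = runlevel ] && [ "$spec" != "$cond" ] || return 1
    spec=${spec#\[}; spec=${spec%\]}  # strip the brackets
    case "$spec" in !*) spec=${spec#!} ;; *) return 1 ;; esac
    for rl in 0 1 2 3 4 5 6; do       # every runlevel must be excluded
        case "$spec" in *"$rl"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Human-readable verdict for one job file.
audit_job() {
    if upstart_autostart_disabled "$1"; then
        echo "$1: autostart DISABLED (start on: ${cond:-<none>})"
    else
        echo "$1: autostart ENABLED  (start on: $cond)"
    fi
}

# Constructed sample job files (not the real smbd.conf shipped on NetSUS).
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SMBD_ORIG="$WORK/smbd-original.conf"    # starts with the filesystems
SMBD_HARD="$WORK/smbd-hardened.conf"    # never starts automatically
SMBD_PARTIAL="$WORK/smbd-partial.conf"  # still starts in runlevels 2-5
printf 'start on local-filesystems\nstop on runlevel [!2345]\n' > "$SMBD_ORIG"
printf 'start on runlevel [!0123456]\nstop on runlevel [!2345]\n' > "$SMBD_HARD"
printf 'start on runlevel [!016]\nstop on runlevel [!2345]\n' > "$SMBD_PARTIAL"

for f in "$SMBD_ORIG" "$SMBD_HARD" "$SMBD_PARTIAL"; do audit_job "$f"; done
```

Upstart 1.3 and later (Ubuntu 11.10 onward) also accept a one-line "manual" stanza in /etc/init/smbd.override, which disables autostart without editing the packaged job file; the Lucid-based appliance in this thread predates that.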

13 replies

  • Author
  • Valued Contributor
  • May 8, 2012

Ug, and we need that ability to edit JAMF Nation titles... I stink.


  • Contributor
  • May 8, 2012

Great tip, Jared! I don't need netboot from my appliance, so I'll be turning SMB off as well once it's deployed.


  • Author
  • Valued Contributor
  • May 8, 2012

You'll want to kill NFS as well. That can be done in the usual manner with

update-rc.d nfsd remove

  • Contributor
  • May 8, 2012

OK, thanks!


  • Valued Contributor
  • June 8, 2012

Any idea how you enable SSH on the appliance?


  • Contributor
  • June 8, 2012

You need to install the ssh client. Run this from the command line:

sudo apt-get install ssh


  • New Contributor
  • June 12, 2012

I also had our security team run a scan on the appliance and they weren't too happy. :-)

One of the big things is that they want PHP to be updated to 5.4.0 and Apache HTTPD to be updated to 2.2.22.

I ran apt-get update and upgrade and thought that might solve the problem, but it looks like I still need to do some updates. Has anyone had any luck upgrading the distro to 12? Does it break anything? I was thinking this would solve my issues with out-of-date software. Thanks.

Dan


  • Valued Contributor
  • June 22, 2012

I was not able to install the appliance on the latest version of Ubuntu using the preseed command. Quite a few things failed during the install...


  • Author
  • Valued Contributor
  • June 22, 2012

I did all the available updates before our security scan.


  • Contributor
  • December 23, 2012

Security scan points out samba and openssh updates. I am thinking of upgrading Lucid to Precise. Anyone tried this with NetSUS Appliance?


  • Author
  • Valued Contributor
  • December 26, 2012

Point your installer at the seed file JAMF has.

https://github.com/jamf/NetSUS/blob/master/seed/NetSUS.seed


  • Contributor
  • December 27, 2012

Point your installer at the seed file JAMF has. https://github.com/jamf/NetSUS/blob/master/seed/NetSUS.seed

Appreciate the info. But what does the .seed file do? Does it install the Appliance on any Ubuntu Server version? So if I upgrade the Ubuntu v10 (which came with the Appliance) to v12 first, do I then need to point to NetSUS.seed to reinstall the Appliance?
Also, how do I do that? What command do I use?
There is no readme file to explain it, or I am missing something!

EDIT: I have just seen this:
http://jamfnation.jamfsoftware.com/discussion.html?id=4363