iPlanet Partner Agent for ECXpert Server Site Administrator’s Handbook



Chapter 6   (Optional) Using the Server Security Controls

This chapter describes how to use the Security control pages to configure security settings for Partner Agent Server, enable or disable FTP commands, and perform audits.

This chapter covers the pages for viewing and changing the Security Controls:

Secure Sockets Layer

The Secure Sockets Layer (SSL) is the security protocol that Partner Agent Server uses. SSL can be enabled or disabled globally. If SSL is enabled, then there are two client certificate options, plus any user class SSL requirements. Encryption (SSL) can be set as optional or mandatory on a user class basis.

When SSL is made mandatory, the Partner Agent Server allows only connections that are encrypted using SSL: if the client does not support SSL, it cannot connect. If SSL is optional, then it is up to the client to decide whether or not to use SSL. If the client requests an SSL connection, it is negotiated; if not, the Partner Agent Server allows the connection to proceed without encryption.




Note

Even if SSL is optional, if the client requests SSL and then fails the Client Certificate Verification, the connection will be rejected.



By default, Partner Agent Server has been pre-configured for maximum security. This means that data passing over the connection between the Partner Agent Client and the Partner Agent Server is encrypted via SSL. It also means that client users must present a valid certificate to the server for authentication.

Figure 6-1    Security pages, Secure Sockets Layer screen

The Secure Sockets Layer page is where you set up the SSL options for Partner Agent Server. In the first section of the page, there are three drop-down lists for setting the SSL options. Below that there is a section for adding SSL User Encryption Entries and below that a list of any Current SSL Users Encryption Entries.

Enabling or Disabling SSL

To globally enable or disable SSL:

  1. Select the desired option from the first drop-down list.


  2. The default value is Secure Sockets Layer Enabled.

  3. Click Apply.


  4. Your change is applied.

Modifying the Requirement for Client Certificates

To require or make optional a client certificate:

  1. Select the desired option from the second drop-down list.


  2. The default value is Client Certificate Mandatory.

  3. Click Apply.


  4. Your change is applied.

Enabling or Disabling Client Certificate Verification

To enable or disable client certificate verification:

  1. Select the desired option from the third drop-down menu.


  2. The default value is Client Certificate Verification Enabled.

  3. Click Apply.


  4. Your change is applied.

Adding a New SSL Users Encryption Entry

To add a new SSL users encryption entry:

  1. Select a user class from the User Class drop-down list.


  2. Select whether encryption is Mandatory or Optional. Choose from the Encryption drop-down list.


  3. Click Add Entry.


  4. The definition is added to the list of Current SSL Users Encryption Entries, with a status of Disabled.

Enabling or Disabling an Encryption Entry

To enable or disable an encryption entry, click Enable or Disable next to the desired encryption entry.

Editing an Encryption Entry

To edit an encryption entry from the list of Current SSL Users Encryption Entries:

  1. In the Action column, next to the desired encryption entry, click Edit.


  2. Make the desired changes in the fields and drop-down lists in the Edit SSL Users Encryption Entry section above the list of Current SSL Users Encryption Entries.


  3. Click Apply.


  4. Your changes are reflected in the list of Current SSL Users Encryption Entries.

Deleting an Encryption Entry

To delete an encryption entry, in the Action column, next to the desired entry, click Delete.

User Authentication

User authentication is the method by which a real or virtual user-supplied password is authenticated. This can be accomplished using the standard UNIX password based authentication or by invoking a defined Authentication ActiveAgent (auth agent) to perform the authentication. For more on ActiveAgents see Chapter 8: ActiveAgents.

Partner Agent Server has been pre-configured to extract the username from the Distinguished Name (DN) string and prompt for a password after a user's certificate has been authenticated. This username/password combination must correspond to a valid ECXpert member. As pre-configured, the Server authenticates users only via the ECXpert authentication ActiveAgent program (ecxpas-login), which calls ECXpert APIs to perform this authentication against the ECXpert member directory/database.

Figure 6-2    Security pages, User Authentication screen

Setting User Authentication Options

To set the options:

  1. Select an authentication order from the first drop-down list.


  2. The default value is Auth Agent Only.

  3. Click Apply.


  4. Enter a value for the Magic Cookie in the Auth Agent Magic Cookie field (see "A Few Things to Know about User Authentication").


  5. Click Apply.





A Few Things to Know about User Authentication

  • If an auth agent magic cookie is defined, its value is checked against the password field in the user's password entry, obtained from a password file or by a user configuration agent. If it matches, only the auth agent is called. If it does not match, only standard password based authentication is performed.


  • If an auth agent magic cookie is not defined, or it is set to off, the authentication order is checked.


  • If the authentication order is password files only, only standard password based authentication is done.


  • If the authentication order is auth agent only, only the auth agent is called. If the authentication order directive is password agent, standard password based authentication is done. If it fails, the auth agent is called as a second chance.


  • If the authentication order directive is agent password, the auth agent is called. If it fails then standard password based authentication is done as a second chance.


  • A non-existent auth agent is considered an authentication failure. So, for example, if auth-order is agent password, and there is no agent, the first round of authentication fails and the second round attempts standard password based authentication. If authentication order is auth agent only, the authentication always fails.


  • If authentication order is not defined, only standard password based authentication is done.
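
The rules above can be modeled as a small decision function, which makes it easier to see which settings accept a credential from either source. This is an added example, not Partner Agent Server code; the order labels, the function names and the sample credential stores are assumptions made for illustration.

```python
from typing import Callable, List, Optional

# Labels for the four orders named in the text. How the server spells them in
# its configuration is not shown on this page, so these strings are assumed.
PASSWORD_ONLY = "password files only"
AGENT_ONLY = "auth agent only"
PASSWORD_AGENT = "password agent"
AGENT_PASSWORD = "agent password"

ORDERS = {
    PASSWORD_ONLY: ["password"],
    AGENT_ONLY: ["agent"],
    PASSWORD_AGENT: ["password", "agent"],   # agent is the second chance
    AGENT_PASSWORD: ["agent", "password"],   # password file is the second chance
}

Checker = Callable[[str, str], bool]


def plan(cookie: Optional[str], passwd_field: str, order: Optional[str]) -> List[str]:
    """Return the methods the rules above would try, in order, for one user."""
    if cookie and cookie != "off":
        # Cookie defined: the password field of the user's entry alone decides,
        # and the authentication order is not consulted.
        return ["agent"] if passwd_field == cookie else ["password"]
    if order is None:
        return ["password"]                  # order undefined: password files only
    if order not in ORDERS:
        raise ValueError(f"unknown authentication order: {order!r}")
    return list(ORDERS[order])


def authenticate(user: str, secret: str, methods: List[str],
                 check_password: Checker, agent: Optional[Checker]) -> bool:
    """Run the planned methods; a missing agent counts as a failed round."""
    for method in methods:
        if method == "agent":
            ok = agent is not None and agent(user, secret)
        else:
            ok = check_password(user, secret)
        if ok:
            return True
    return False


# Constructed credential stores standing in for the password file and the agent.
PASSWD = {"alice": "unix-pw"}
DIRECTORY = {"alice": "member-pw"}


def check_password(user: str, secret: str) -> bool:
    return PASSWD.get(user) == secret


def agent(user: str, secret: str) -> bool:
    return DIRECTORY.get(user) == secret


if __name__ == "__main__":
    for order in ORDERS:
        methods = plan(None, "x", order)
        print(order, methods, authenticate("alice", "unix-pw", methods, check_password, agent))
```

With either second-chance order, a password that is valid in only one of the two stores is still accepted, so both stores need the same password hygiene.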


Login Failures

For security reasons, we recommend that you limit the number of consecutive failed logins before the Partner Agent FTP Server terminates the connection with a user. If you do not limit this, a hacker could connect once and keep trying multiple passwords on a user's account. Set the failed login threshold at three attempts, for example, so users have to reconnect after every three failed attempts. The Login Failures page is where you can change the failed login threshold.

Figure 6-3    Security pages, Login Failures screen

Changing the Failed Login Threshold

To change the failed login threshold:

  1. Enter the desired value in the Disconnect after field.


  2. Click Apply.


  3. Your change is applied.

FTP Commands

Partner Agent FTP Server uses a number of standard and customized FTP commands. The FTP Commands page is where you enable and disable the available FTP commands in Partner Agent Server. You can also determine which user classes are allowed or denied the use of each FTP command.

Figure 6-4    Security pages, FTP Commands screen

Setting FTP Command Options

To set FTP command options:

  1. Select a command from the FTP Command drop-down list.


  2. Select either Enable FTP Command or Disable FTP Command from the Enable/Disable drop-down list.


  3. Select the User Class you want to allow or deny use of the selected FTP command. Select from the User Class drop-down list.


  4. Click Add Entry.


  5. The entry is added to the list of Current FTP Command Entries.

Editing an FTP Command Entry

To edit an FTP Command entry from the list of Current FTP Command Entries:

  1. In the Action column, next to the desired FTP Command entry, click Edit.


  2. Make the desired changes in the fields and drop-down lists in the Edit FTP Command Entry section above the list of Current FTP Command Entries.


  3. Click Apply.


  4. Your changes are reflected in the list of Current FTP Command Entries.

Deleting an FTP Command Entry

To delete an FTP Command entry, in the Action column next to the desired entry, click Delete.

Entrust Configuration

Entrust is an option available for some UNIX platforms. If it is not set up for your system, the Entrust page displays the message "Entrust not Available."

Security Audit

Your Partner Agent Server has an integrated security auditing system, called EnGuard™, that can be enabled to run automatically every day. EnGuard alerts you to potential security holes and possible break-ins. EnGuard uses pre-programmed security checks in combination with sophisticated historical inference algorithms to detect security weaknesses on your Server.

EnGuard Features

  • Checks for security holes caused by interactions between Partner Agent Server and other programs such as Telnet.


  • Analyzes anonymous FTP hierarchies for security holes.


  • Analyzes Server configuration files and binaries for security holes.


  • Historical inference engine for detecting break-ins.


  • Notifies system administrators through e-mail or logfiles.


  • Generates textual or HTML security reports.


  • Runs daily as a cron job, for continual monitoring.


Running EnGuard as a Cron Job

EnGuard is commented out by default, but can be enabled to run as part of the nightly Partner Agent Server cron job that is configured at install time. EnGuard maintains a historical database about your Partner Agent Server site. As it is run successively, it uses this database to spot anomalies in accesses to your site, and new security holes that may have appeared since the last time EnGuard was run.


Note

If you set the "reportformat email" control in your config file, you can have EnGuard send you an email whenever it detects new problems with your site. This way, it remains invisible unless problems are detected.



To enable EnGuard:

  • Edit $NSBASE/NS-apps/paserver/bin/rotate and un-comment the EnGuard entry:

    # $NSBASE/NS-apps/paserver/bin/enguard

Security Audit Control Panel

The Security Audit Control Panel page is where you browse reports, configure reports, perform an instantaneous security check and update the EnGuard settings.

This page has links to other pages and controls. Each page contains a link back to the Security Audit Control Panel page.

Figure 6-5    Security pages, Security Audit Control Panel screen

Browsing Previously Generated Security Audit Reports

To go to the Browse Security Audit Reports Archive page, click Browse Previously Generated Security Audit Reports. If you enabled archiving of reports (see "Configuring Archival and Distribution of Reports"), this page displays the historical archive of any Partner Agent Server security audit reports that your Server has run.

Reports are stored as date-stamped files in the $NSBASE/NS-apps/paserver/var/db/audit/htmllogs and $NSBASE/NS-apps/paserver/var/db/audit/textlogs directories. You can page through the archive, viewing links to twenty reports at a time, in most-recently-created order. Security audit reports are archived forever, so to get rid of old archived reports, delete them from their directories.

Configuring Archival and Distribution of Reports

The Archiving and Distribution of Security Reports page allows you to configure the archival and distribution of security reports. You can have security audits e-mailed to a list of users.

Reports are archived as date-stamped files in the $NSBASE/NS-apps/paserver/var/db/audit/htmllogs and $NSBASE/NS-apps/paserver/var/db/audit/textlogs directories. You can enable or disable the archiving of reports. If you disable the archiving of reports, a single report file is overwritten every time EnGuard is run. This avoids using a lot of disk space for archiving reports, but is not an advisable setting as it does not preserve reports which may have detected transient or new security weaknesses.

To access the Archiving and Distribution of Security Reports page, click Configure Archiving and Distribution of Reports. This page is where you enable or disable archiving of reports and sending of the daily security audit results.

Figure 6-6    Security pages, Security Audit Control Panel, Archiving and Distribution of Security Reports screen

Archival and Distribution of Security Reports Options

To set the options for archiving and distributing daily security audits:

  1. Click the Send Email Report's checkbox to enable or disable sending of email reports.


  2. List e-mail addresses in the Recipient list field. The user names in the recipient list should be separated with spaces. For example: root admin dave@myserver.com.


  3. Enter the pathname to the mail application in the E-Mail program to use field. For example: /bin/mailx.


  4. Choose Yes or No for whether or not Partner Agent Server should archive old reports.


  5. To apply all your changes for this page, click Change Audit Settings.


Customizing Reports

The Customize Security Audit Reports page is where you set which security checks are performed and what gets reported. To access this screen, from the Security Audit Control Panel page, click Customize Reports.

Figure 6-7    Security pages, Security Audit Control Panel, Customize Security Audit Reports screen

On the Customize Security Audit Reports page there is a list of options that can be enabled or disabled. Each option has a checkbox. A checkmark in an item's checkbox means that item is enabled; no checkmark means it is disabled.

To Enable or Disable an item:

  1. Click in the checkbox, to make a checkmark appear or disappear.


  2. Click Change EnGuard Settings, to enact your changes.


Enabling or Disabling Security Checks

Partner Agent Server's security auditing system performs a number of security checks. You can enable or disable these checks. The security checks that you can enable or disable are:

  • checking of /etc/passwd.


  • checking of /etc/shadow.


  • checking of denied users.


  • checking of user passwords.


  • checking of the FTP daemon, inetd.conf and related binaries.


  • checking of the anonymous FTP file hierarchy.


  • checking for failed logins in syslog.


  • checking for repeated failed logins in syslog.


  • checking if files have been modified since the last run.


  • checking if new files in the anonymous FTP file hierarchy are shared libraries.


Enabling or Disabling Report Settings

The security auditing system prints a report of the configuration errors, security warnings and security violations every time it runs. Additionally, you can ask for a progress report. This is a verbose report that details all the actions of the security auditing process. If you are receiving e-mail reports, you only receive a report if there is something to report. If you want to be notified every time the security auditing system runs, regardless of whether there were security issues for you to investigate, then you should enable OK Reports or Progress Reports.

  • Report Progress


  • The progress report is a report that details all the actions of the security auditing process. If you want to be notified every time that the security auditing system runs, regardless of whether there were security issues for you to investigate, then you should enable OK Reports or Progress Reports.

    The OK report setting disables or enables the printing of a report even if no violations, warnings or errors were detected. The default is for an OK report to be printed every time a security audit is run. You can disable the printing of an OK report if you have scheduled EnGuard to run frequently and you do not want frequent notification that everything is OK. However, if you want to be notified that auditing is still running on an automatic basis, you should enable OK printing.

  • Report Errors


  • This disables or enables the printing of errors in your reports. The default is for error printing to be enabled. Errors notify you of problems with the setup of the auditing system itself (very rare). It is advisable for you to enable the printing of errors.

  • Report Warnings


  • This disables or enables the printing of security warnings in your reports. The default is for warning printing to be enabled. Warnings notify you of potential problems or failed Partner Agent Server logins. These may or may not be security holes. It is advisable for you to enable the printing of warnings. Warnings are displayed like this:

    WARNING: /etc/ftpusers file does not exist.

  • Report Violations


  • This disables or enables the printing of security violations in your reports. The default is for violation printing to be enabled. Violations notify you of serious security holes and hacker attacks on your Partner Agent Server. It is strongly advised that you enable the printing of violations. Violations are displayed like this:

    VIOLATION: /home/ftp/pub/tmp/test has write permission for OWNER and GROUP and OTHERS.

    This is a serious security problem, as it lets all FTP users write into the file. To correct this problem, execute the command chmod 555 /home/ftp/pub/tmp/test as root.

Configuring Security Checking Of Anonymous FTP Hierarchy

The security auditing system checks the anonymous FTP directory for security holes. There may be directories in the anonymous FTP directory hierarchy that you do not want EnGuard to check. You can exclude these directories by adding them to the excluded directory list. Doing this removes the directories and their child directories from the EnGuard audit list. For example, you might exclude a directory that is writable by all users if you do not care whether any of the subdirectories or files inside this hierarchy are writable. Be warned that not checking an entire directory hierarchy can open up some serious security holes on your Server.
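
To see what an exclusion hides, the following added example walks a directory tree, reports entries writable by GROUP or OTHERS, and skips excluded directories together with everything beneath them. It is not EnGuard code and does not reproduce EnGuard's checks; the function names, the choice of write bits to flag, and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

WRITE_BITS = ((stat.S_IWGRP, "GROUP"), (stat.S_IWOTH, "OTHERS"))


def audit_writable(root, excluded_dirs=(), excluded_files=()):
    """Return sorted (relative path, classes) for entries writable by GROUP or OTHERS."""
    skip_dirs = {os.path.normpath(d) for d in excluded_dirs}
    skip_files = {os.path.normpath(f) for f in excluded_files}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # Pruning in place keeps os.walk out of an excluded directory, so the
        # directory and everything beneath it go unchecked.
        dirnames[:] = [d for d in dirnames
                       if os.path.normpath(os.path.join(rel_dir, d)) not in skip_dirs]
        for name in dirnames + filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if rel in skip_files:
                continue
            mode = os.lstat(os.path.join(dirpath, name)).st_mode
            if stat.S_ISLNK(mode):
                continue  # permission bits on a symbolic link are not meaningful
            classes = [label for bit, label in WRITE_BITS if mode & bit]
            if classes:
                findings.append((rel, classes))
    return sorted(findings)


# Constructed sample hierarchy: names and modes are made up for this demo.
SAMPLE_DIRS = {"pub": 0o755, "pub/tmp": 0o755, "incoming": 0o777}
SAMPLE_FILES = {"pub/README": 0o444, "pub/tmp/test": 0o666, "incoming/drop.bin": 0o666}


def demo():
    """Audit the sample tree three ways and return the three result lists."""
    with tempfile.TemporaryDirectory() as root:
        for rel in SAMPLE_DIRS:
            os.makedirs(os.path.join(root, rel), exist_ok=True)
        for rel in SAMPLE_FILES:
            open(os.path.join(root, rel), "w").close()
        for rel, mode in {**SAMPLE_DIRS, **SAMPLE_FILES}.items():
            os.chmod(os.path.join(root, rel), mode)  # explicit, so umask is irrelevant
        everything = audit_writable(root)
        with_exclusion = audit_writable(root, excluded_dirs=["incoming"])
        os.chmod(os.path.join(root, "pub/tmp/test"), 0o555)  # the fix from the text
        after_fix = audit_writable(root, excluded_dirs=["incoming"])
    return everything, with_exclusion, after_fix


if __name__ == "__main__":
    for label, result in zip(("all", "incoming excluded", "after chmod 555"), demo()):
        print(label, result)
```

Comparing the first two results shows exactly which writable entries stop being reported once a directory is on the exclude list.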

To access the Auditing The Anonymous FTP Hierarchy page, click Configure Security Checking Of Anonymous FTP Hierarchy.

Figure 6-8    Security pages, Security Audit Control Panel, Auditing the Anonymous FTP Hierarchy screen

Excluding a Directory

To exclude a directory from the daily security check:

  1. Enter a directory path name in the Add Directory to Exclude List field.


  2. Click Add Directory to Exclude List.


  3. The Directory is added to the list of any excluded directories.

Removing a Directory from the Excluded List

To remove a directory from the excluded list, next to the list entry, click Remove Directory from Exclude List.

The Directory is removed from the list of any excluded directories.

Excluding a File

To exclude a file from the daily security check:

  1. Enter a file path name in the Add File To Exclude List field.


  2. Click Add File To Exclude List.


  3. The file is added to the list of any excluded files.

Removing a File from the Excluded List

To remove a file from the excluded list, next to the list entry, click Remove File from Exclude List.

The file is removed from the list of any excluded files.

Performing a Security Audit

To perform a real-time security audit of the Server, click Perform A Security Audit Right Now. This typically only takes a few seconds on a lightly used system. When the audit is complete you are presented with a link to view the security audit report.

To view the report, click Click here to view security audit report.

To return to the Security Audit Control Panel page, click Security Audit Control Panel.




Copyright © 2000 Sun Microsystems, Inc.
Some preexisting portions Copyright © 2000 Netscape Communications Corp. All rights reserved.
Last Updated December 04, 2000