# X-Road: Security hardening guidelines
Version: 0.4
Doc. ID: UG-SEC
# Version history
Date | Version | Description | Author |
---|---|---|---|
02.06.2023 | 0.1 | Initial version | Ričardas Bučiūnas |
24.08.2023 | 0.2 | Minimum supported client Security Server version | Eneli Reimets |
14.11.2023 | 0.3 | Publish global configuration over HTTPS | Eneli Reimets |
15.12.2023 | 0.4 | Minor updates | Eneli Reimets |
# Table of Contents
- License
- 1. Introduction
- 2. User Management
- 3. Admin UI (Central Server and Security Server)
- 4. Access control
- 5. Publish global configuration over HTTPS
# License
This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/.
# 1. Introduction
You may want to harden the security of your X-Road instance by configuring additional security policies within your X-Road infrastructure. The security measures that are introduced in this guide are common security policies that can be configured on operating system level.
# 1.1 Target Audience
The intended audience of this User Guide are X-Road administrators (Central or Security server) who are responsible for X-Road instance set-up and/or everyday management of the X-Road infrastructure.
# 1.2 Terms and abbreviations
See X-Road terms and abbreviations documentation [TA-TERMS].
# 1.3 References
- [IG-CS] X-Road: Central Server Installation Guide. Document ID: IG-CS.
- [UG-CS] X-Road: Central Server User Guide. Document ID: UG-CS.
- [IG-SS] X-Road: Security Server Installation Guide. Document ID: IG-SS.
- [UG-SS] X-Road: Security Server User Guide. Document ID: UG-SS.
- [UG-SYSPAR] X-Road: System Parameters User Guide. Document ID: UG-SYSPAR.
- [TA-TERMS] X-Road Terms and Abbreviations. Document ID: TA-TERMS.
- [UG-CP] X-Road: Configuration Proxy Manual. Document ID: UG-CP.
# 2 User management
X-Road uses the Linux Pluggable Authentication Modules (PAM) to authenticate users. This makes it easy to configure the account management to your liking. The example PAM configurations provided in this guide may or may not work on your system depending on your system and existing PAM configurations. Note that editing the PAM configurations will take effect immediately without the need to restart anything.
For configuring the following security policies for the X-Road components Admin UI in production, please refer to The Linux-PAM System Administrator's Guide (opens new window) for the full documentation on how to configure PAM.
# 2.1 Configuring account lockout
Configuring an account lockout policy in your Admin UI authentication will provide an extra layer of defence against password guessing attacks, such as brute force attacks. After configuring the account lockout, when trying to log in to the Admin UI with a locked account, the login screen will display a generic login error without disclosing the reason or any other login information.
The PAM service to configure the account lockout to is xroad
.
# 2.1.1 Considerations and risks
After enabling the account lockout for the X-Road component, you should be aware that a user can lock out any other user's account if they know the correct username.
# 2.1.2 Account lockout examples
The example configurations will lock the user's account, preventing login to the Admin UI for 15 minutes (I.e. 900 seconds) after they provide a wrong password in the Admin UI login three (3) consecutive times. This configuration also affects the root account.
Example on Ubuntu
Create a new configuration /etc/pam.d/xroad
with the following content:
auth required pam_tally2.so deny=3 even_deny_root unlock_time=900 file=/var/lib/xroad/tallylog
@include common-auth
account required pam_tally2.so
@include common-account
password required pam_deny.so
session required pam_deny.so
Example on RHEL
On RHEL systems, the /etc/pam.d/xroad
file ships with the installation package so you need to modify the existing file. Replace the /etc/pam.d/xroad
contents with the following:
#%PAM-1.0
auth required pam_tally2.so deny=3 even_deny_root unlock_time=900 file=/var/lib/xroad/tallylog
auth required pam_unix.so
account required pam_tally2.so
account required pam_unix.so
password required pam_deny.so
password required pam_warn.so
session required pam_deny.so
# 2.2 Configuring password policies
Configuring a password policy in your Admin UI authentication will provide an additional layer of defence against password guessing attacks, such as password spraying.
User account passwords cannot be changed directly from the Admin UI, therefore the password policy must be configured on operating system user account level. The method of adding a new password policy varies significantly depending on your operating system, existing PAM configuration and authentication protocol.
For instruction on how to add password policies, please refer to your operating system's official documentation or customer support.
# 2.2.1 Considerations and risks
In a strong password, it is advisable to have at least 16 characters at minimum. You can also add complexity requirements, such as numbers and special characters, but these requirements can make the passwords more difficult for users to remember. Further additional measures could be to add commonly known passwords into a blocklist.
# 2.3 Ensuring User Account Security
Users of the web application are created by creating operating-system-level users. This means that a user can access the web application and the underlying operating system with the same credentials. Therefore, if user accounts in the web application were compromised, the attacker could use those credentials to log into the server via SSH if credential-based logging in is not disabled.
To harden the user account security, make sure that users are not allowed to access the server via SSH by default. The users needing SSH access are granted those rights separately.
Create a user group in which users are allowed to connect to the server via SSH while all other users are denied.
Add users which should have SSH access to newly created group.
Add the following line to
/etc/ssh/sshd_config
:AllowGroups <group_to_allow>
Restart the SSH service:
sudo systemctl restart sshd
It is also recommended to disable SSH password login and allow key-based authentication only. Before this modification, add users' public keys to the server. Edit /etc/ssh/sshd_config
and add the following lines:
ChallengeResponseAuthentication no
PasswordAuthentication no
Restart the SSH service once again:
sudo systemctl restart sshd
In addition, the users should be prevented from logging in to the system. This can be achieved by issuing the following command on Ubuntu:
usermod -s /bin/false user
On RHEL, the corresponding command is:
usermod -s /sbin/nologin user
The system administrator should also implement a monitoring and alerting system regarding anomalous logins.
# 3. Admin UI (Central Server and Security Server)
# 3.1 Host header injection mitigation
The host header specifies which website or web application should process an incoming HTTP request. The web server uses the value of this header to dispatch the request to the specified website or web application.
By default, this header allows any value which would be a security risk if Admin UI could be accessed by bad actors. To mitigate this issue it suggested to configure allowed-hostnames
as described in UG-SYSPAR.
For Security server refer to proxy-ui-api, for Central server refer to admin-service
# 4. Access control
# 4.1 Minimum Supported Client Security Server Version
To increase the security of the X-Road ecosystem, it is recommended to limit the minimum version of the client Security Server that is allowed to access a service.
On the service provider side, the Security Server administrator can limit the minimum client version by configuring the system parameter server-min-supported-client-version
as described in UG-SYSPAR section 3.2 Proxy parameters.
For example, setting the value server-min-supported-client-version = 7.3.1
means that client Security Server version should be at least 7.3.1
:
[proxy]
server-min-supported-client-version = 7.3.1
# 5. Publish global configuration over HTTPS
Starting from X-Road version 7.4, it is possible to publish global configuration over HTTPS using a TLS certificate issued by a trusted CA. The CA must be trusted by the Security Server's Java installation. See the Central Server User Guide UG-CS for details.
# 5.1 Central Server TLS configuration
To configure the Central Server to use a certificate issued by a trusted CA for serving global configurations over HTTPS follow "Central Server Installation Guide" IG-CS section "Configuring TLS Certificates".
# 5.2 Configuration Proxy TLS configuration
To configure the Configuration Proxy to use a certificate issued by a trusted CA follow "Configuration Proxy Manual" UG-CP section "Configuring TLS Certificates".
# 5.3 Security Server TLS configuration
The TLS certificate used by the global configuration endpoint must be signed by a trusted CA (one trusted by the JAVA installation).
If the certificate isn't trusted by the Security Server's JAVA installation by default, it can be manually added to the system truststore by following the steps below:
Example on Ubuntu 20.04 / 22.04
Copy the .crt
file (PEM) into the /usr/local/share/ca-certificates
folder.
Run sudo update-ca-certificates
.
Example on RHEL 7 / 8 / 9
Copy the .crt
file (PEM or DER) into the /etc/pki/ca-trust/source/anchors
folder.
Run sudo update-ca-trust extract
.
It is possible to disable the verification of the global configuration endpoint’s TLS certificate via system properties. The verification may be disabled in test and development environments. Instead, the verification must always be enabled in production environments. System parameters are specified in the UG-SYSPAR section "Configuration Client parameters: [configuration-client]".