
Best practice to harden a linux before installing a STM

New Contributor

Best practice to harden a linux before installing a STM

Hi,

Do you know where I could find everything we have to do to harden a Linux system before installing an STM on it?

Any white paper or experience feedback would be great!

Thanks

Jerome

3 REPLIES
Frequent Contributor

Re: Best practice to harden a linux before installing a STM

Hi Jerome,

Chapters 23 and 24 of the user manual (https://support.riverbed.com/docs/stingray/trafficmanager.htm) describe the secure installation and administration of the Stingray software, with information that will help you firewall off the management ports and traffic (unless you've already configured an explicit management network).

Stingray software places very few requirements on the underlying operating system; other than a base install, the only service that many users leave running is ssh (for remote OS administration). Securing a Stingray host is much like securing any other Linux server (webserver, mail server) and you should be able to find appropriate documentation for your preferred Linux distro.

regards

Owen

New Contributor

Re: Best practice to harden a linux before installing a STM

Thanks Owen,

In addition to securing the access as you mentioned, I found this information:

Deactivate firewall services: iptables and ip6tables (performance reasons)

Deactivation of other services: iptables, ip6tables, irqbalance, cpuspeed, sendmail, isdn, autofs, yum-updatesd, nfslock, avahi-daemon

Many thanks

Have a nice day!

Frequent Contributor

Re: Best practice to harden a linux before installing a STM

Those are wise steps - you can disable almost all services on your Linux host.  For example, on our virtual appliance, the only services other than Stingray are SNMP, NTP (so that you can sync from the Stingray clock) and SSH (for remote administration), and we advise that you firewall these off so that they cannot be accessed from outside your org.

This document, "Tuning Stingray Traffic Manager", and this discussion, "Port scan on a VIP shows UDP port 123 and 161 open", may help too.

Best regards

Owen
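
A check that follows from the thread, as an added example that is not part of the original posts or of the Stingray documentation: once the unneeded services are disabled, list every listening socket that is not on an allowlist. It assumes SSH on its default 22/tcp alongside the 123/udp and 161/udp ports named above; Stingray's own ports are not given on this page and have to be appended to `ALLOWED`, and the sample `ss` output is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): list listening sockets that are not on
# an allowlist, so leftover services show up after the host has been stripped.
# Assumption: SSH on its default 22/tcp; 123/udp and 161/udp are the NTP and
# SNMP ports named in the thread. Stingray's own ports are not given on this
# page; append them to ALLOWED for a real host.
ALLOWED="${ALLOWED:-tcp/22 udp/123 udp/161}"

# Reads `ss -lntu` output on stdin and prints "proto/port address" for every
# non-loopback listener whose proto/port is not in ALLOWED.
audit_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "tcp" || $1 == "udp" {           # also skips the header line
            port = $5; sub(/.*:/, "", port)     # text after the last colon
            addr = $5; sub(/:[^:]*$/, "", addr) # text before the last colon
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            key = $1 "/" port
            if (!(key in ok)) print key, addr
        }'
}

# Constructed sample of `ss -lntu` output, for running the check offline.
sample_listeners() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:123        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      100        127.0.0.1:25         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*
tcp   LISTEN 0      128             [::]:111           [::]:*
EOF
}

# --live audits the current host; --sample runs on the constructed sample.
case "${1:-}" in
    --live)   ss -lntu | audit_listeners ;;
    --sample) sample_listeners | audit_listeners ;;
esac
```

Any line it prints is a listener reachable from the network that the allowlist does not account for; with iptables disabled as described above, nothing on the host itself is filtering it.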