ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Production KVM server "hardening"?

    Scheduled Pinned Locked Moved IT Discussion
    22 Posts 7 Posters 2.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller @1337
      last edited by

      @Pete-S said in Production KVM server "hardening"?:

      Thanks! My intention was to put the management network behind a VPN - with MFA for human access.

      We go farther and don't enable SSH. We use reach out, rather than reach in. It's more secure, extremely hard to attack.

      1 Reply Last reply Reply Quote 1
      • 1
        1337 @scottalanmiller
        last edited by 1337

        @scottalanmiller said in Production KVM server "hardening"?:

        @Pete-S said in Production KVM server "hardening"?:

        Thanks! My intention was to put the management network behind a VPN - with MFA for human access.

        Doesn't do anything. SSH is already in a VPN. MFA is great, but just add that to SSH. VPN won't add anything to SSH, but it risks the feeling that you can use it for other things and it tends to become the point of risk.

        VPN is used to get access to the private network. Servers are not accessible from internet. So there is no way to use ssh without first having access to the private network.

        So double encryption was just a by-product.

        scottalanmillerS 2 Replies Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller @1337
          last edited by

          @Pete-S said in Production KVM server "hardening"?:

          @scottalanmiller said in Production KVM server "hardening"?:

          @Pete-S said in Production KVM server "hardening"?:

          Thanks! My intention was to put the management network behind a VPN - with MFA for human access.

          Doesn't do anything. SSH is already in a VPN. MFA is great, but just add that to SSH. VPN won't add anything to SSH, but it risks the feeling that you can use it for other things and it tends to become the point of risk.

          VPN is used to get access to the private network. Servers are not accessible from internet. So there is no way to use ssh without first having access to the private network.

          So double encryption was just a byproduct.

          I get that. My point was that you'd get the same security without the private network or the VPN. They only give an illusion of additional security, but cause a lot more effort and more effort often results in work arounds.

          If keep SSH from being access to only places that can access the VPN, you get all the benefits that you have with the VPN at a fraction of the effort both up front and in utilization. VLANs and VPNs sound like they are providing additional security but in a case like this, I don't see it actually adding anything. It's just that people typically lock down a VPN in one way and SSH in another, but if you apply the combined rules just to the SSH to get easy to use, with all of the security.

          1 1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller @1337
            last edited by

            @Pete-S said in Production KVM server "hardening"?:

            VPN is used to get access to the private network. Servers are not accessible from internet.

            This is the part that is weird. Like.... if we look at it from the outside, it's the same...

            Step One: Access exposed port
            Step Two: Access server

            That behind the scenes it's a private network is irrelevant to someone attempting to access it. In both cases it's a published port that is heavily locked down with encryption and MFA. If you want, you can call the SSL layer of SSH a VPN (it literally is, in every sense) and you can call the inside of that tunnel a private network (it is in any meaningful sense) and voila, the two thigns are the same other than the double encryption which isn't "bad" but isn't beneficial either (typically.)

            A bit of pain, no gain. But putting on my security auditor's hat.... it's a bit of "making people annoyed at pointless security" which is, itself, a huge security hole that creates risk. When you make security too onerous, and especially if there is no security justification for it, you typically create both a business need and an emotional desire to circumvent the security.

            DashrenderD 1 Reply Last reply Reply Quote 1
            • scottalanmillerS
              scottalanmiller
              last edited by

              For example, when IT firms are forced to use VPNs to customers, they often circumvent them by making shared machines that have the VPNs open all of the time taking something that "seems" like it would increase security and causing it to be a big opening because they have a job to do and to secure themselves they don't want the expose to themselves of the VPN.

              In nearly all cases, over time, I see VPNs being used to circumvent the very security people thought that they were in place to create.

              1 Reply Last reply Reply Quote 0
              • 1
                1337 @scottalanmiller
                last edited by

                @scottalanmiller said in Production KVM server "hardening"?:

                I get that. My point was that you'd get the same security without the private network or the VPN. They only give an illusion of additional security, but cause a lot more effort and more effort often results in work arounds.

                Yeah, I agree. Anyway, I don't want to go down the rabbit hole of network design specifics at this time. Might circle back to that later though.

                My primary concern right now is if there are any special configuration needed to run pure minimal linux KVM virtualization hosts in production in a responsible manner.

                scottalanmillerS 1 Reply Last reply Reply Quote 1
                • scottalanmillerS
                  scottalanmiller @1337
                  last edited by

                  @Pete-S said in Production KVM server "hardening"?:

                  My primary concern right now is if there are any special configuration needed to run pure minimal linux KVM virtualization hosts in production in a responsible manner.

                  Nothing too specific. Very much just general Linux hardening which is just general systems hardening.

                  1 Reply Last reply Reply Quote 1
                  • DashrenderD
                    Dashrender @scottalanmiller
                    last edited by

                    @scottalanmiller said in Production KVM server "hardening"?:

                    @Pete-S said in Production KVM server "hardening"?:

                    VPN is used to get access to the private network. Servers are not accessible from internet.

                    This is the part that is weird. Like.... if we look at it from the outside, it's the same...

                    Step One: Access exposed port
                    Step Two: Access server

                    That behind the scenes it's a private network is irrelevant to someone attempting to access it. In both cases it's a published port that is heavily locked down with encryption and MFA. If you want, you can call the SSL layer of SSH a VPN (it literally is, in every sense) and you can call the inside of that tunnel a private network (it is in any meaningful sense) and voila, the two thigns are the same other than the double encryption which isn't "bad" but isn't beneficial either (typically.)

                    A bit of pain, no gain. But putting on my security auditor's hat.... it's a bit of "making people annoyed at pointless security" which is, itself, a huge security hole that creates risk. When you make security too onerous, and especially if there is no security justification for it, you typically create both a business need and an emotional desire to circumvent the security.

                    Doesn't his setup allow for two different authentications to be required? Assuming I'm right there, wouldn't that be another layer?
                    i.e. layer one creds (cert likely) at VPN
                    layer two creds (cert likely) at SSH

                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @Dashrender
                      last edited by

                      @Dashrender said in Production KVM server "hardening"?:

                      Doesn't his setup allow for two different authentications to be required? Assuming I'm right there, wouldn't that be another layer?
                      i.e. layer one creds (cert likely) at VPN
                      layer two creds (cert likely) at SSH

                      Yes, it has MFA. But you can have MFA on just SSH too. So while yes, you are correct that it does that, but not that it adds something special.

                      DashrenderD 1 Reply Last reply Reply Quote 0
                      • DashrenderD
                        Dashrender @scottalanmiller
                        last edited by

                        @scottalanmiller said in Production KVM server "hardening"?:

                        @Dashrender said in Production KVM server "hardening"?:

                        Doesn't his setup allow for two different authentications to be required? Assuming I'm right there, wouldn't that be another layer?
                        i.e. layer one creds (cert likely) at VPN
                        layer two creds (cert likely) at SSH

                        Yes, it has MFA. But you can have MFA on just SSH too. So while yes, you are correct that it does that, but not that it adds something special.

                        Well - MFA adds a third thing to the list of what I said.

                        scottalanmillerS 1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller @Dashrender
                          last edited by

                          @Dashrender said in Production KVM server "hardening"?:

                          @scottalanmiller said in Production KVM server "hardening"?:

                          @Dashrender said in Production KVM server "hardening"?:

                          Doesn't his setup allow for two different authentications to be required? Assuming I'm right there, wouldn't that be another layer?
                          i.e. layer one creds (cert likely) at VPN
                          layer two creds (cert likely) at SSH

                          Yes, it has MFA. But you can have MFA on just SSH too. So while yes, you are correct that it does that, but not that it adds something special.

                          Well - MFA adds a third thing to the list of what I said.

                          No, it's already MFA. MFA is not an additional thing. You literally said "doesn't this allow for two different authentications", that's literally MFA.

                          DashrenderD 1 Reply Last reply Reply Quote 0
                          • DashrenderD
                            Dashrender @scottalanmiller
                            last edited by

                            @scottalanmiller said in Production KVM server "hardening"?:

                            @Dashrender said in Production KVM server "hardening"?:

                            @scottalanmiller said in Production KVM server "hardening"?:

                            @Dashrender said in Production KVM server "hardening"?:

                            Doesn't his setup allow for two different authentications to be required? Assuming I'm right there, wouldn't that be another layer?
                            i.e. layer one creds (cert likely) at VPN
                            layer two creds (cert likely) at SSH

                            Yes, it has MFA. But you can have MFA on just SSH too. So while yes, you are correct that it does that, but not that it adds something special.

                            Well - MFA adds a third thing to the list of what I said.

                            No, it's already MFA. MFA is not an additional thing. You literally said "doesn't this allow for two different authentications", that's literally MFA.

                            Well then I meant three - the first logon to VPN (which is actually two verifications - creds and MFA) and then a - well I guess - third which is creds to SSH.

                            scottalanmillerS 1 Reply Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller @Dashrender
                              last edited by

                              @Dashrender said in Production KVM server "hardening"?:

                              @scottalanmiller said in Production KVM server "hardening"?:

                              @Dashrender said in Production KVM server "hardening"?:

                              @scottalanmiller said in Production KVM server "hardening"?:

                              @Dashrender said in Production KVM server "hardening"?:

                              Doesn't his setup allow for two different authentications to be required? Assuming I'm right there, wouldn't that be another layer?
                              i.e. layer one creds (cert likely) at VPN
                              layer two creds (cert likely) at SSH

                              Yes, it has MFA. But you can have MFA on just SSH too. So while yes, you are correct that it does that, but not that it adds something special.

                              Well - MFA adds a third thing to the list of what I said.

                              No, it's already MFA. MFA is not an additional thing. You literally said "doesn't this allow for two different authentications", that's literally MFA.

                              Well then I meant three - the first logon to VPN (which is actually two verifications - creds and MFA) and then a - well I guess - third which is creds to SSH.

                              But then add three to SSH. Using totally unrelated technologies to layer authentication is valid, but a weird brute force method to get there. If your goal is just MFA, just do MFA in an elegant, efficient, easy way. Want two factor, do a key and passkey. Want a third, add Duo or Google Auth or Authy. Want a forth, text your phone or send an email. Want a fifth, do whatever forth one you didn't do. Want a sixth, have a script check that you are clocked in and at your desk. Want a seventh, do IP locking.

                              You can get more MFA factors from any one mechanism than you can use. VPN is often used to get MFA without someone realizing that that is what they were trying to accomplish or without realizing that that is where they are seeing the benefit. And because of that, because it's often done without any evaluation of what is really wanted, it rarely fits the need well. Is it MFA? Yes. Is it a good way to get that MFA? Not really. It's okay, but it isn't great. Lots of overhead to do something fundamentally pretty simple. And it makes the MFA location dependent (in most deployments.) You can bypass the MFA by changing your physical location. In most companies that do this, because they don't realize it is MFA that they are trying to do, they make it really easy to bypass the MFA for most people.

                              1 Reply Last reply Reply Quote 0
                              • ObsolesceO
                                Obsolesce @1337
                                last edited by

                                @Pete-S said in Production KVM server "hardening"?:

                                I'm thinking about running pure KVM on debian for virtualization hosts. Not Proxmox. There will be no GUI on the servers, no web interface, only ssh for management.

                                Do I need to do anything special to lock down the security?

                                I've never used KVM in production, only on my desktop and then I've had virt-manager as well as tools like virtsh. So I don't really know what is required for a pure KVM server to be as "secure" as proxmox, xcp-ng or whatever.

                                Keep the OS and everything updated. Keep drivers updated. Keep firmware updated. Use only key-based auth for SSH, add only specific devices to authorized_keys file. Ensure firewall configured well. Set up log alerts for access.

                                1 Reply Last reply Reply Quote 1
                                • 1
                                • 2
                                • 1 / 2
                                • First post
                                  Last post