Chat now with support
Chat with Support

QoreStor 7.1.2 - User Guide

Introducing QoreStor Accessing QoreStor Configuring QoreStor settings
Licensing QoreStor Configuring SAML Configuring an SSL Certificate for your QoreStor System Configuring Active Directory settings Understanding system operation scheduling Configuring share-level security for CIFS shares Configuring Secure Connect Enabling MultiConnect Configuring and using Rapid NFS and Rapid CIFS Configuring and using VTL Configuring and Using Encryption at Rest Configuring and using the Recycle Bin Configuring Cloud Reader Configuring RDA immutability
Managing containers Managing local storage Managing cloud storage Managing replications Managing users Monitoring the QoreStor system Managing QoreStor remotely Support, maintenance, and troubleshooting Security recommendations guide About us

Deleting a Diagnostics Log File

To delete an existing diagnostics log file from the Diagnostics summary table on the Diagnostics page, complete the following:

  1. Select Diagnostics.
  2. Click Select to select the diagnostics file you want to delete, and click Delete.
  3. Click OK to delete the selected diagnostics log file (or click Cancel to display the Diagnostics page).

Troubleshooting error conditions

To troubleshoot error conditions that disrupt your normal QoreStor operations, complete the following:

  1. Generate a QoreStor diagnostics log file bundle if one has not already been automatically created.

    For more information, see Generating a diagnostics log file .

  2. Check the system alert and system event messages to determine the current status of your QoreStor system.
  3. Verify if the QoreStor system has recovered or whether it has entered into Maintenance mode.
  4. If you cannot resolve the issue using the information in this QoreStor documentation, contact Quest Technical Support.

Excluding QoreStor directories from antivirus scans

Antivirius software can disable processes or cause files in the QoreStor server and corresponding repositories to be quarantined, causing a QoreStor system to go offline, go into maintenance mode, and initiate a filesystem scan in which there will be data loss. Antivirus software incorrectly identifies files in the datastore as viruses and quarantines or deletes them according to the antiviruses rule set. To avoid this issue, see the complete list of the processes and directories that you should exclude from antivirus scans at Antivirus exclusions for QoreStor.

Security recommendations guide

The following table describes the recommendations Quest offers for specific security scenarios.

Table 10: Security recommendations

Sr. No.

Asset

Recommendation

1

Secure connect certificates

Use third-party signing certificates like DigiCert, SSL.com, etc. Refer to the QoreStor User Guide for instructions on using third party certificates.

2

Object Container Certificate

Use third-party signing certificate. Currently Object Container and QS UI use the same certificate. We recommend using different certificates for each service.

3

QS UI Certificate

Use third-party signing certificate that can be uploaded via UI Dashboard. Refer to the QoreStor User Guide for instructions on using third party certificates.

4

QoreStor default passwords

The user should change the passwords immediately after installation. Minimum strength policies must be enforced at the time of changing passwords.

Passwords to change:

  • backup_user (default OST user)
  • UI admin password
  • CIFS admin password, if enabled

In addition, Cloud Tier and Archive Tier need passphrases at the time of creation of the storage groups. These passphrases must be treated like passwords from security and strength standpoint.

5

Default port settings and firewall settings

Quest recommends disabling the network ports that are not needed for customer use cases.

  • Quest recommends enabling just the following ports: 9443 (secure connect), 22 (SSH) and 5233 (HTTPS)
  • Quest recommends disabling the following ports unless the customer is using the specific functionality: 80 (HTTP), 9000 (S3 objects), 12000-12127 (RDA-NDMP), 9920, 10011, 11000 (OST/RDA without secure connect), 9904, 9911, 9915, 9916 (Replication), 111, 2049 (NFS), 138, 139, 445 (CIFS), 10000, 43000-43040 (NDMP) and 3260 (iSCSI)
  • Customers can enable or disable ports using system firewall configuration. Alternatively, customers can use fw_config, a script provided by QoreStor, to manage the port settings. Below are some commands to open ports using fw_config:

To limit the set of open ports to a minimum set

{This implicitly includes the UI port and ssh which is enabled by the OS)

/opt/qorestor/bin/fw_config -c sc

To enable ports used for RDCIFS or CIFS

/opt/qorestor/bin/fw_config -c sc,cifs

To enable ports used for RDNFS or NFS

/opt/qorestor/bin/fw_config -c sc,nfs

To enable ports used for the object container

/opt/qorestor/bin/fw_config -c sc,object

To enable ports used for replication from a DR Appliance to the QoreStor server

/opt/qorestor/bin/fw_config -c sc,oca

To enable ports used for iSCSI

/opt/qorestor/bin/fw_config -c sc,iscsi

To enable ports used for VTL NDMP

/opt/qorestor/bin/fw_config -c sc,ndmp

NOTE: Ports can be combined if needed. For example, to enable ports for replication from a DR, and RDCIFS, you would use:

/opt/qorestor/bin/fw_config -c sc,cifs,oca

6

AWS least privileges

As a general rule, enable only the least set of permissions needed to perform operations on cloud objects.

  • Bucket policies: Quest recommends setting RW permissions to users within the account and not give permissions to users outside the account.
  • IAM Policies: Batch and Lambda operations use IAM policies to manage access and permissions. Please refer to the QoreStor User Guide for sample policies.

7

Azure and other SPs least privileges and

As a general rule, enable only the least set of permissions needed to perform operations on cloud objects. For storage buckets, Quest recommends setting RW permissions to users within the account and not give permissions to users outside the account

8

Network Security Group (NSG) port settings for Azure market place images

Please refer to Azure market pace deployment guide for recommended NSG settings

9

UI log-in attempts

Quest recommends monitoring login attempts from UI using events. This will be useful to detect unauthorized login attempts to QoreStor via the UI. Refer to user guide for instructions on event monitoring.

10

Users logged intoQoreStor

Monitor local users logged into the QoreStor server. Super users can check /var/log/secure for shell logins.

11

Access to external CIFS/NFS shares

Quest recommends restricting access to CIFS/NFS shares based on IP white-listing. Check QoreStor events for mount access to the shares.

12

Encryption at rest and replication channel encryption

Quest recommends encryption at rest and encryption of in-flight data (replication channel) using internal keys and SHA256 to secure the backup data. Please refer to the user guide for instructions on how to enable them

13

RDA immutability

QoreStor version 7.1 and later offers enhanced security using RDA Immutability, which is under integration by DMAs. Please refer to user guide for details on the feature and instructions to enable it.

14

Recycle Bin

QoreStor version 7.1 and later offers protection against ransomware attacks with Recycle Bin.  Please refer to user guide for details on the feature and instructions to enable it.

 

 

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating