1 |
Secure connect certificates |
Use third-party signing certificates like DigiCert, SSL.com, etc. Refer to the QoreStor User Guide for instructions on using third party certificates. |
2 |
Object Container Certificate |
Use third-party signing certificate. Currently Object Container and QS UI use the same certificate. We recommend using different certificates for each service. |
3 |
QS UI Certificate |
Use third-party signing certificate that can be uploaded via UI Dashboard. Refer to the QoreStor User Guide for instructions on using third party certificates. |
4 |
QoreStor default passwords |
The user should change the passwords immediately after installation. Minimum strength policies must be enforced at the time of changing passwords.
Passwords to change:
- backup_user (default OST user)
- UI admin password
- CIFS admin password, if enabled
In addition, Cloud Tier and Archive Tier need passphrases at the time of creation of the storage groups. These passphrases must be treated like passwords from security and strength standpoint. |
5 |
Default port settings and firewall settings |
Quest recommends disabling the network ports that are not needed for customer use cases.
- Quest recommends enabling just the following ports: 9443 (secure connect), 22 (SSH) and 5233 (HTTPS)
- Quest recommends disabling the following ports unless the customer is using the specific functionality: 80 (HTTP), 9000 (S3 objects), 12000-12127 (RDA-NDMP), 9920, 10011, 11000 (OST/RDA without secure connect), 9904, 9911, 9915, 9916 (Replication), 111, 2049 (NFS), 138, 139, 445 (CIFS), 10000, 43000-43040 (NDMP) and 3260 (iSCSI)
- Customers can enable or disable ports using system firewall configuration. Alternatively, customers can use fw_config, a script provided by QoreStor, to manage the port settings. Below are some commands to open ports using fw_config:
To limit the set of open ports to a minimum set
{This implicitly includes the UI port and ssh which is enabled by the OS) |
/opt/qorestor/bin/fw_config -c sc |
To enable ports used for RDCIFS or CIFS |
/opt/qorestor/bin/fw_config -c sc,cifs |
To enable ports used for RDNFS or NFS |
/opt/qorestor/bin/fw_config -c sc,nfs |
To enable ports used for the object container |
/opt/qorestor/bin/fw_config -c sc,object |
To enable ports used for replication from a DR Appliance to the QoreStor server |
/opt/qorestor/bin/fw_config -c sc,oca |
To enable ports used for iSCSI |
/opt/qorestor/bin/fw_config -c sc,iscsi |
To enable ports used for VTL NDMP |
/opt/qorestor/bin/fw_config -c sc,ndmp |
|
NOTE: Ports can be combined if needed. For example, to enable ports for replication from a DR, and RDCIFS, you would use:
/opt/qorestor/bin/fw_config -c sc,cifs,oca | |
6 |
AWS least privileges |
As a general rule, enable only the least set of permissions needed to perform operations on cloud objects.
- Bucket policies: Quest recommends setting RW permissions to users within the account and not give permissions to users outside the account.
- IAM Policies: Batch and Lambda operations use IAM policies to manage access and permissions. Please refer to the QoreStor User Guide for sample policies.
|
7 |
Azure and other SPs least privileges and |
As a general rule, enable only the least set of permissions needed to perform operations on cloud objects. For storage buckets, Quest recommends setting RW permissions to users within the account and not give permissions to users outside the account |
8 |
Network Security Group (NSG) port settings for Azure market place images |
Please refer to Azure market pace deployment guide for recommended NSG settings |
9 |
UI log-in attempts |
Quest recommends monitoring login attempts from UI using events. This will be useful to detect unauthorized login attempts to QoreStor via the UI. Refer to user guide for instructions on event monitoring. |
10 |
Users logged intoQoreStor |
Monitor local users logged into the QoreStor server. Super users can check /var/log/secure for shell logins. |
11 |
Access to external CIFS/NFS shares |
Quest recommends restricting access to CIFS/NFS shares based on IP white-listing. Check QoreStor events for mount access to the shares. |
12 |
Encryption at rest and replication channel encryption |
Quest recommends encryption at rest and encryption of in-flight data (replication channel) using internal keys and SHA256 to secure the backup data. Please refer to the user guide for instructions on how to enable them |
13 |
RDA immutability |
QoreStor version 7.1 and later offers enhanced security using RDA Immutability, which is under integration by DMAs. Please refer to user guide for details on the feature and instructions to enable it. |
14 |
Recycle Bin |
QoreStor version 7.1 and later offers protection against ransomware attacks with Recycle Bin. Please refer to user guide for details on the feature and instructions to enable it. |