- What is your experience, and setup, for a public OOD instance?
The OSC OOD instance and Keycloak are all on what is essentially a DMZ network; the only firewall between those instances and the internet is iptables, but port 443 is pretty much wide open except for a few bad-actor denials we maintain.
- When making Keycloak public what additional security measures, to the base installation, did you make?
We don’t do much, just protect with SSL behind Apache and Keycloak itself only listens on localhost and is served up by Apache. We enable Duo so some users and most staff are required to use two factor authentication.
- When making OOD public what additional security measures, to the base installation, did you make?
Just using SSL, and it only authenticates with Keycloak.
- Is there any additional hardening that you did on the host OS?
No one can log into the VMs via SSH but a select number of staff; this is handled by pam_access. The only ports open through iptables are what's absolutely necessary, like port 443. Port 22 is only open to OSC bastion servers, which are our points of entry into all other systems, and those bastion hosts require Duo two-factor authentication. We use Puppet to avoid rogue config changes opening things up and also to ensure any rogue firewall rules or sudo entries are deleted if not defined in Puppet.
- Are you using selinux on the keycloak or OOD server?
We don’t use SELinux.
- Do you have any advice or recommendations?
If you can shore up the application and host security so you are certain the only people who can log in are your staff and users, then the next thing is ensuring users have to change passwords on a regular basis and have some amount of complexity to those passwords. You can't always prevent users from getting hacked if they use a password known to the internet due to data breaches, so you just have to ensure that if a user's account is compromised, they are the only people affected. We require users to change passwords every 180 days and can't reuse passwords. Staff have to change passwords every 90 days and can't reuse passwords.
@jeff.ohrstrom - We are not behind any F5 equipment, our VMs are pretty much on the internet with nothing between the VM and internet. At some point in the future we will go behind Juniper SRX firewalls but that’s a ways down the road.
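The host firewall described in the reply above (only 443 open to the world, 22 only from the bastion hosts, SSH logins limited to staff via pam_access), as an added example that is not part of the original post and not OSC's actual configuration. It renders that ruleset in iptables-restore format and, more usefully, audits an `iptables-save` dump for the kind of drift the reply says Puppet is there to catch: an INPUT policy other than DROP, or an ACCEPT rule that admits a TCP/UDP port other than 443 without a `-s` restriction. The bastion range `192.0.2.0/24` (a documentation-only range) and the group name `ood-admins` are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post or OSC's configuration.
# ASSUMPTIONS: bastion range 192.0.2.0/24 and group "ood-admins" are placeholders.

BASTION_CIDR="${BASTION_CIDR:-192.0.2.0/24}"

# Emit a ruleset in iptables-restore format for the given bastion CIDR:
# default DROP, loopback, established flows, ICMP, 443 from anywhere,
# 22 only from the bastion hosts.
render_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -s $1 -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# /etc/security/access.conf lines for pam_access (loaded from the sshd PAM
# stack): permit one staff group, deny everyone else.
render_access_conf() {
  printf '+ : (%s) : ALL\n- : ALL : ALL\n' "$1"
}

# Audit iptables-save text on stdin. Prints each offending line and returns 1
# if the INPUT policy is not DROP, or if any INPUT ACCEPT rule for tcp/udp has
# no -s restriction and is not limited to the allowed port. A rule with a
# protocol but no --dport opens every port of that protocol and is flagged too.
# Usage on a live host: iptables-save | audit_rules 443
audit_rules() {
  awk -v allowed="$1" '
    BEGIN { bad = 0 }
    /^:INPUT/ {
      if ($2 != "DROP") { print "INPUT policy is " $2 ", expected DROP"; bad = 1 }
    }
    /^-A INPUT / && /-j ACCEPT/ {
      src = ""; port = ""; proto = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-s") src = $(i + 1)
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport" || $i == "--dports") port = $(i + 1)
      }
      if (src != "") next                         # source-restricted: fine
      if (proto != "tcp" && proto != "udp") next  # lo, conntrack, icmp rules
      if (port != allowed) {
        print "opens " (port == "" ? "all " proto " ports" : "port " port) " to the internet: " $0
        bad = 1
      }
    }
    END { exit bad }'
}

# Constructed sample of a drifted host: someone opened port 22 to everyone.
DRIFTED_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

demo() {
  printf 'Rendered rules:\n'; render_rules "$BASTION_CIDR"
  printf '\nAccess control:\n'; render_access_conf ood-admins
  printf '\nAuditing drifted ruleset:\n'
  printf '%s\n' "$DRIFTED_RULES" | audit_rules 443 || printf 'audit FAILED (expected)\n'
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run `sh firewall.sh demo` to see the rendered rules and the audit catching the rogue port 22 rule. On a real host, `render_rules 10.0.0.0/24 | iptables-restore --test` syntax-checks the ruleset without loading it, and `iptables-save | audit_rules 443` (plus the same for `ip6tables-save`) makes a cheap cron or Puppet-side check that nothing has opened a port beyond 443 to the internet since the last run.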