Showing posts from March, 2017

Securing Openshift Origin Nodes

Background

We deployed an OpenShift Origin cluster based on the Origin Milestone 4 release. When a security assessment was performed on several of the applications in the cluster, some issues cropped up that needed further remediation. Some were related to application code; others were related to the OpenShift node configuration, which is what we discuss here.

SSH issues

One of the issues is SSH weak algorithm support. To remediate it, we restrict the algorithms sshd offers by adding the following lines to /etc/ssh/sshd_config:

    # mitigation for security assessment finding: SSH weak algorithm support
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr
    MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com

Check the file with sshd -t before restarting sshd, and confirm the effective settings afterwards with sshd -T | grep -iE '^(ciphers|macs) '. sshd takes the first occurrence of a directive it reads, so an earlier Ciphers or MACs line elsewhere in the file (or an included one) would silently win over these; put them where they are the only occurrence. Keep an existing session open while you restart, in case the new list leaves nothing your clients can negotiate. Note also that hmac-sha1 and hmac-ripemd160 are themselves reported as weak by newer scanners, and hmac-ripemd160 has since been removed from OpenSSH; where the installed OpenSSH supports them, prefer hmac-sha2-256 and hmac-sha2-512 (and their -etm@openssh.com variants).

SSL issues

The other issue is related to the SSL cipher suites offered by the node's httpd. 3DES is no longer considered secure (its 64-bit block size makes it vulnerable to the Sweet32 birthday attack), so we tweak /etc/httpd/conf.d/000001_openshift_origin_node.conf (line 63) by adding !3DES:!DES-CBC3-SHA to the SSLCipherSuite directive. An entry prefixed with ! removes those suites from the list permanently, whatever position it is placed at, so it can simply be appended. The directive starts out as:

    SSLCipherSuite kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECD

Validate with apachectl configtest and restart httpd. Then confirm the change took effect: openssl ciphers -v '<the full SSLCipherSuite string>' should list no 3DES suite, and openssl s_client -connect <node>:443 -cipher DES-CBC3-SHA should fail to complete the handshake.
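The SSH fix above restricts two directives by hand and trusts that the scanner's list was complete. As an added example (not code from the original post or from OpenShift), here is a POSIX shell script that audits an sshd_config for the algorithm families scanners commonly report as weak (CBC ciphers, RC4, 3DES, MD5-based and 96-bit-truncated MACs, SHA-1 group1/group-exchange key exchange) and writes a copy with hardened Ciphers, MACs and KexAlgorithms lines. It goes beyond the post's two-directive fix by covering key exchange as well. The weak lists, the hardened lines and the sample config are this example's own choices, not the assessment's findings; the hardened names need a reasonably current OpenSSH, so run sshd -t on the output before restarting sshd.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config for
# weak algorithms and write a hardened copy. The weak lists and hardened
# lines below are this example's choices, not the scanner's exact list.

# Algorithm families scanners commonly report as weak: CBC-mode ciphers, RC4,
# 3DES, MD5-based and 96-bit-truncated MACs, SHA-1 group1/group-exchange KEX.
WEAK_CIPHERS='3des-cbc aes128-cbc aes192-cbc aes256-cbc arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc'
WEAK_MACS='hmac-md5 hmac-md5-96 hmac-sha1-96 hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com hmac-sha1-96-etm@openssh.com'
WEAK_KEX='diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1'

# Write a constructed sample sshd_config (not taken from any real node) to $1.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 22
Ciphers aes128-cbc,3des-cbc,aes256-ctr,arcfour
MACs hmac-md5,hmac-sha1-96,hmac-sha2-256
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
EOF
}

# Print the value of directive $2 in file $1. Directive names are
# case-insensitive and comment lines never match; if the directive appears
# more than once, the last value seen is reported.
get_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { val = $2 } END { print val }' "$1"
}

# Print each item of the comma-separated list $1 that is in the weak set $2.
find_weak() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        for weak in $2; do
            if [ "$item" = "$weak" ]; then printf '%s\n' "$item"; fi
        done
    done
}

weak_ciphers_in() { find_weak "$(get_directive "$1" Ciphers)" "$WEAK_CIPHERS"; }
weak_macs_in()    { find_weak "$(get_directive "$1" MACs)" "$WEAK_MACS"; }
weak_kex_in()     { find_weak "$(get_directive "$1" KexAlgorithms)" "$WEAK_KEX"; }

# Hardened directives (AEAD/CTR ciphers, SHA-2 MACs, curve25519 and large
# DH groups). These names need a reasonably current OpenSSH; run sshd -t
# on the result before restarting sshd.
hardened_lines() {
    printf 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\n'
    printf 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256\n'
    printf 'KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256\n'
}

# Copy $1 to $2, dropping every Ciphers/MACs/KexAlgorithms line (so no other
# occurrence can override the fix) and appending the hardened directives.
write_hardened() {
    awk 'tolower($1) != "ciphers" && tolower($1) != "macs" && tolower($1) != "kexalgorithms"' "$1" > "$2"
    hardened_lines >> "$2"
}

# Demo: audit the constructed sample, then show the hardened copy is clean.
cfg=$(mktemp); fixed=$(mktemp)
make_sample_config "$cfg"
echo "weak ciphers: $(weak_ciphers_in "$cfg" | tr '\n' ' ')"
echo "weak MACs:    $(weak_macs_in "$cfg" | tr '\n' ' ')"
echo "weak KEX:     $(weak_kex_in "$cfg" | tr '\n' ' ')"
write_hardened "$cfg" "$fixed"
echo "after fix:    $(weak_ciphers_in "$fixed")$(weak_macs_in "$fixed")$(weak_kex_in "$fixed")(none)"
rm -f "$cfg" "$fixed"
```

Run it against a copy of the node's real /etc/ssh/sshd_config rather than the live file, diff the output, and only then install it; if sshd -t rejects one of the hardened names, the node's OpenSSH predates it and the list must be trimmed to what that version supports.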