Tightening and hardening security on Webconfig
Webconfig comes by default with just enough security to allow the manipulation of ClearOS from most web browsers without additional costs. This exchange of security for convenience does not always have to be present. The following guide will help you tighten Webconfig so that you reduce risk or so you can pass compliance tests related to the ports and services which the web interface provides.
The simple thing
The simplest way to shore up Webconfig from outside attack is to shut down the port after your install. Webconfig is made to be available for the entire web-based install but after you are done you can remove the open port by accessing the incoming firewall rules module Network » Firewall » Incoming and deleting the open port.
This will cause Webconfig to no longer be open on 'External' interfaces when using Gateway mode or 'Standalone mode with firewall'. For those with internal interfaces on a LAN, you can still access the Webconfig interface. If you need to have a way to access Webconfig on an External interface from time to time or on a permanent but more secure basis, read on…
Certificate and web services
One way to increase the robustness of the web interface would be to apply a CA-signed certificate to your server and to update the web services to required better security. This will often cost money or make Webconfig less compatible with other browsers.
Accessing Webconfig through SSH
Several tools exist to harden ClearOS with SSH including the ability to move the port, require certificate-based login, or even monitoring the port for unauthorized users and blocking them (Intrusion Prevention and Attack Detector).
By using SSH, you can then access Webconfig through a few ways.
A text based browser exists in the repos which can be used to access Webconfig while logged in via SSH through a terminal. To install this browser, run the following from command line:
yum --enablerepo=clearos-centos install lynx
From this program you can access webconfig via command line:
Many things in Webconfig won't work well through this browser. But you should be able to add the incoming firewall temporarily or if you can make your change there, then just do it.
You can also just create a tunnel from your local machine to ClearOS. From terminal on Mac or command line on Linux run something similar to the following:
ssh -p 22 email@example.com -L 81:localhost:81
This command will log into your ClearOS server on port 22 and then remap your local workstation's port 81 to port 81 on the ClearOS server from behind the firewall.
For PuTTY or other programs, consult their userguides for creating tunnels in this manner.
From command line you can alternately access the iptables stack to add a firewall rule to permit access to your box. You can create the initial rule in Webconfig using the Custom Firewall App and then disable the rule. Then from command line, you can modify the /etc/clearos/firewall.d/custom file and remove the comment which disables the firewall. Then run:
service firewall restart
Alternately, you can just issue the command from the command line but this can lock you out anytime the ClearOS server reloads the table, which can happen when you make changes or even by ClearOS' internal process.
VPN is another way to have access to the management of the ClearOS Webconfig service without having it open on the outside. If the VPN isn't working, use the SSH as a backup method.
If you have multiple people that need to manipulate ClearOS through the web interface, consider using Administrators in order to accomplish this. This will only give them access to the parts of ClearOS that the group to which they are a member has rights.