Here is a collection of steps one might take when hardening an OP5 Monitor setup. This article is not an exhaustive list of steps, but a constant work in progress.
Enable Merlin encryption
Starting with version 8.2.0 of OP5 Monitor, we can encrypt the communication between Merlin nodes on an opt-in basis. See the documentation below:
https://docs.itrsgroup.com/docs/op5-monitor/current/topics/install/set-up-encrypted-merlin.html
Remove "test this check" permissions from groups that don't need it
The "test this check" functionality can provide a potential attack surface and should be limited only to the users that need it.
Go to Manage > Configure > Group rights and disable the following categories for users that shouldn't have these permissions:
- Host > Test This Host
- Service > Test This Service
- Command > Test This Command
Disallow dangerous characters in "test this check"
To make "test this check" more secure for the users that need to run it, you may want to prohibit these users from using dangerous characters.
Go to Manage > Configure > Group rights and enable the category:
- Misc > Disallow Dangerous Characters
Install a signed SSL certificate
You can follow this guide to install a new certificate from a proper certificate authority:
Disable non-encrypted SNMP versions
SNMPv3 has support for secure authentication as well as encrypted data transfer. Disable versions 1 and 2c, which do not.
Change /etc/snmp/snmpd.conf to comment out the relevant lines:
#com2sec notConfigUser default securestring
#group notConfigGroup v1 notConfigUser
#group notConfigGroup v2c notConfigUser
Then restart snmpd.
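To confirm that no v1/v2c access remains after the edit, the following check scans an snmpd.conf for active community-based directives. It is an added example, not part of the original article or of OP5 Monitor's tooling. It goes beyond the three lines above by also flagging rocommunity/rwcommunity, and the sample config and the user name exampleuser are constructed.

```shell
#!/bin/sh
# Added example: report snmpd.conf directives that still enable SNMP v1/v2c.
# Prints "<line number>: <directive>" for each active (uncommented) match and
# returns 1 if any are found, 0 if the file is clean.
audit_snmpd_conf() {
    awk '
        function hit() { printf "%d: %s\n", NR, $0; found = 1 }
        # Ignore comments and blank lines (leading whitespace allowed).
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        # Community-based directives are only used for v1/v2c access.
        tolower($1) ~ /^(com2sec6?|rocommunity6?|rwcommunity6?)$/ { hit(); next }
        # group <name> <model> <secname>: models v1 and v2c are unencrypted.
        tolower($1) == "group" && ($3 == "v1" || $3 == "v2c") { hit(); next }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample (not from a real host): one line was left uncommented.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#com2sec notConfigUser default securestring
#group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser
rouser exampleuser priv
EOF

if audit_snmpd_conf "$sample"; then
    echo "OK: no active v1/v2c directives"
else
    echo "FAIL: v1/v2c directives still active (listed above)"
fi
rm -f "$sample"
```

On a real system, call audit_snmpd_conf with /etc/snmp/snmpd.conf as its argument.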