This is a guideline to walk you through the NSC - Nodegrid Serial Console's configuration pages to enable advanced security features (secure mode), assuming the start point of the configuration is the factory default.
Step 1 - Change the default administrative user's password
- from a browser, log in to the NSC web interface as admin.
- click on the user name (admin@nodegrid) at the top right-hand side of the page.
- then click on 'Change Password'.
- enter the current password and the new password. Save.
- log out and log back in as admin to continue with the other settings.
NOTE: You should also change root's password. Log in to the NSC (ssh root@<IP>) and run the 'passwd root' command. You can change admin's password the same way by running 'passwd admin'.
Step 2 - Services
Go to Security :: Services page.
Have the following parameters unchecked:
- Enable detection of USB devices
- Enable RPC
- Enable FTP Service
- Enable SNMP Service
- Enable Telnet Service to Nodegrid
- Enable Telnet Service to Managed Devices
- Enable ICMP echo reply
- SSH Allow root access
- Enable Automatic Cloud Enrollment
- Enable VM Serial access
- Enable Zero Touch Provisioning
- Enable PXE (Preboot eXecution Environment)
- Enable Autodiscovery
- Enable HTTP access
- Redirect HTTP to HTTPS
Have the following parameters checked:
- Enable Automatic Cloud Enrollment (if you want to cluster multiple NSC devices)
- Enable VM Serial access (if you want to access virtual machines)
- Enable Zero Touch Provisioning (if you want to allow push configuration)
- Enable PXE (Preboot eXecution Environment) (if you want to allow recovering firmware via PXE)
- Device access enforced via user group authorization (if you want to use access rights and roles via authorization)
- Enable HTTPS access
- High Cipher Suite Level
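The two checklists above can be turned into a repeatable audit. The following is an added example, not a Nodegrid tool: it assumes the Services settings have been exported by hand into a Python dict of service name to checked/unchecked (a constructed layout, not an NSC export format) and reports every deviation from secure mode, treating the "if you want" items as warnings rather than failures unless the operator declares them needed.

```python
# Audit a hand-exported 'Security :: Services' state against the secure-mode
# checklist. The dict layout and service keys are constructed for this example.

# Secure mode expects these unchecked (disabled).
MUST_BE_DISABLED = {
    "usb_detection", "rpc", "ftp", "snmp", "telnet_nodegrid",
    "telnet_managed_devices", "icmp_echo_reply", "ssh_root_access",
    "http_access", "redirect_http_to_https",
}
# Secure mode expects these checked (enabled).
MUST_BE_ENABLED = {"https_access", "high_cipher_suite_level"}
# Conditional items: enable only when the named feature is actually needed.
OPTIONAL = {
    "cloud_enrollment": "clustering multiple NSC devices",
    "vm_serial_access": "console access to virtual machines",
    "zero_touch_provisioning": "pushed configuration",
    "pxe": "firmware recovery via PXE",
    "group_authorization": "access rights and roles via authorization",
}


def audit_services(settings, needed=()):
    """Return (failures, warnings) for a {service: checked_bool} mapping.

    A service missing from the mapping is treated as unchecked, so a partial
    export of a factory-default unit still reports the required items."""
    needed = set(needed)
    failures, warnings = [], []
    for svc in sorted(MUST_BE_DISABLED):
        if settings.get(svc, False):
            failures.append(f"{svc}: enabled, secure mode requires disabled")
    for svc in sorted(MUST_BE_ENABLED):
        if not settings.get(svc, False):
            failures.append(f"{svc}: disabled, secure mode requires enabled")
    for svc, purpose in sorted(OPTIONAL.items()):
        enabled = settings.get(svc, False)
        if enabled and svc not in needed:
            warnings.append(f"{svc}: enabled but not declared needed ({purpose})")
        elif not enabled and svc in needed:
            warnings.append(f"{svc}: disabled but needed for {purpose}")
    return failures, warnings


if __name__ == "__main__":
    # Constructed sample: telnet and HTTP still on, HTTPS on, PXE on.
    sample = {"telnet_nodegrid": True, "http_access": True,
              "https_access": True, "high_cipher_suite_level": True,
              "pxe": True}
    for line in sum(audit_services(sample, needed={"pxe"}), []):
        print(line)
```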
Step 3 - Authentication / Local Users
Go to Security :: Authentication page.
- set the desired Authentication Type.
- if a Remote Authentication Server (Kerberos, LDAP/AD, Radius, Tacacs+) is selected, fill out the necessary parameters for that Server.
- if Local Authentication is selected, then go to Security :: Local Accounts to add local users.
Step 4 - Authorization
Go to Security :: Authorization page.
- add New Authorization Groups.
- click on the new Group and Add Members. Save.
- go to Profile tab and set the Group Permissions. Save.
- go to Devices tab and add Devices to Manage by moving them from the left list to the right list. Set the necessary/desired Device Permissions. Save.
Step 5 - Network
Go to Network :: Connections page.
- click on 'hotspot'.
- uncheck 'Connect Automatically'.
Step 6 - Serial Ports
Go to Managed Devices page.
- select all ttyS ports by checking the first checkbox on the left-hand side.
- click on Edit button.
- set mode to Enabled.
- uncheck 'Allow Telnet protocol'.
Step 7 - Firewall
Go to Security :: Firewall page.
- select the Chain you want to add firewall rules to.
- add rules according to your needs / security policies.
- repeat for other Chains, if required.
Step 8 - System Configuration Checksum
Go to System :: ToolKit page.
- click on System Configuration Checksum button.
- select the Checksum Type: MD5SUM or SHA256SUM.
- then select 'Create a checksum baseline of the current system configuration'.
- then, from time to time, compare the current configuration against the baseline to check whether any unauthorized changes were made since the baseline was taken.