RabbitMQ hardening - I could use some input from you :)


reijin

Sep 25, 2015, 10:03:46 AM9/25/15
to rabbitmq-users
Dear all,

I'm currently in the process of creating a hardening guide for RabbitMQ. Since I'm not an absolute professional, I'd like to hear some ideas and opinions as to which things to add.
So far here is what I included:
  • change permissions for /var/log/rabbitmq to 750 (so far no bugs/problems uncovered with that setting)
  • Turn off not needed plugins
  • Do host OS hardening
  • enable SSL (and limit SSL/TLS versions - because of POODLE, BEAST)
  • Enable logging and analyze logs
  • network separation for RabbitMQ infrastructure (e.g. separate management access from messages)
  • password security
Things that I wonder about:
  • what about default accounts that should be disabled?
  • do you have other ideas or inputs?
Please let me know if you have other sources that I may use to get some more ideas.

Thanks for your attention! I'm looking forward to your ideas.

reijin

Michael Klishin

Sep 25, 2015, 10:29:03 AM9/25/15
to rabbitm...@googlegroups.com
Definitely create a separate admin user and delete guest/guest. Other ideas are sound.
Our docs list the ports used by RabbitMQ,
so you can restrict inbound connections to those.

RabbitMQ disables SSLv3 by default but you may choose to also disable TLSv1.0.

Finally, there is a fine grained permission system and several authentication mechanisms available.

MK

reijin

Sep 25, 2015, 10:41:32 AM9/25/15
to rabbitmq-users
thanks!


On Friday, September 25, 2015 at 4:29:03 PM UTC+2, Michael Klishin wrote:
> Definitely create a separate admin user and delete guest/guest. Other ideas are sound.
With admin user and guest/guest you mean the ones provided by the management web interface, right?
To delete the user or change the password one would use: https://www.rabbitmq.com/man/rabbitmqctl.1.man.html#delete_user (if someone is interested)

> Our docs list the ports used by RabbitMQ,
> so you can restrict inbound connections to those.
Good thinking. I will look into it.

> RabbitMQ disables SSLv3 by default but you may choose to also disable TLSv1.0.
Yep, I saw that in https://www.rabbitmq.com/ssl.html --> very helpful

> Finally, there is a fine grained permission system and several authentication mechanisms available.
Do you mean file permissions? Can you lead me to some document? I was unable to find more details on this.

Michael Klishin

Sep 25, 2015, 10:49:04 AM9/25/15
to rabbitm...@googlegroups.com
It is not provided by management UI but used to access it, so we are likely talking about the same thing.

guest/guest is created automatically during first node boot.

Big6Consultant HLA

Jun 23, 2016, 10:04:43 AM6/23/16
to rabbitmq-users
Has there been any progress on a hardening guide to meet NIST SP 800-53?

Michael Klishin

Jun 23, 2016, 5:44:18 PM6/23/16
to rabbitm...@googlegroups.com
Probably not. The only possibly relevant change is the switch to SHA-256 by default for password
hashing and opt-in SHA-512 support out of the box: http://www.rabbitmq.com/passwords.html.




--
MK

Staff Software Engineer, Pivotal/RabbitMQ
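Two points from the thread lend themselves to an automated check: the default guest/guest account should be gone and replaced by a separate admin user, and (after the 3.6 change) password hashes should no longer be MD5. The audit below is an added example, not code from RabbitMQ or anyone in the thread; it reads the JSON the management plugin returns from `GET /api/users` (the `hashing_algorithm` and `tags` field names are assumed from that API, and the sample response is constructed).

```python
"""Audit RabbitMQ user accounts against the hardening points raised in the thread."""
import base64
import json
import urllib.request

# Constructed sample of a GET /api/users response; names and hashes are made up.
SAMPLE_USERS = json.dumps([
    {"name": "guest", "password_hash": "x", "tags": "administrator",
     "hashing_algorithm": "rabbit_password_hashing_md5"},
    {"name": "ops-admin", "password_hash": "x", "tags": "administrator",
     "hashing_algorithm": "rabbit_password_hashing_sha256"},
    {"name": "app-svc", "password_hash": "x", "tags": "",
     "hashing_algorithm": "rabbit_password_hashing_sha256"},
])

DEFAULT_USER = "guest"
WEAK_HASHES = {"rabbit_password_hashing_md5"}  # pre-3.6 default


def fetch_users(base_url, user, password):
    """Fetch /api/users from the management plugin using HTTP basic auth."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/users")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def audit_users(users_json):
    """Return a list of findings (empty list means nothing to fix)."""
    findings, admins = [], []
    for u in json.loads(users_json):
        tags = u.get("tags", [])
        if isinstance(tags, str):            # older API versions send "a,b"
            tags = [t for t in tags.split(",") if t]
        if u["name"] == DEFAULT_USER:
            findings.append("default account 'guest' still exists: "
                            "rabbitmqctl delete_user guest")
        if "administrator" in tags:
            admins.append(u["name"])
        if u.get("hashing_algorithm") in WEAK_HASHES:
            findings.append(f"user '{u['name']}' password is MD5-hashed: "
                            "reset it so SHA-256 is used")
    if not [a for a in admins if a != DEFAULT_USER]:
        findings.append("no administrator other than 'guest': "
                        "create a separate admin user")
    return findings


if __name__ == "__main__":
    for line in audit_users(SAMPLE_USERS):
        print("FINDING:", line)
```

Run it against a live node by replacing `SAMPLE_USERS` with `fetch_users("https://host:15671", "ops-admin", "secret")`.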