Category: infrastructure

Posted on

Set password policy for VMware Linux appliances

The point of changing passwords regularly is debatable. I think that forcing users to assign a new password every x days, which must be very different from the previous one, is counterproductive. But that’s another topic.

The scenario I want to talk about looks like this: a non-production lab environment where the password always expires when you have more important things to do. Appliance xy gives me the virtual middle finger and forces me to enter a new password, which must contain at least 5 special Klingon characters. Grrr! This is a non-productive lab and I use the same password for all – yes, all – services and logins. It’s about feasibility – not security.

Before anyone gets me wrong: 
Yes, in production that would be a very stupid idea.

Password Expiration

The first step is to set the password expiry time to zero (caution! not for VCF!) or a very long period of time. By default, I set 9000 days here. That’s the equivalent of about 24 years and 7 months. That should be enough πŸ˜‰

Often this value cannot be configured in the GUI. Then the CLI is required. In most Linux variants, the setting is hidden in a configuration file called login.defs. We can make a quick query on the shell.

cat /etc/login.defs | grep PASS

PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 7

Voila! PASS_MAX_DAYS is our password expiration time.

We have to use vi in order to make changes, as other editors are rarely available in these systems. But don’t be scared of vi. It’s actually quite nice. πŸ™‚ We open the configuration file with:

vi /etc/login.defs

Now keep calm and just press the i key (for insert). Now look for the line with PASS_MAX_DAYS and change the value to 9000, for example. If you wish, you can also set the minimum age PASS_MIN_DAYS to 0. This allows the password to be changed again without waiting.

To save our changes, press the ESC key and then the key with the colon. A colon appears at the bottom left, indicating that we are in command mode. We enter the characters wq (write, quit) and press Enter.

Special case NSX-T with VCF

The expiry time of the predefined accounts admin, root and audit under NSX-T are set on the shell of the NSX manager with a separate command. To do this, you connect to the virtual IP (VIP) of the management cluster via SSH and you’ll be forwarded to the current master node.

To set the expiry time of the three accounts to 9000 days, enter the following three commands:

set user admin password-expiration 9000
set user root password-expiration 9000
set user audit password-expiration 9000

In NSX-T environments without VCF, the password expiry times may be completely deactivated.

Attention! With NSX-T in conjunction with VCF, however, this leads to problems during the upgrade. For the sake of completeness, here are the commands for deactivation:

clear user admin password-expiration
clear user root password-expiration
clear user audit password-expiration

Control

The expiry time in NSX-T can be queried with these commands:

get user admin password-expiration
get user root password-expiration
get user audit password-expiration

Password History

Normally the above changes are sufficient. However, if we have missed the expiration date and had to set a new password when logging in, we cannot switch back to our old password. The system remembers a defined number of recent passwords and does not allow recycling. But we can change this too. In many Linux variants, there is a daemon for pluggable authentication modules (pam.d). The configuration is located under /etc/pam.d/common-password. Systems with root access can also have the configuration in /etc/pam.d/system-password instead.

vi /etc/pam.d/system-password

Here I set the value remember=0. This allows the desired password to be reset immediately. As root user, the command on the shell is sufficient:

passwd

Posted on

ExaGrid Time-Lock – Who’s (still) afraid of ransomware?

Introduction

Ransomware currently represents one of the most prominent threats to IT infrastructures. Reports of successful attacks are accumulating, the attacks are getting closer. More than 30% of all companies, institutes, universities or public authorities in Germany have already dealt with such attacks. In some cases, a ransom was paid to get access to their own data again.

Even with payment, success is never certain. After all, one negotiates with criminals. Authorities therefore advise against payment.

The essential protective measure against the consequences of such an attack is an up-to-date and consistent backup.

Ransomware vs. Backup

Unfortunately, attackers also know about the importance of backups. The currently circulating malware, such as Emotet or Ryuk, contain code that actively searches for backups on the net. Using previously obtained access data for Active Directory accounts or by attacking via RDP exploits or using the brand-new Zerologon exploit an attempt could be made to take over the systems that operate the data backup in the company or hold the backup data.

The automatic attack is often followed by hackers in the flesh who actively browse the net and try to destroy all backups. This is often an easy task, since backups today are preferably held on hard disk systems, permanently connected to the infrastructure.

The reason is obvious: If all backups are deleted or also encrypted, the compliance of the “customer” to pay his ransom increases by far.

Many approaches have therefore already been conceived to store the backup data out of reach of an attacker. A very simple and secure variant is an Air-Gap – a physical separation of the backup media from the system. For example, LTO tapes can be physically removed from the library.

Without this kind of time-consuming manual extraction – which would also have to be performed daily – the data remains latently vulnerable. It doesn’t matter whether it is stored on disk systems, dedup appliances, tapes in a library or even in an S3 cloud repository.

S3 cloud providers have therefore proposed an API extension called “Immutability” some time ago. With this, at least the backups in the cloud layer can be made immune to changes for a certain time.

Some of these solutions are natively supported by Veeam. Amazon AWS is one of them. Microsoft Azure is currently still missing. Furthermore S3 memory is not suitable for every application. A primary backup with Veeam on S3 is for example not directly possible. The S3 layer is only available as an extension of a scale-out backup repository.

Continue reading “ExaGrid Time-Lock – Who’s (still) afraid of ransomware?”
Posted on

Veeam Storage Plugin for DataCore – Deepdive

Any questions, remarks or additions: melter[at]idicos.de

SANsymphony meets Veeam Backup and Replication – true love in the end!

In December 2019 the plugin for the popular DataCore SANsymphony SDS was finally released. And it is done in the only proper way: With full support and validation by Veeam.

In this article series we will cover several aspects of the plugin:

Continue reading “Veeam Storage Plugin for DataCore – Deepdive”
Pages: 1 2 3 4 5 6
Posted on

Storage 101- The Synchronous Mirror Dilemma

A brief introduction into High Availabilty

Keeping data identical at two locations is becoming increasingly important in a highly available IT world. A couple of years back in time it used to be an expensive enterprise level luxury. But recently that demand can be found in SMB environments too. The method is called mirroring which can be implemented in two ways.

  • Asynchronous – Data is being synchronized in defined intervals. In between there is a difference (delta) between source and target.
  • Synchronous – Data transfer is transaction consistent. I.e. the data is identical on both sides at all times. A write operation is only considered complete when source and target site have confirmed the write.

A prerequisite for high availability is mirroring of data (synchronous or asynchronous). If the data is available at two locations (data centers), a further design question arises: Should the storage target act as a fallback copy in case of emergency (Active-Passive), or should the data be actively used in both locations (Active-Active)?

  • Active-Passive – Only the active side works and data is transferred to the passive side (synchronous or asynchronous). In case of a failiure, the system switches automatically or manually and the previously passive side becomes active. It remains so until a failback is triggered. This method guarantees full performance even in the event of a total site failure. Resources must be equal on both sides. The disadvantage is that only a maximum of 50% of the total resources may be used.
  • Active-Active – Resources of both sides can be used in parallel and the hardware is utilized more efficiently. However, this means that in the event of a failure, half of the resources are lost and full performance cannot be guaranteed. Active-Active designs require a synchronous mirror, as both sides have to work with identical data.

Active-Active clusters do exist in many different forms. There’s classic SAN storage with integrated mirroring, or software defined storage (sds) where the mirroring is not in hardware but in the software layer. One example is DataCore SANsymphony. VMware vSAN Stretched Cluster plays a special role and will not be covered in this post.

In the following section I will discuss a special pitfall of LUN based active-active constructs, which is often neglected, but can lead to data loss in case of an error. VMware vSAN is not affected because its stretched cluster is based on a different design which prevents the following issue.

Continue reading “Storage 101- The Synchronous Mirror Dilemma”