In this article, you will find tips on how to secure a server powered by Open-E JovianDSS against attackers. As you may have learned from one of the previous articles, Data security risks and Open-E JovianDSS countermeasures, many threats can endanger the security of your data. On the other hand, there are proven measures that keep your data out of harm's way and help you avoid the fate of Colonial Pipeline, which was recently forced to pay nearly 5 million dollars in ransom for its data.
The following table presents the protective measures that can be used in Open-E JovianDSS:
Optionally protected by a password
Remote access only via SSH (encryption + login with a password)
Restricted IP address
Login with a password
Possibility to upload own HTTPS certificate
Command Line Interface
Access only via SSH (encryption + login with a password)
Access only via HTTPS
Login with a password
Restricted IP address for Read/Write and Read Only access
User authentication by login with a password
Blocked possibility to list available resources
Access Control List (ACL) support
Restricted IP address
CHAP User Authentication
Mutual CHAP User Authentication
Access to the target restricted to listed WWNs
Basics of Data Security
It may sound simple, but not many of us remember this rule: set a strong, unique password for every part of your infrastructure, at every level, including the GUI and the TUI. That closes the easiest way into your system. And remember: admin/admin is never an option.
Restricted IP Address
Additionally, define the list of IP addresses that are allowed to access your Open-E JovianDSS system. It is pure and simple: if an address is not on the allow list, the machine using it gets no access. Keep in mind that this limits where connections can come from; it does not replace strong credentials on the services behind it.
HTTPS Certificate
Another layer of security is the HTTPS certificate used by the web interface. You can either keep the one generated by default, a self-signed certificate, or use a custom one. A custom certificate is one you supply yourself: either signed by a Certificate Authority (CA), public or your own internal one, or self-signed by you. The default self-signed certificate encrypts the connection, but it gives a browser no way to verify that it is talking to your JovianDSS and not to someone in between, so either verify its fingerprint out of band before trusting it or replace it with a certificate your clients can validate. To replace the default certificate with your own, upload the certificate together with its private key, and keep that private key confidential: anyone holding it can impersonate the management interface. Currently, RSA (Rivest–Shamir–Adleman) and ECC (Elliptic Curve Cryptography) keys are supported. The following should be considered:
For RSA, the private key must be at least 2048 bits long.
For ECC, only keys on the following curves are supported:
P-256 (also known as secp256r1 or prime256v1)
P-384 (also known as secp384r1)
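As an added example that is not part of the original article or of Open-E's software, the following Python script drives the openssl command-line tool (1.1.1 or newer) to check a PEM private key against the constraints just listed (RSA of at least 2048 bits, or EC on P-256 or P-384) before you upload it, and to confirm that the certificate you upload with it actually belongs to that key. It also generates a set of test keys, including ones that must be rejected. The hostname jdss.example.internal, the file names and the wording of the returned reasons are assumptions made for the example.

```python
"""Pre-upload checks for a JovianDSS HTTPS key pair (added example, not Open-E code).
Requires the openssl command-line tool, version 1.1.1 or newer."""
import re
import subprocess
import tempfile
from typing import Tuple

MIN_RSA_BITS = 2048
# OpenSSL's names for the two curves the article lists: P-256 and P-384.
ALLOWED_CURVES = {"prime256v1", "secp384r1"}


def _openssl(*args: str) -> Tuple[int, str]:
    """Run openssl and return (exit code, combined stdout+stderr)."""
    p = subprocess.run(["openssl", *args], capture_output=True, text=True)
    return p.returncode, p.stdout + p.stderr


def key_policy(key_pem: str) -> Tuple[bool, str]:
    """Decide whether a PEM private key meets the constraints: (accepted, reason)."""
    rc, out = _openssl("rsa", "-in", key_pem, "-noout", "-text")
    if rc == 0:  # output contains e.g. "Private-Key: (2048 bit, 2 primes)"
        m = re.search(r"\((\d+) bit", out)
        bits = int(m.group(1)) if m else 0
        if bits >= MIN_RSA_BITS:
            return True, f"rsa {bits} bits"
        return False, f"rsa {bits} bits (need >= {MIN_RSA_BITS})"
    rc, out = _openssl("ec", "-in", key_pem, "-noout", "-text")
    if rc == 0:  # a named curve shows up as "ASN1 OID: prime256v1"
        m = re.search(r"^ASN1 OID: (\S+)", out, re.MULTILINE)
        curve = m.group(1) if m else "explicit-parameters"
        if curve in ALLOWED_CURVES:
            return True, f"ec {curve}"
        return False, f"ec {curve} (only P-256/P-384 supported)"
    return False, "not an RSA or EC key"


def cert_matches_key(cert_pem: str, key_pem: str) -> bool:
    """Certificate and private key are uploaded together, so they must be a pair:
    compare the public key derived from the key with the one inside the certificate."""
    rc1, from_key = _openssl("pkey", "-in", key_pem, "-pubout")
    rc2, from_cert = _openssl("x509", "-in", cert_pem, "-noout", "-pubkey")
    return rc1 == 0 and rc2 == 0 and from_key.strip() == from_cert.strip()


def make_key(path: str, kind: str) -> None:
    """Generate a test key: kind is 'rsa:<bits>', 'ec:<curve>' or another genpkey algorithm name."""
    if kind.startswith("rsa:"):
        args = ["genpkey", "-algorithm", "RSA", "-pkeyopt", f"rsa_keygen_bits:{kind[4:]}"]
    elif kind.startswith("ec:"):
        args = ["genpkey", "-algorithm", "EC", "-pkeyopt", f"ec_paramgen_curve:{kind[3:]}"]
    else:
        args = ["genpkey", "-algorithm", kind]
    rc, out = _openssl(*args, "-out", path)
    if rc != 0:
        raise RuntimeError(out)


def self_signed_cert(key_pem: str, cert_pem: str, hostname: str, days: int = 365) -> None:
    """Self-signed certificate carrying a subjectAltName, which browsers require besides the CN."""
    rc, out = _openssl("req", "-new", "-x509", "-key", key_pem, "-out", cert_pem,
                       "-days", str(days), "-subj", f"/CN={hostname}",
                       "-addext", f"subjectAltName=DNS:{hostname}")
    if rc != 0:
        raise RuntimeError(out)


def scratch_dir() -> str:
    """Temporary directory for generated test material."""
    return tempfile.mkdtemp(prefix="jdss-tls-")


if __name__ == "__main__":
    d = scratch_dir()
    for name, kind in [("rsa2048", "rsa:2048"), ("rsa1024", "rsa:1024"),
                       ("p256", "ec:prime256v1"), ("p521", "ec:secp521r1"), ("ed25519", "ed25519")]:
        make_key(f"{d}/{name}.key", kind)
        print(name, key_policy(f"{d}/{name}.key"))
    # jdss.example.internal is an assumed hostname for the example.
    self_signed_cert(f"{d}/p256.key", f"{d}/p256.crt", "jdss.example.internal")
    print("certificate belongs to key:", cert_matches_key(f"{d}/p256.crt", f"{d}/p256.key"))
```

Run key_policy on the key you intend to upload and cert_matches_key on the pair; a self-signed certificate produced this way still has to be trusted explicitly by each client, so for a fleet of administrators a certificate issued by your internal CA is the better choice.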
Secure Shell Protocol (SSH)
SSH is a cryptographic network protocol for operating network services securely over an unprotected network. It provides a secure channel using a client-server architecture: an SSH client application connects to an SSH server, the connection is encrypted, and the user authenticates to the server, with a password in the case of JovianDSS. On the first connection to a server, verify its host key fingerprint through a trusted channel, so that nobody can stand in for the server without you noticing.
Challenge Handshake Authentication Protocol (CHAP)
CHAP is a basic authentication mechanism widely used by network devices and hosts. It provides a way for iSCSI initiators and targets to authenticate each other with a shared secret (also called a code or password). CHAP secrets are usually random, ranging from 12 to 128 characters. The secret itself is never sent over the network. Instead, the verifying side sends a random challenge, and the other side replies with an MD5 hash computed over the challenge and the secret; MD5 is a one-way function, so the secret cannot be read back out of the hash. Note, however, that anyone who captures a challenge and its response can test candidate secrets offline, which is why the secret must be long and random rather than a word from a dictionary.
When an initiator requires reverse CHAP authentication, the initiator authenticates the target using the same procedure with the roles swapped. A CHAP secret has to be configured on both the target and the initiator: each side keeps a CHAP entry containing the name of the peer node and the secret associated with that node. Use a different secret for each direction, so that a response obtained in one direction cannot be reused to pass authentication in the other.
In a mutual CHAP authentication scenario, both procedures run in turn: first the target authenticates the initiator, then the initiator authenticates the target. Only once both steps have succeeded is data access permitted.
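The exchange described above, as an added example that is not part of the original article or of Open-E's software: a minimal Python model of CHAP with MD5 as iSCSI uses it, showing the one-way login, the mutual login with a separate secret per direction, why a fresh challenge defeats replay, and the offline guessing that a captured exchange permits against a weak secret. The node names, secrets and the ChapNode data model are constructed for the example.

```python
"""CHAP with MD5 as used for iSCSI, one-way and mutual (added example, not Open-E code).
Node names, secrets and the ChapNode class are constructed for the example."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5 response (iSCSI CHAP_A=5): MD5(identifier || secret || challenge).
    Only this digest crosses the network; the secret itself never does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def new_challenge(length: int = 16) -> Tuple[int, bytes]:
    """The verifying side picks a fresh identifier and random challenge for every attempt,
    which is what stops a captured response from being replayed later."""
    return secrets.randbelow(256), secrets.token_bytes(length)


class ChapNode:
    """An initiator or target: its own name and secret, plus the CHAP entries
    (peer name -> peer secret) it keeps for verifying the other side."""

    def __init__(self, name: str, own_secret: bytes, peers: Dict[str, bytes]):
        self.name = name
        self.own_secret = own_secret
        self.peers = dict(peers)

    def answer(self, identifier: int, challenge: bytes) -> Tuple[str, bytes]:
        """CHAP_N and CHAP_R: prove knowledge of our secret for this challenge."""
        return self.name, chap_response(identifier, self.own_secret, challenge)

    def verify(self, peer_name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        """Recompute the expected response from the stored peer secret; compare in constant time."""
        secret = self.peers.get(peer_name)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def chap_login(initiator: ChapNode, target: ChapNode, mutual: bool) -> bool:
    """One-way CHAP: the target authenticates the initiator.
    Mutual CHAP: afterwards the initiator challenges the target the same way."""
    ident, chal = new_challenge()                  # target -> initiator: CHAP_I, CHAP_C
    name, resp = initiator.answer(ident, chal)     # initiator -> target: CHAP_N, CHAP_R
    if not target.verify(name, ident, chal, resp):
        return False
    if not mutual:
        return True
    ident2, chal2 = new_challenge()                # initiator -> target: its own CHAP_I, CHAP_C
    name2, resp2 = target.answer(ident2, chal2)    # target -> initiator: CHAP_N, CHAP_R
    return initiator.verify(name2, ident2, chal2, resp2)


def offline_guess(identifier: int, challenge: bytes, response: bytes,
                  wordlist: Iterable[bytes]) -> Optional[bytes]:
    """What someone who sniffed one (CHAP_I, CHAP_C, CHAP_R) triple can do: MD5 is fast,
    so every candidate secret can be tested offline. Short or guessable secrets fall here."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    INIT, TGT = "iqn.2021-05.internal.example:host1", "iqn.2021-05.internal.example:target0"
    s_init = b"h7Q!p2z9Lm4vXc1R"                # initiator secret, 16 chars (constructed)
    s_tgt = b"different-secret-for-target0"    # a separate secret for the reverse direction
    initiator = ChapNode(INIT, s_init, {TGT: s_tgt})
    target = ChapNode(TGT, s_tgt, {INIT: s_init})
    print("mutual CHAP login:", chap_login(initiator, target, mutual=True))

    weak = ChapNode(INIT, b"password1", {})
    ident, chal = new_challenge()
    _, resp = weak.answer(ident, chal)
    print("weak secret recovered from one captured exchange:",
          offline_guess(ident, chal, resp, [b"123456", b"password", b"password1"]))
```

The model deliberately keeps the target's secret out of the initiator's own secret and vice versa: with a single shared value, a peer that can pass one direction could pass the other as well.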
World Wide Names (WWN)
A World Wide Name is a vendor-supplied, 64-bit unique identifier assigned to nodes and ports. The Fibre Channel (FC) environment uses two types of WWNs: World Wide Node Name (WWNN) and World Wide Port Name (WWPN). A WWN is static: it stays with the device regardless of the FC network it is attached to, which is what makes it usable as a selector in the target's access list. Keep in mind that a WWN is an identifier, not a secret: a host whose HBA can be reprogrammed can claim another host's WWPN, so restricting WWNs on the target should be combined with zoning on the FC switch and not be treated as authentication.
But even with the best security policies, you have to be ready for the unexpected. So if everything else fails, you need access to a very recent copy of your data.
Snapshots
Open-E JovianDSS can create snapshots very frequently, and you can tune the schedule to your company's requirements. Instant access to this data allows you to roll back to the state before a ransomware attack, so the data written before the attack can be recovered. Keep in mind that snapshots live on the same system as the data: whoever gains administrative access to it can delete them, which is one more reason to protect the management interfaces as described above and to keep copies elsewhere as well.
On- and Off-site Data Protection
If you require additional protection, this is the option to consider. With On- and Off-site Data Protection, you replicate your data to backup servers, on site or at a remote location, building on the same snapshot mechanism. A copy that the attacked system cannot overwrite protects you against ransomware and other malicious events: you can go back to an older version of your data and retrieve it after an attack.
In this article, we have discussed some of the methods used to protect your data from attackers. Setting strong passwords is the most essential step in protecting your system against external threats, but it is just the first step in an ongoing battle against cybercriminals. Stay safe and protected!