In March, in a blog post by their Chief Information Security Officer, Citrix notified the public about potential unauthorized access to their internal network. The FBI believes that the hackers used a technique known as “password spraying”: attempting to gain access by trying a few commonly used passwords against many different usernames. With more customers exposing their Leostream environments to the internet, what can be done to protect your Broker from unauthorized logins?
The first thing to consider is whether you need Leostream to be accessible publicly at all. If you have remote users logging in, then the answer is probably yes. If, however, your users only access Leostream from the internal network, then there is no reason to expose the Broker to the public internet in the first place!
If you have users logging into Leostream from the internet, what can you do to secure Leostream to protect against hackers?
Multi-factor authentication (MFA) requires users to prove their identity through another system in addition to the standard username and password credentials. Leostream is working hard to bring MFA integrations into our software suite moving forward, and as of today, we include support for RADIUS servers, as well as Duo Security which allows users to verify login attempts from a smartphone application. In the future, we plan to offer Google Authenticator support as well.
The Leostream Gateway provides a few features to enhance security. The first is Broker URL forwarding, which allows organizations to expose only the Gateway publicly: the Gateway handles the web traffic for the Broker, so the Broker appliance itself never needs to be exposed. The Leostream Gateway can also forward display protocol traffic for your end users, so you can keep your host machines off of the public internet; when a user requests a connection, it is routed through the Leostream Gateway to that end user.
Putting the Leostream appliances behind strict firewalls is a good way to limit access to the underlying operating systems, and prevent things like SSH logins from unauthorized locations or networks.
Disabling the Default Admin Account
The Leostream Broker ships with a default account named ‘admin’. Typically during an intrusion attempt the hackers will attempt to gain access by using common usernames such as admin or root. With Leostream 9 we have provided the ability for organizations to disable the default admin account outright, or rename it with any desired username.
The Leostream 9 Broker also employs rate limiting of login requests and a backoff algorithm by default. This prevents hackers from spamming your Broker with login attempts by rejecting further requests after just three consecutive failed login attempts. By default the Broker throttles these logins by username combined with source IP, but organizations can configure this behavior on the System > Settings page. Rate limiting of login attempts can be used to thwart internal bad actors (who might already know the administrator username they are trying to gain access with), as well as external hackers.
Setting Authorized Locations in the Broker
The Broker has a built-in concept of client locations, which can be used to limit access to authorized networks only. Using client locations together with strict assignment rules can prevent users from logging into the Broker from unrecognized locations or unknown networks.
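To make the two mechanisms above concrete, the following is an added example of a login front door that combines them: it rejects requests from source addresses outside an allow-list of authorized networks (the client-location idea), and it tracks consecutive failures per username plus source IP, locking that pair out after three failures with an exponential backoff that doubles on each further failure. This is illustrative code written for this page, not Leostream's implementation; the class and function names, the backoff constants (30 seconds base, one hour cap), the in-memory credential map and the sample addresses are all constructed for the example.

```python
import hmac
import ipaddress
import time
from dataclasses import dataclass

# Constructed policy values for the example (not Leostream's defaults).
MAX_CONSECUTIVE_FAILURES = 3       # third consecutive failure triggers a lockout
BASE_BACKOFF_SECONDS = 30.0        # first lockout length
MAX_BACKOFF_SECONDS = 3600.0       # cap so a persistent attacker cannot grow it unbounded


@dataclass
class FailureState:
    """Per (username, source IP) counters used for throttling."""
    consecutive_failures: int = 0
    locked_until: float = 0.0      # monotonic timestamp; 0.0 means not locked


class LoginGate:
    """Hypothetical login front door: location allow-list plus per-user/IP backoff."""

    def __init__(self, authorized_networks, credentials, clock=time.monotonic):
        # CIDR strings such as "10.0.0.0/8"; any address outside them is refused outright.
        self.networks = [ipaddress.ip_network(n) for n in authorized_networks]
        # Constructed stand-in for a real authentication server: username -> password.
        self.credentials = credentials
        # Injectable clock so lockouts can be tested without sleeping.
        self.clock = clock
        self.state = {}

    def location_allowed(self, source_ip):
        addr = ipaddress.ip_address(source_ip)
        return any(addr in net for net in self.networks)

    def seconds_until_retry(self, username, source_ip):
        st = self.state.get((username.lower(), source_ip))
        if st is None:
            return 0.0
        return max(0.0, st.locked_until - self.clock())

    def attempt(self, username, password, source_ip):
        """Return one of: denied_location, throttled, ok, failed, locked."""
        if not self.location_allowed(source_ip):
            return "denied_location"

        key = (username.lower(), source_ip)
        st = self.state.setdefault(key, FailureState())
        now = self.clock()

        # While locked, the credentials are not even evaluated, so a flood of
        # attempts during the lockout window learns nothing about the password.
        if now < st.locked_until:
            return "throttled"

        stored = self.credentials.get(username)
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            self.state.pop(key, None)      # success resets the counter for this pair
            return "ok"

        st.consecutive_failures += 1
        if st.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            # Backoff doubles with every failure beyond the threshold: 30s, 60s, 120s, ...
            exponent = st.consecutive_failures - MAX_CONSECUTIVE_FAILURES
            delay = min(BASE_BACKOFF_SECONDS * (2 ** exponent), MAX_BACKOFF_SECONDS)
            st.locked_until = now + delay
            return "locked"
        return "failed"


if __name__ == "__main__":
    # Constructed walk-through: three bad guesses from one address lock that pair only.
    gate = LoginGate(["10.0.0.0/8", "192.168.1.0/24"], {"alice": "s3cret"})
    for pw, ip in [("wrong", "203.0.113.5"), ("wrong", "10.1.2.3"),
                   ("wrong", "10.1.2.3"), ("wrong", "10.1.2.3"),
                   ("s3cret", "10.1.2.3"), ("s3cret", "10.9.9.9")]:
        print(ip, pw, "->", gate.attempt("alice", pw, ip))
```

Because the key is the username and source IP together, a legitimate user on a different network is not locked out by an attacker's failures, which matches the default keying described above; keying on username alone would instead let an attacker deny service to that account. A production version would keep the state in shared storage rather than in a process-local dictionary and would read the policy values from the System > Settings configuration.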
Authentication Server Password Policies
Since Leostream integrates with your organization’s authentication server, such as Active Directory, you can utilize the built-in password policy options for the authentication server. Forcing users to create more complex passwords with a minimum allowed length will make it less likely that a hacker would be able to guess the user’s password.