To harden your environment, ensure that openssl is up to date and does not include the heartbleed exploit:
1. Run rpm -q openssl from the Terminal to check what version of openssl is currently installed on the Mobility Suite. The expected result should appear in the following format:
openssl-1.0.1e-16.el6_5.15.x86_64
2. If the Terminal output displays anything below openssl-1.0.1e-16.el6_5.7.x86_64, then the following command will need to be run for openssl to be upgraded:
yum -y update openssl
3. Run the rpm -q openssl command again from the Terminal to check the installed openssl package version again. Ensure that the version displayed appears higher than openssl-1.0.1e-16.el6_5.7.x86_64. An example of an update to date version of the openssl package is as follows:
openssl-1.0.1e-30.el6_6.5.x86_64
Source: http://wiki.centos.org/Security/Heartbleed
Open the ports necessary for Mobility Suite's proper function:
A script which performs these steps automatically and modifies iptables to allow all the ports necessary for use with Mobility Suite has been attached to this article as 'HardenMobilitySuite.sh_.zip'. The script's permissions may need to be modified before it can be run after it has been uncompressed. In order to uncompress, qualify the script for use, and execute it the following commands need to be run from the Terminal in the directory where the script is located:
yum -y install unzip
unzip HardenMobilitySuite.sh_.zip -d ~
cd ~
chmod +x HardenMobilitySuite.sh
./HardenMobilitySuite.sh
For reference, the contents of the attached 'HardenMobilitySuite.sh' script has been included below:
#!/usr/bin/env bash
echo "Updating openssl to ensure there is no vulnerability to the heartbleed exploit."
#Updates openssl
yum update -y openssl
echo "Making firewall exceptions for the ports needed to be used by Mobility Suite."
#Makes port exceptions for our product
/sbin/iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 5672 -j ACCEPT
/sbin/iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 15672 -j ACCEPT
/sbin/iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 35197 -j ACCEPT
/sbin/iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 4369 -j ACCEPT
/sbin/iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 45000:45010 -j ACCEPT
/sbin/iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
/sbin/iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
/sbin/iptables -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 2195 -j ACCEPT
/sbin/iptables -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 2196 -j ACCEPT
/sbin/iptables -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
/sbin/iptables -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
/sbin/iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 8000 -j ACCEPT
/sbin/iptables -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 8000 -j ACCEPT
/sbin/iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 68 -j ACCEPT
/sbin/iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
/sbin/iptables -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
/sbin/iptables -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 587 -j ACCEPT
/sbin/iptables -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
/sbin/iptables -I OUTPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
/sbin/iptables -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
/sbin/iptables -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
/sbin/iptables -I OUTPUT -m state --state NEW -m udp -p udp --dport 67 -j ACCEPT
/sbin/iptables -I OUTPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
/sbin/iptables -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
/sbin/iptables -I OUTPUT -m state --state NEW -m udp -p udp --dport 3306 -j ACCEPT
/sbin/iptables -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 35197 -j ACCEPT
/sbin/iptables -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 4369 -j ACCEPT
/sbin/iptables -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 45000:45010 -j ACCEPT
/sbin/iptables -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 15672 -j ACCEPT
/sbin/iptables -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 5672 -j ACCEPT
/sbin/iptables -I OUTPUT -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
/sbin/iptables -I OUTPUT -m state --state NEW -m udp -p udp --dport 1521 -j ACCEPT
echo "Saving the changes to the firewall."
#Saving the changes made to iptables
/etc/init.d/iptables save
chkconfig iptables on
/etc/init.d/iptables restart
/sbin/iptables -L -v -n
echo "+------------------------------------------------------------------+"
echo "|Congratulations!!! Your server is now hardened for Mobility Suite!|"
echo "+------------------------------------------------------------------+
See http://www.symantec.com/docs/HOWTO100354 for instructions on permitting access to the necessary FQDN's for use with Mobility Suite.
See http://www.symantec.com/docs/HOWTO98546 for instructions on permitting access to the necessary ports and IP address range for use with Mobility Suite's iOS device communication.
See http://www.symantec.com/docs/HOWTO94496 for a list of ports needed for the various services and environmental options that can or will be employed by Mobility Suite.
See http://www.symantec.com/docs/HOWTO100093 for the list of ports required for RabbitMQ Cluster communication for use with Mobility Suite.
See http://www.symantec.com/docs/HOWTO110235 for the list of commands to run in the Terminal to add firewall exceptions for ports needed by Mobility Suite.
This connect article was compiled from information listed in HOWTO110230.