[ixpmanager-announce] [RELEASE] v6.3.0 - Security hardening, with various improvements and bug fixes
Barry O'Donovan (INEX)
barry.odonovan at inex.ie
Wed Nov 2 11:57:17 GMT 2022
We are pleased to announce the immediate availability of IXP Manager v6.3.0.
A commercial IT consultancy provider uses IXP Manager in one of their
solutions. They had their overall solution reviewed by an
internationally respected cyber security and risk assessor. This review
included IXP Manager and the commercial IT consultancy responsibly
disclosed all of the issues and advice related to IXP Manager to us.
These have been addressed in this release and are itemised via the URL
below. We recommend all IXPs that use IXP Manager upgrade to this new
version.
We thank the IT consultancy, and those within it whom we have been
dealing with, for sharing the findings with us.
Full details are available at:
https://github.com/inex/IXP-Manager/releases/tag/v6.3.0
Additional note regarding the security updates:
For the most part, these relate to the trade-off between user-friendly /
assumed-user-intelligence behaviours versus security best practices. We
should of course strive towards security best practices in the modern
cyber-security era. Much of what was reported relates to hardening the
system and reducing avenues for brute force attacks (e.g. username
discovery via iteration and then brute force access via use of
simplistic passwords).
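The two attack patterns named above, username discovery by iterating over candidate accounts and then password guessing against one account, leave distinct footprints in a login audit log: one source tries many different usernames and fails on each, or one source fails repeatedly against a single username. The following is an added example of detection logic for both patterns; it is not code from IXP Manager and the log line format, the sample lines and the thresholds are all constructed assumptions for illustration (IXP Manager's own logging is not shown here).

```python
"""Flag username-enumeration and brute-force patterns in a login audit log.

Added example for illustration only; not IXP Manager code. The line format
"<timestamp> <source-ip> <username> <ok|fail>" and the sample lines below are
constructed, as are the thresholds.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# Constructed sample audit log (not real traffic):
#  - 203.0.113.7 fails once each against six different accounts (enumeration)
#  - 198.51.100.9 fails six times against "alice" (password guessing)
#  - the remaining lines are ordinary logins, including one typo-then-success
SAMPLE_LOG = """\
2022-11-02T10:00:01Z 203.0.113.7 alice fail
2022-11-02T10:00:02Z 203.0.113.7 bob fail
2022-11-02T10:00:03Z 203.0.113.7 carol fail
2022-11-02T10:00:04Z 203.0.113.7 dave fail
2022-11-02T10:00:05Z 203.0.113.7 erin fail
2022-11-02T10:00:06Z 203.0.113.7 frank fail
2022-11-02T10:00:07Z 198.51.100.9 alice fail
2022-11-02T10:00:08Z 198.51.100.9 alice fail
2022-11-02T10:00:09Z 198.51.100.9 alice fail
2022-11-02T10:00:10Z 198.51.100.9 alice fail
2022-11-02T10:00:11Z 198.51.100.9 alice fail
2022-11-02T10:00:12Z 198.51.100.9 alice fail
2022-11-02T10:00:13Z 192.0.2.44 alice ok
2022-11-02T10:00:14Z 192.0.2.45 bob fail
2022-11-02T10:00:15Z 192.0.2.45 bob ok
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (ok|fail)$")


@dataclass
class LoginEvent:
    ts: str
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed format; malformed lines are skipped, not fatal."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, ip, user, outcome = m.groups()
        events.append(LoginEvent(ts, ip, user, outcome == "ok"))
    return events


def find_enumeration(events, distinct_user_threshold=5):
    """Source IPs whose failed logins span many *distinct* usernames.

    One failure per account from the same source is the signature of
    iterating over candidate usernames to discover which ones exist.
    Returns {ip: sorted list of usernames tried}.
    """
    users_per_ip = defaultdict(set)
    for e in events:
        if not e.ok:
            users_per_ip[e.ip].add(e.user)
    return {ip: sorted(users) for ip, users in users_per_ip.items()
            if len(users) >= distinct_user_threshold}


def find_brute_force(events, fail_threshold=5):
    """(ip, username) pairs with repeated failures against one account.

    Many failures for a single username from one source is password
    guessing; a single mistyped password (as for "bob" above) stays below
    the threshold. Returns {(ip, user): failure count}.
    """
    fails = defaultdict(int)
    for e in events:
        if not e.ok:
            fails[(e.ip, e.user)] += 1
    return {key: n for key, n in fails.items() if n >= fail_threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("enumeration:", find_enumeration(evs))
    print("brute force:", find_brute_force(evs))
```

Both detectors key on failures only, so a source that enumerates accounts and then logs in successfully is still reported by `find_enumeration`; in production the thresholds would be applied per time window rather than over the whole file, and a hit would feed rate limiting or lockout rather than just a report.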
Our general advice for user accounts with superuser privileges (i.e.
priv level 3 / IXP staff) is:
* Enforce 2fa for admin users - see
https://docs.ixpmanager.org/usage/authentication/#two-factor-authentication-2fa
* Ensure all admin users are trained in basic account security /
cyber-security best practices.
* Ensure all admin users use a secure password (now enforced for new
passwords).
* Ideally, you should be using a secure password manager and not
repeating passwords across different sites.
* Ensure SSL is enabled and enforced for your IXP Manager installation
with a signed certificate.
Thanks,
- Barry
--
Kind regards,
Barry O'Donovan