Security Check and Hardening

Security checks and hardening protect the system and network against problems such as hacker attacks, data leakage, and system breakdown. They also help meet regulatory compliance requirements and protect user privacy and information security.

| Product | Security Check and Hardening |
| --- | --- |
| KBest, KScaNN, KVecTurbo, KNewPfordelta, faiss, hnswlib | Routine check using antivirus software, buffer overflow prevention, vulnerability fixing, and SSH hardening. |
| Elasticsearch | Routine check using antivirus software, vulnerability fixing, and SSH hardening. |

Routine Check Using Antivirus Software

This is applicable to all the features.

Periodically scan components using antivirus software. This protects components from viruses, malicious code, spyware, and malicious programs, reducing risks such as system breakdown and information leakage. Mainstream antivirus software can be used for the scan.

Buffer Overflow Prevention

This is applicable to all features except Elasticsearch.

To prevent buffer overflow attacks, you are advised to use address space layout randomization (ASLR). ASLR randomizes the layout of linear areas such as the heap, stack, and shared library mappings, which makes it more difficult for attackers to predict target addresses and locate code. It can be applied to heaps, stacks, and memory mapping areas (mmap base addresses, shared libraries, and vDSO pages).

Run the following command to enable this function:

echo 2 >/proc/sys/kernel/randomize_va_space

Vulnerability Fixing

This is applicable to all the features.

To ensure the security of the production environment and reduce the risk of attacks, enable the firewall and periodically fix the following vulnerabilities:

  • OS vulnerabilities
  • JDK vulnerabilities
  • OpenSSL vulnerabilities
  • Vulnerabilities in other components

    The following uses CVE-2021-37137 as an example.

    Vulnerability description:

    Netty version 4.1.17 is subject to a security advisory regarding the potential confusion of two Content-Length HTTP headers. The vulnerability ID is CVE-2021-37137.

    The system uses the hdfs-ceph (version 3.2.0) service as the storage object with decoupled storage and compute. This service depends on aws-java-sdk-bundle-1.11.375.jar and involves this vulnerability. You are advised to apply the latest security patch promptly to prevent hacker attacks.

    Affected versions:

    Netty 4.1.68 and earlier versions

    Remediation:

    The vendor has released an upgrade patch to fix the vulnerability. For details, visit GitHub.

SSH Hardening

This is applicable to all the features.

During the installation and deployment, you need to connect to the server through SSH. The root user has administrative privileges. Logging in to the server as the root user may pose security risks. You are advised to log in to the server as a non-privileged user for installation and deployment tasks, and disable SSH login for the root user to enhance system security. The procedure is as follows:

Log in to the server and check the PermitRootLogin configuration item in /etc/ssh/sshd_config.

  • If the value is no, SSH login for the root user is disabled.
  • If the value is yes, change it to no.
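
The PermitRootLogin check above and the ASLR value set under Buffer Overflow Prevention can be verified with a read-only script. The following is an added example, not part of the original document; the function names root_login_setting, aslr_is_full and audit are hypothetical, and both file paths are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original page): read-only audit of two settings
# the page asks for. Paths are arguments so copies of the files can be checked.

# Print the global PermitRootLogin value of an sshd_config file, or "unset".
# sshd keywords are case-insensitive and the first value read wins; lines
# after a "Match" line are conditional, so scanning stops there.
# Include files are not followed; "sshd -T" prints what sshd really uses.
root_login_setting() {
    awk '
        { sub(/^[ \t]+/, "") }                  # drop leading whitespace
        /^#/ || /^$/ { next }                   # skip comments and blanks
        tolower($1) == "match" { exit }
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)     # accept the "Key=value" form
            n = split(line, f, /[ \t]+/)
            if (n >= 2 && tolower(f[1]) == "permitrootlogin") {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only when the file holds 2, the value the page writes for ASLR.
aslr_is_full() {
    [ "$(cat "$1" 2>/dev/null)" = "2" ]
}

# audit SSHD_CONFIG ASLR_FILE: print one line per check, return 1 on any FAIL.
audit() {
    rc=0
    val=$(root_login_setting "$1")
    if [ "$val" = "no" ]; then
        echo "PASS PermitRootLogin=no"
    else
        # "unset" also fails: sshd's built-in default is not "no".
        echo "FAIL PermitRootLogin=$val, expected no"; rc=1
    fi
    if aslr_is_full "$2"; then
        echo "PASS randomize_va_space=2"
    else
        echo "FAIL randomize_va_space is not 2"; rc=1
    fi
    return "$rc"
}
```

Run it as `audit /etc/ssh/sshd_config /proc/sys/kernel/randomize_va_space`. A value written to /proc does not survive a reboot, so rerun the check after restarts.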