This is part two of a two-part series on hardening an Autopsy Multi-user Cluster. The Autopsy documentation states, "A multi-user deployment must be in a private network to ensure that only authorized users can access data. Remote sites should connect to central services via a VPN." This does not mean we should not harden Autopsy further. In this series, we go over additional steps that can be taken to make an Autopsy Multi-user Cluster more secure, building on the Setting Up Multi-user Cluster documentation. It is recommended to read Part 1 along with this guide.
ActiveMQ
We are going to start from the Configuring Authentication section of Install and Configure ActiveMQ. Actually, we are just going to throw it out, because that method stores passwords in plain text. Instead, I am going to show you how to set up encrypted passwords and how to change the password on the web console.
Broker Security using Simple Authentication Plugin (Encrypted Password)
Step 1: Add the following elements to conf/activemq.xml to set up the encryption method, the encryption key, and the properties file.
<!-- Allows us to use encrypted system properties as variables in this configuration file -->
<bean id="environmentVariablesConfiguration" class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
    <property name="algorithm" value="PBEWithMD5AndDES" />
    <property name="passwordEnvName" value="ACTIVEMQ_ENCRYPTION_PASSWORD" />
</bean>
<bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
    <property name="config" ref="environmentVariablesConfiguration" />
</bean>
<bean id="propertyConfigurer" class="org.jasypt.spring4.properties.EncryptablePropertyPlaceholderConfigurer">
    <constructor-arg ref="configurationEncryptor" />
    <property name="location" value="file:${activemq.conf}/credentials-enc.properties"/>
</bean>
In the preceding snippet, the propertyConfigurer bean, which uses configurationEncryptor to decrypt values, points to credentials-enc.properties. This file is used to pass the encrypted username and password to the ActiveMQ broker configuration; its entries can be referenced from activemq.xml as ${property} placeholders.
The secret key used to encrypt the passwords is passed to the broker as an environment variable (ACTIVEMQ_ENCRYPTION_PASSWORD, the name given by passwordEnvName above). We will do that in Step 5. Note that the algorithm configured here (PBEWithMD5AndDES) must match the algorithm the encrypt command used, or the broker will not be able to decrypt the values.
The next step is to encrypt the passwords.
Step 2: To add a password to the credentials-enc.properties file, we must first encrypt it with the ActiveMQ encrypt command.
activemq.bat encrypt --password mysecretkey --input c0mp!ex@01
where --password is the secret used by the encryptor and --input is the password you want to encrypt. The command prints the encrypted value. After encrypting all the passwords, add them to the credentials-enc.properties file.
Step 3: Add the encrypted passwords to the credentials-enc.properties file.
activemq.username=system
activemq.password=ENC(sD3S95bFWIhMDmuKejdOl7Oea2LYkolwiPjzDtBY6Fc=)
guest.password=ENC(cNryOPepZzOgJnlcq/i+gBPgpte3Z5kIqXiwAK1yMfA=)
user.password=ENC(AbBRIYkG9/bibk6ojMeYwLgGk68fsMOAPLlAdu2CWNg=)
autopsy.password=ENC(V0Lwgh2SFXZlTSoFT4Y9pQWFYfle6T/RSUWNhN2ksQU=)
Here we have configured four usernames and their passwords:
- activemq.username and activemq.password for the default system account (this account is used by the web console to access the broker resources)
- guest.password for the guest-privileged account
- user.password for the user-privileged account
- autopsy.password for the autopsy-privileged account
Step 4: Add the following Simple Authentication Plugin to the activemq.xml file, right after the opening <broker> tag:
<plugins>
    <!-- Configure authentication; Username, passwords and groups -->
    <simpleAuthenticationPlugin>
        <users>
            <authenticationUser username="system" password="${activemq.password}" groups="users,admins"/>
            <authenticationUser username="user" password="${user.password}" groups="users"/>
            <authenticationUser username="autopsy" password="${autopsy.password}" groups="users"/>
            <authenticationUser username="guest" password="${guest.password}" groups="guests"/>
        </users>
    </simpleAuthenticationPlugin>
</plugins>
Step 5: Run ActiveMQ using the encrypted passwords
To run the ActiveMQ broker with the encrypted password configuration, follow these steps:
- Set the environment variable holding the encryption secret (this must be the same value passed to --password in Step 2):
setx /M ACTIVEMQ_ENCRYPTION_PASSWORD <secret>
- Start the ActiveMQ service.
- Remove the environment variable again, so the secret does not stay in the registry:
REG delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /F /V ACTIVEMQ_ENCRYPTION_PASSWORD
The broker only reads the variable while it is starting, so it has to be set again before every restart of the service.
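The same Step 5 sequence as a PowerShell function, added here as an example; it is not from the original post or from the ActiveMQ project. It assumes the broker was registered as a Windows service named ActiveMQ and that the script runs in an elevated session. Compared with typing setx and the secret on the command line, it reads the secret without echoing it or leaving it in command history, and it removes the variable even when the service fails to start.

```powershell
# Added example (not from the original post): start the ActiveMQ Windows service with the
# jasypt secret present in the machine environment only for the duration of service start-up.
# Assumptions: the service name is "ActiveMQ" and this runs in an elevated PowerShell session.

function Start-ActiveMQWithEncryptionSecret {
    param(
        [string]$ServiceName  = 'ActiveMQ',                     # assumed service name
        [string]$VariableName = 'ACTIVEMQ_ENCRYPTION_PASSWORD'  # matches passwordEnvName in activemq.xml
    )

    # Read the secret as a SecureString so it is not echoed and does not land in the
    # PowerShell history file the way "setx ... <secret>" lands in cmd history.
    $secure = Read-Host -Prompt "Secret used with 'activemq encrypt --password'" -AsSecureString
    $plain  = [pscredential]::new('unused', $secure).GetNetworkCredential().Password

    try {
        # Machine scope is what a service sees; this writes to the same registry key that
        # the REG delete step removes afterwards.
        [Environment]::SetEnvironmentVariable($VariableName, $plain, 'Machine')

        Start-Service -Name $ServiceName
        (Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
        Write-Host "$ServiceName is running; ENC(...) values were decrypted at start-up."
    }
    finally {
        # Remove the variable whether or not the service started, so the secret does not
        # remain in HKLM\...\Session Manager\Environment.
        [Environment]::SetEnvironmentVariable($VariableName, $null, 'Machine')
        $plain = $null
    }

    # Sanity check: the secret must no longer be readable from the machine environment.
    if ([Environment]::GetEnvironmentVariable($VariableName, 'Machine')) {
        throw "$VariableName is still set at machine scope"
    }
}

Start-ActiveMQWithEncryptionSecret
```

Because the variable is gone once the function returns, the same function has to be run again for every restart of the service; that is the trade-off the post makes in exchange for not leaving the secret on disk.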
Secure the console by encrypting the web-console username and password
By default, web console user credentials are stored in jetty-realm.properties. It contains clear-text usernames and passwords, as shown below:
# Defines users that can access the web (console, demo, etc.)
# username: password [,rolename ...]
admin: admin, admin
user: user, user
Now we need to encrypt this password. This is how to do that:
Download Jetty from https://www.eclipse.org/jetty/download.html. Unzip and untar the downloaded package into the desired location on your server; you will end up with a directory such as jetty-distribution-9.4.10.v20180503 (the version may differ). cd into that directory and run the password tool:
java -cp lib/jetty-util-9.4.10.v20180503.jar org.eclipse.jetty.util.security.Password adminuser admin
2018-05-22 02:48:41.398:INFO::main: Logging initialized @179ms to org.eclipse.jetty.util.log.StdErrLog
admin
OBF:1u2a1toa1w8v1tok1u30
MD5:21232f297a57a5a743894a0e4a801fc3
CRYPT:adpexzg3FUZAk
Here adminuser is the salt used to encrypt the password, not the actual username, and admin is the password. The last line contains our encrypted password:
CRYPT:adpexzg3FUZAk
Of the three forms printed, OBF is reversible obfuscation rather than a hash, MD5 is an unsalted digest, and CRYPT is the traditional Unix crypt. None of them is a strong modern password hash, so keeping the web console reachable only from the private network the Autopsy documentation requires still matters.
Now copy this password into jetty-realm.properties, replacing the clear-text password. Do the same with the user account.
# Defines users that can access the web (console, demo, etc.)
# username: password [,rolename ...]
admin: CRYPT:adpexzg3FUZAk, admin
user: user, user
Start or restart your ActiveMQ instance.
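An audit check for the two files edited in this guide, added as an example that is not part of the original post: it parses jetty-realm.properties and credentials-enc.properties and reports every password that is still in clear text (in the listing above, that is the user account). The sample lines are constructed from the listings in this post; the function names are my own.

```powershell
# Added example (not from the original post): flag clear-text passwords left in the two
# properties files this guide edits. Input is a list of lines so Get-Content output works too.

function Test-JettyRealmPasswords {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#')) { continue }
        # Format: username: password [,rolename ...]
        if ($t -notmatch '^(?<user>[^:]+):\s*(?<pw>[^,]+)') { continue }
        $user = $Matches.user.Trim()
        $pw   = $Matches.pw.Trim()
        # CRYPT:/MD5: are one-way forms; OBF: is reversible obfuscation; anything else is clear text.
        $state = if ($pw -match '^(CRYPT|MD5):') { 'hashed' }
                 elseif ($pw -match '^OBF:')     { 'obfuscated' }
                 else                            { 'clear-text' }
        [pscustomobject]@{ File = 'jetty-realm.properties'; Entry = $user; State = $state }
    }
}

function Test-ActiveMQCredentials {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#')) { continue }
        $key, $value = $t -split '=', 2
        if ($key -notlike '*.password') { continue }   # only password properties matter
        # The broker only decrypts values wrapped as ENC(...); anything else is used verbatim.
        $state = if ($value -match '^ENC\(.+\)$') { 'encrypted' } else { 'clear-text' }
        [pscustomobject]@{ File = 'credentials-enc.properties'; Entry = $key; State = $state }
    }
}

# Constructed sample input mirroring the listings in this post (not live credentials).
$realmLines = @(
    '# username: password [,rolename ...]',
    'admin: CRYPT:adpexzg3FUZAk, admin',
    'user: user, user'
)
$credLines = @(
    'activemq.username=system',
    'activemq.password=ENC(sD3S95bFWIhMDmuKejdOl7Oea2LYkolwiPjzDtBY6Fc=)',
    'guest.password=guest'
)

$report = @(Test-JettyRealmPasswords -Lines $realmLines) + @(Test-ActiveMQCredentials -Lines $credLines)
$report | Format-Table -AutoSize
$clear = @($report | Where-Object { $_.State -eq 'clear-text' })
if ($clear.Count -gt 0) {
    Write-Warning ("{0} clear-text password(s) remain: {1}" -f $clear.Count, ($clear.Entry -join ', '))
}
```

On the sample input this reports user and guest.password as clear-text. To run it against the real files, pass `Get-Content` of the files under your ActiveMQ conf directory as the -Lines argument of each function.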
Conclusion
In this second part, we secured ActiveMQ by encrypting the passwords so they are no longer stored in plain text. We also went further by encrypting and changing the password for the web console. I hope you enjoyed these guides and that they help you make your Autopsy Multi-user Cluster a little more secure.