GreenRADIUS Security Recommendations and Considerations

The following items are recommendations to consider to help secure your GreenRADIUS instances.

  1. Change default passwords
    • Web admin interface (change for both default users root and gradmin)
    • Command line (change for the gradmin user)
      • Note: The passwords for web admin interface users and command line users are managed separately, so be sure to change the default passwords for both
  2. Enforce two-factor authentication for GreenRADIUS admin accounts
  3. Replace the default self-signed certificate with a certificate signed by a trusted CA
  4. Restrict web admin interface access by IP address
    • Webmin > Webmin Configuration > IP Access Control
  5. Enable the UFW (onboard firewall) and set policies to restrict access (if an external firewall will not be used)
  6. If the onboard OpenLDAP nor the LDAP Authenticator Module will not be used, use a docker-compose-override file to prevent the OpenLDAP container from starting up
  7. Enable encryption of token secrets prior to importing or registering any tokens
    • Global Configuration tab > General
  8. If the YubiCloud will be used to validate YubiKey OTPs (instead of validating locally within GreenRADIUS), obtain a new Client ID and API Key from the Yubico site
    • Set in Global Configuration tab > Validation Server
  9. Set strong shared secrets when configuring RADIUS and ADFS clients
  10. Enable auto-logout after a certain period of inactivity in the web admin interface
    • Webmin > Webmin Configuration > Authentication
  11. Enable blocking of user accounts to prevent brute force attacks
  12. Make sure to apply the GreenRADIUS updates timely

Web Analytics Made Easy -
StatCounter

Updated 2021-06-26
© 2021 Green Rocket Security Inc. All rights reserved.