
Security Hardening


NOTE: If this is an upgrade from a previous version, skip this entire Security Hardening section. Proceed directly to the next installation phase.

Configuration

The security hardening RPM for this version of the product can be obtained from Cisco.

Upload the RPM to /home/opanga/packages/{yyyy‑mm‑dd} on each server, then execute the following commands:

sudo rpm -Uvh security-hardening-VERSION.x86_64.rpm
cd /opt/security

Review and configure as necessary the following files:

  • sshd_config_allow_users.txt

  • warning.txt

  • MBSS_OS_RockyLinux8_187_input.txt

  • MBSS_OS_RockyLinux8_137_input.txt

  • MBSS_OS_RockyLinux8_149_input.txt

sshd_config_allow_users.txt

Space-separated list of users allowed to connect over SSH. Default value: ncss opanga

warning.txt

This is the warning that is printed when connecting to the server via SSH. If the company name or the text needs to be changed per the customer’s agreement, modify this file according to the text provided by the customer.

MBSS_OS_RockyLinux8_187_input.txt

Control: Ensure /etc/hosts.allow The default values allow access from all hosts.

On the first line enter a comma separated list of /

Note: Each / combination (ex. 192.168.1.0/255.255.255) represents one network block in use by your organization that requires access to this system.

Example: /, /, … Leave the rest of the lines as is.

MBSS_OS_RockyLinux8_137_input.txt

Account lockout duration: specifies the number of seconds between failed login attempts. Default value: 300

MBSS_OS_RockyLinux8_149_input.txt

Maximum password age in days: allows an administrator to force passwords to expire once they reach a defined age. Default value: 360
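
A pre-flight check for two of the files above, added here as an example (it is not part of the hardening RPM or any Cisco tooling): it confirms that the account you administer with appears in sshd_config_allow_users.txt and that every entry on the first line of MBSS_OS_RockyLinux8_187_input.txt is a well-formed network/netmask pair. The function names and the four-octet dotted NET/MASK entry format are assumptions.

```shell
# Added example: function names are hypothetical; dotted-quad NET/MASK is assumed.

valid_quad() {                       # 0 if $1 is four octets, each 0..255
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

valid_netblock() {                   # 0 if $1 is NET/MASK, both dotted quads
    case "$1" in
        */*) valid_quad "${1%/*}" && valid_quad "${1#*/}" ;;
        *)   return 1 ;;
    esac
}

check_netblocks() {                  # validate the first line of file $1
    line=; rc=0
    IFS= read -r line < "$1" || [ -n "$line" ] || return 1
    save_ifs=$IFS; IFS=,; set -f; set -- $line; set +f; IFS=$save_ifs
    [ "$#" -gt 0 ] || return 1
    for entry in "$@"; do
        entry=$(printf '%s' "$entry" | tr -d ' \t\r')
        valid_netblock "$entry" || { echo "bad netblock: '$entry'" >&2; rc=1; }
    done
    return "$rc"
}

user_allowed() {                     # 0 if user $2 is listed in file $1
    for u in $(cat "$1"); do
        [ "$u" = "$2" ] && return 0
    done
    return 1
}

preflight() {                        # $1 = config dir, $2 = admin login
    ok=0
    user_allowed "$1/sshd_config_allow_users.txt" "$2" ||
        { echo "$2 is not in the SSH allow list" >&2; ok=1; }
    check_netblocks "$1/MBSS_OS_RockyLinux8_187_input.txt" || ok=1
    return "$ok"
}

# Runs only when given arguments, e.g.: sh preflight.sh /opt/security opanga
[ "$#" -eq 0 ] || preflight "$@"
```

A non-zero exit status means at least one of the two files should be corrected before the hardening script is run.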

Script Execution

Start the security hardening process by running the run_sec_hard.sh script as root:

cd /opt/security
sudo ./run.sh

When the script finishes, it prints the location of the security audit output log.

See log /tmp/security_audit.sh.<date time now>

Review the log files generated in the /tmp directory, the log.txt file in the current directory, and /root/security_audit_backup.tar.gz. Move all these files and the security scripts to the customer Dropbox folder.

Additional Steps

If the management UI is unavailable after running the script, restart the docker service on the servers. This can be done by:

sudo systemctl restart docker

After running this, the management system should become available.

© 2026 Cisco and/or its affiliates. All rights reserved.
