70 lines
2.6 KiB
Markdown
70 lines
2.6 KiB
Markdown
|
# Security
|
||
|
|
|
||
|
|
## DD Configurations
|
||
|
|
|
||
|
|
Currently the DD has the following specific options related to security:
|
||
|
|
|
||
|
|
### Web Application Firewall (WAF) / Modsecurity
|
||
|
|
|
||
|
|
Web Application Firewall/Modsecurity can be enabled following [these instructions](waf-modsecurity.md).
|
||
|
|
|
||
|
|
### ClamAV / Antivirus
|
||
|
|
|
||
|
|
As is done when enabling [WAF](waf-modsecurity.md), `ClamAV` can be enabled setting the variable `DISABLE_CLAMAV` to `true` in `dd.conf` and running:
|
||
|
|
|
||
|
|
```sh
|
||
|
|
# Regenerate docker-compose.yml
|
||
|
|
./dd-ctl yml
|
||
|
|
# Start the container
|
||
|
|
./dd-ctl up
|
||
|
|
# Apply specific ClamAV configurations in other services
|
||
|
|
./dd-ctl personalize
|
||
|
|
```
|
||
|
|
|
||
|
|
## General system security
|
||
|
|
|
||
|
|
System security can be complex, general criteria are set out here to help protect the system.
|
||
|
|
|
||
|
|
Remember that you will have to apply your professional criteria to adapt following recommendations to your requirements.
|
||
|
|
|
||
|
|
|
||
|
|
### `dd.conf` file
|
||
|
|
|
||
|
|
This is the main system configuration, **only the system administrators** must access it! Be sure that file permissions are set according to it.
|
||
|
|
|
||
|
|
Review in new versions of DD the changes done in `dd.conf.sample` and set your `dd.conf` according to these changes.
|
||
|
|
|
||
|
|
### Firewall
|
||
|
|
|
||
|
|
As any exposed service in internet, is important to set correctly a firewall, DD only needs to be allowed the tcp ports 80/HTTP and 443/HTTPS.
|
||
|
|
|
||
|
|
One option is using `ufw` with `deny` default incoming policy, and only allow 80 and 443 over TCP.
|
||
|
|
|
||
|
|
Be careful to not disable access of ssh port if you are using it, as it will denies access to the system!
|
||
|
|
Read more about it in [SSH access](#acces-ssh).
|
||
|
|
|
||
|
|
### SSH access
|
||
|
|
|
||
|
|
Ideally, configure the firewall to deny access to all connections to port 22/SSH TCP.
|
||
|
|
|
||
|
|
If you are not using a VPN, but you have any range of public ips, you can allow access to port 22/SSH to one of these public ips.
|
||
|
|
|
||
|
|
If you are using a VPN, this is the best option. You'll need to configure in `/etc/ssh/sshd_config` the option `ListenAddress` to only allow the connection from the range of your VPN IP. Or set the firewall to only allow VPN IPs range.
|
||
|
|
|
||
|
|
### SSH authentication
|
||
|
|
|
||
|
|
**Never** use **password** when authenticating via ssh.
|
||
|
|
|
||
|
|
Always use **asymmetric keys** and, if possible, a physical security device that keeps your private key in a secure way, something like [YubiKey](https://yubico.com).
|
||
|
|
|
||
|
|
### Intrussion detection
|
||
|
|
|
||
|
|
It is recommended to deploy `rkhunter` to detect system anomalies.
|
||
|
|
You can read configuration recommendations on this [wiki][serverstats].
|
||
|
|
|
||
|
|
## Other resources
|
||
|
|
|
||
|
|
You can read more about security questions in this [public documentation][serverstats].
|
||
|
|
|
||
|
|
[serverstats]: https://gitlab.com/MaadiX/server-stats-and-check/-/wikis/en_home
|