From b63cb092f972497de4e1e1f6615dcef2d5f4ed71 Mon Sep 17 00:00:00 2001 From: Aleix Quintana Alsius Date: Sun, 23 Apr 2023 17:06:55 +0000 Subject: [PATCH] Security translation --- docs/contributing.md | 2 +- docs/security.md | 69 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 70 insertions(+), 1 deletion(-) create mode 100644 docs/security.md diff --git a/docs/contributing.md b/docs/contributing.md index 1d73758..4ff20e2 100644 --- a/docs/contributing.md +++ b/docs/contributing.md @@ -100,7 +100,7 @@ Before integrating a Merge Request, we need to make sure that this checklist is - [ ] The new features which may have negative effects, only will be applied by default when operators did have enough time to disable these before. -If any of these steps fails, we'll try to help who requested the code merging to solve the problems. +If any of these steps fails, we'll try to help whoever has requested the code merge to solve the problems. [buildbot]: https://buildbot.net [pola]: https://en.wikipedia.org/wiki/Principle_of_least_astonishment \ No newline at end of file diff --git a/docs/security.md b/docs/security.md new file mode 100644 index 0000000..bcd985e --- /dev/null +++ b/docs/security.md 
@@ -0,0 +1,69 @@ +# Security + +## DD Configurations + +Currently the DD has the following specific options related to security: + +### Web Application Firewall (WAF) / Modsecurity + +Web Application Firewall/Modsecurity can be enabled following [these instructions](waf-modsecurity.md). + +### ClamAV / Antivirus + +As is done when enabling [WAF](waf-modsecurity.md), `ClamAV` can be enabled setting the variable `DISABLE_CLAMAV` to `true` in `dd.conf` and running: + +```sh +# Regenerate docker-compose.yml +./dd-ctl yml +# Start the container +./dd-ctl up +# Apply specific ClamAV configurations in other services +./dd-ctl personalize +``` + +## General system security + +System security can be complex, general criteria are set out here to help protect the system. + +Remember that you will have to apply your professional criteria to adapt following recommendations to your requirements. + + +### `dd.conf` file + +This is the main system configuration, **only the system administrators** must access it! Be sure that file permissions are set according to it. + +Review in new versions of DD the changes done in `dd.conf.sample` and set your `dd.conf` according to these changes. + +### Firewall + +As any exposed service in internet, is important to set correctly a firewall, DD only needs to be allowed the tcp ports 80/HTTP and 443/HTTPS. + +One option is using `ufw` with `deny` default incoming policy, and only allow 80 and 443 over TCP. + +Be careful to not disable access of ssh port if you are using it, as it will denies access to the system! +Read more about it in [SSH access](#acces-ssh). + +### SSH access + +Ideally, configure the firewall to deny access to all connections to port 22/SSH TCP. + +If you are not using a VPN, but you have any range of public ips, you can allow access to port 22/SSH to one of these public ips. + +If you are using a VPN, this is the best option. 
You'll need to configure in `/etc/ssh/sshd_config` the option `ListenAddress` to only allow the connection from the range of your VPN IP. Or set the firewall to only allow VPN IPs range. + +### SSH authentication + +**Never** use **password** when authenticating via ssh. + +Always use **asymmetric keys** and, if possible, a physical security device that keeps your private key in a secure way, something like [YubiKey](https://yubico.com). + +### Intrussion detection + +It is recommended to deploy `rkhunter` to detect system anomalies. +You can read configuration recommendations on this [wiki][serverstats]. + +## Other resources + +You can read more about security questions in this [public documentation][serverstats]. + +[serverstats]: https://gitlab.com/MaadiX/server-stats-and-check/-/wikis/en_home
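Review bot: contributing.md is still left without a trailing newline (the `\ No newline at end of file` marker after the `[pola]:` reference); since this hunk already touches the end of the file, add the final newline so the next change to the reference list does not show up as a spurious diff on that line. While here, the context line `The new features which may have negative effects, only will be applied by default when operators did have enough time to disable these before.` is the same kind of translation artefact the hunk fixes and would read better as `New features that may have negative effects will only be enabled by default once operators have had enough time to disable them.`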
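Review bot: the ClamAV enablement step in the security.md hunk appears inverted: `ClamAV can be enabled setting the variable DISABLE_CLAMAV to true` reads as disabling it, so unless the variable name is wrong the instruction should say `false`; check against `dd.conf.sample` and state the exact value. The cross-reference in the Firewall section is broken: `[SSH access](#acces-ssh)` still points at the anchor of the untranslated heading, while the heading in this file is `### SSH access`, so the link should be `#ssh-access`. In the SSH access section, `ListenAddress` in `sshd_config` takes the server's own local address (the VPN interface IP), not the client range, so the sentence about using it `to only allow the connection from the range of your VPN IP` should say to bind sshd to the VPN interface address; restricting by client source range is what the firewall rule (or a `Match Address` block in `sshd_config`) does. The Firewall section would be more actionable with the ufw commands it alludes to, with the SSH rule added before `ufw enable` so the lockout warning can be followed: `ufw default deny incoming`, `ufw allow 80/tcp`, `ufw allow 443/tcp`, plus an `ufw allow from <vpn-range> to any port 22 proto tcp` rule if SSH is kept. In the `dd.conf` section, `Be sure that file permissions are set according to it` should name the expected setting, for example owned by the administrator account with mode `600`. The heading `Intrussion detection` is misspelled (`Intrusion`), and since rkhunter is a rootkit and host-integrity scanner rather than an intrusion detection system, `Rootkit detection` would describe the section more accurately. Smaller translation leftovers: `As any exposed service in internet, is important to set correctly a firewall` should read `As with any service exposed to the internet, it is important to configure a firewall correctly`; `public ips` should be `public IPs`; `Modsecurity` should be `ModSecurity`.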