Security translation
parent
cd78248bff
commit
b63cb092f9
@ -100,7 +100,7 @@ Before integrating a Merge Request, we need to make sure that this checklist is
- [ ] The new features which may have negative effects, only will be applied by default when operators did have enough time to disable these before.
- [ ] The new features which may have negative effects, only will be applied by default when operators did have enough time to disable these before.
If any of these steps fails, we'll try to help who requested the code merging to solve the problems.
If any of these steps fails, we'll try to help whoever has requested the code merge to solve the problems.
[buildbot]: https://buildbot.net
[buildbot]: https://buildbot.net
[pola]: https://en.wikipedia.org/wiki/Principle_of_least_astonishment
[pola]: https://en.wikipedia.org/wiki/Principle_of_least_astonishment
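Review bot: the checklist item "The new features which may have negative effects, only will be applied by default when operators did have enough time to disable these before." is left untouched in this hunk while the sentence a few lines below is rewritten, even though the commit is titled "Security translation"; that item needs the same pass, for example "New features that may have negative side effects are only enabled by default once operators have had enough time to disable them." The change from "we'll try to help who requested the code merging" to "we'll try to help whoever has requested the code merge" reads well, and the `[buildbot]` and `[pola]` link references are unchanged context.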
@ -0,0 +1,69 @@
# Security
## DD Configurations
Currently the DD has the following specific options related to security:
### Web Application Firewall (WAF) / Modsecurity
Web Application Firewall/Modsecurity can be enabled following [these instructions](waf-modsecurity.md).
### ClamAV / Antivirus
As is done when enabling [WAF](waf-modsecurity.md), `ClamAV` can be enabled setting the variable `DISABLE_CLAMAV` to `true` in `dd.conf` and running:
```sh
# Regenerate docker-compose.yml
./dd-ctl yml
# Start the container
./dd-ctl up
# Apply specific ClamAV configurations in other services
./dd-ctl personalize
```
## General system security
System security can be complex, general criteria are set out here to help protect the system.
Remember that you will have to apply your professional criteria to adapt following recommendations to your requirements.
### `dd.conf` file
This is the main system configuration, **only the system administrators** must access it! Be sure that file permissions are set according to it.
Review in new versions of DD the changes done in `dd.conf.sample` and set your `dd.conf` according to these changes.
### Firewall
As any exposed service in internet, is important to set correctly a firewall, DD only needs to be allowed the tcp ports 80/HTTP and 443/HTTPS.
One option is using `ufw` with `deny` default incoming policy, and only allow 80 and 443 over TCP.
Be careful to not disable access of ssh port if you are using it, as it will denies access to the system!
Read more about it in [SSH access](#acces-ssh).
### SSH access
Ideally, configure the firewall to deny access to all connections to port 22/SSH TCP.
If you are not using a VPN, but you have any range of public ips, you can allow access to port 22/SSH to one of these public ips.
If you are using a VPN, this is the best option. You'll need to configure in `/etc/ssh/sshd_config` the option `ListenAddress` to only allow the connection from the range of your VPN IP. Or set the firewall to only allow VPN IPs range.
### SSH authentication
**Never** use **password** when authenticating via ssh.
Always use **asymmetric keys** and, if possible, a physical security device that keeps your private key in a secure way, something like [YubiKey](https://yubico.com).
### Intrussion detection
It is recommended to deploy `rkhunter` to detect system anomalies.
You can read configuration recommendations on this [wiki][serverstats].
## Other resources
You can read more about security questions in this [public documentation][serverstats].
[serverstats]: https://gitlab.com/MaadiX/server-stats-and-check/-/wikis/en_home
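Review bot: the ClamAV instruction in this new file looks inverted: "`ClamAV` can be enabled setting the variable `DISABLE_CLAMAV` to `true`" would, going by the variable's name, turn the antivirus off, so either the value should be `false` or the variable name is wrong; please check it against `dd.conf.sample` before merging, because an operator following the text as written ends up without ClamAV. Two smaller points in the same file: the link `[SSH access](#acces-ssh)` will not resolve, since the heading is `### SSH access` and GitLab generates `#ssh-access` for it, and `### Intrussion detection` should read `### Intrusion detection`. In the Firewall section it would also help to state that the rule allowing the SSH port (or the VPN range) must be added before `ufw` is switched to a default `deny` incoming policy, since the text already warns that blocking SSH denies access to the system.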