EDUCATIC
/
digitaldemocratic
mirror of https://gitlab.com/digitaldemocratic/digitaldemocratic
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
digitaldemocratic/docs/security.md

70 lines
2.6 KiB
Markdown
Raw Blame History

# Security
## DD Configurations
Currently the DD has the following specific options related to security:
### Web Application Firewall (WAF) / Modsecurity
Web Application Firewall/Modsecurity can be enabled following [these instructions](waf-modsecurity.md).
### ClamAV / Antivirus
As is done when enabling [WAF](waf-modsecurity.md), `ClamAV` can be enabled setting the variable `DISABLE_CLAMAV` to `true` in `dd.conf` and running:
```sh
# Regenerate docker-compose.yml
./dd-ctl yml
# Start the container
./dd-ctl up
# Apply specific ClamAV configurations in other services
./dd-ctl personalize
```
## General system security
System security can be complex, general criteria are set out here to help protect the system.
Remember that you will have to apply your professional criteria to adapt following recommendations to your requirements.
### `dd.conf` file
This is the main system configuration, **only the system administrators** must access it! Be sure that file permissions are set according to it.
Review in new versions of DD the changes done in `dd.conf.sample` and set your `dd.conf` according to these changes.
### Firewall
As any exposed service in internet, is important to set correctly a firewall, DD only needs to be allowed the tcp ports 80/HTTP and 443/HTTPS.
One option is using `ufw` with `deny` default incoming policy, and only allow 80 and 443 over TCP.
Be careful to not disable access of ssh port if you are using it, as it will denies access to the system!
Read more about it in [SSH access](#acces-ssh).
### SSH access
Ideally, configure the firewall to deny access to all connections to port 22/SSH TCP.
If you are not using a VPN, but you have any range of public ips, you can allow access to port 22/SSH to one of these public ips.
If you are using a VPN, this is the best option. You'll need to configure in `/etc/ssh/sshd_config` the option `ListenAddress` to only allow the connection from the range of your VPN IP. Or set the firewall to only allow VPN IPs range.
### SSH authentication
**Never** use **password** when authenticating via ssh.
Always use **asymmetric keys** and, if possible, a physical security device that keeps your private key in a secure way, something like [YubiKey](https://yubico.com).
### Intrussion detection
It is recommended to deploy `rkhunter` to detect system anomalies.
You can read configuration recommendations on this [wiki][serverstats].
## Other resources
You can read more about security questions in this [public documentation][serverstats].
[serverstats]: https://gitlab.com/MaadiX/server-stats-and-check/-/wikis/en_home
Reference in New Issue View Git Blame Copy Permalink