Security
DD Configurations
Currently the DD has the following specific options related to security:
Web Application Firewall (WAF) / Modsecurity
The Web Application Firewall (ModSecurity) can be enabled by following these instructions.
ClamAV / Antivirus
As is done when enabling the WAF, ClamAV can be enabled by setting the variable DISABLE_CLAMAV to true in dd.conf and running:
# Regenerate docker-compose.yml
./dd-ctl yml
# Start the container
./dd-ctl up
# Apply specific ClamAV configurations in other services
./dd-ctl personalize
General system security
System security can be complex. General criteria are set out here to help protect the system.
Remember that you will have to apply your professional judgement to adapt the following recommendations to your requirements.
dd.conf file
This is the main system configuration file; only system administrators must have access to it! Make sure the file permissions are set accordingly.
When a new version of DD is released, review the changes made to dd.conf.sample and update your dd.conf accordingly.
Firewall
As with any service exposed to the internet, it is important to configure a firewall correctly. DD only needs TCP ports 80/HTTP and 443/HTTPS to be allowed.
One option is to use ufw with a default incoming policy of deny, allowing only 80 and 443 over TCP.
Be careful not to block the SSH port if you are using it, as this will deny you access to the system! Read more about it in SSH access.
SSH access
Ideally, configure the firewall to deny all connections to port 22/SSH TCP.
If you are not using a VPN, but you have a range of public IPs, you can allow access to port 22/SSH to one of these public IPs.
If you are using a VPN, this is the best option. You'll need to set the ListenAddress option in /etc/ssh/sshd_config to only allow connections from your VPN IP range, or set the firewall to only allow the VPN IP range.
SSH authentication
Never use passwords when authenticating via SSH.
Always use asymmetric keys and, if possible, a physical security device that keeps your private key in a secure way, something like YubiKey.
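The checks below are an added example, not part of DD or its documentation: a small POSIX shell audit covering the dd.conf permission advice and the SSH access and SSH authentication advice above. The function names are hypothetical, the dd.conf path is whatever you pass in, and the parser reads only the global section of a single sshd_config file.

```shell
#!/bin/sh
# Added example: audit helpers for this page's dd.conf and SSH advice.
# Function names are hypothetical; nothing here ships with DD.

# conf_perms_ok FILE: 0 if only the owner has any access, 1 if group or
# others have access, 2 if the file cannot be inspected.
conf_perms_ok() {
    perms=$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)
    [ -n "$perms" ] || return 2
    [ "$perms" = "------" ]
}

# sshd_value FILE KEYWORD: print the first uncommented value of KEYWORD.
# sshd keeps the first value it reads; keywords are case-insensitive.
# Limits: global section only (stops at Match), no Include, no "key=value".
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_dd_host DD_CONF SSHD_CONFIG: print findings, return their count.
audit_dd_host() {
    findings=0
    if ! conf_perms_ok "$1"; then
        echo "FAIL: $1 is missing or accessible by group/others"
        findings=$((findings + 1))
    fi
    # OpenSSH allows passwords unless this is explicitly set to "no".
    pw=$(sshd_value "$2" PasswordAuthentication | tr 'A-Z' 'a-z')
    if [ "$pw" != "no" ]; then
        echo "FAIL: PasswordAuthentication is not 'no' in $2"
        findings=$((findings + 1))
    fi
    # Without ListenAddress, sshd listens on every local address.
    if [ -z "$(sshd_value "$2" ListenAddress)" ]; then
        echo "WARN: no ListenAddress in $2"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage (paths are the caller's): audit_dd_host ./dd.conf /etc/ssh/sshd_config
```

On a live host, `sshd -T` prints the configuration sshd actually resolves, including Include and Match handling, and is the authoritative check.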
Intrusion detection
It is recommended to deploy rkhunter to detect system anomalies.
You can read configuration recommendations on this wiki.
Other resources
You can read more about security questions in this public documentation.