doc/security.md

# Security

YunoHost has been developed to provide the best security without too much complication. Every protocol used in YunoHost are **encrypted**, only password's hash are stored and by default each user is able to access to his personal directory only.

Two things remain important to note:

* Installing additional apps can **significantly increase** the number of potential security flaws. Do not hesitate to get information about security flaws **before installing an app**, and try to install only apps which will suit your needs.

* The fact that YunoHost is a well-spread software increases the chances of an attack. If a flaw is discovered, it could potentially affect all the YunoHost instances at once. Keep your system **up-to-date** to remain safe.

*If you need advice, do not hesitate to [ask us](/help).*

*To talk about security flaws, contact the [YunoHost security team](/security_team).*

---

## Improve security
If your YunoHost server is used in a critical production environment, or if you want to improve its safety, you may want to follow those good practices.

**Attention:** *Following those instructions requires advanced knowledge of system administration.*

### SSH authentication via key
By default, the SSH authentication uses the administration password. Deactivating this kind of authentication and replacing it by a key mechanism is advised.

**On your client**:

```bash
ssh-keygen
ssh-copy-id -i ~/.ssh/id_rsa.pub <your_yunohost_server>
```

Type your admnistration password and your key will be copied on your server. 

**On your server**, edit the SSH configuration file, in order to deactivate the password authentication.

```bash
nano /etc/ssh/sshd_config

# Modify or add the following line
PasswordAuthentication no
```

Save and restart SSH daemon.
```bash
systemctl restart ssh
```
---

### Modify SSH port

To prevent SSH connection attempts by robots that scan the Internet for any servers with SSH accessible, you can change the SSH port.

**On your server**, edit the ssh configuration file, in order to modify SSH port.

```bash
nano /etc/ssh/sshd_config
```
**Search line "Port" and replace** port number (by default 22) by another not used number
```bash
# What ports, IPs and protocols we listen for
Port 22 # to replace by 9777 for example
```

**Open the port** in firewall (you can use -6 option to limit forbid ipv4 connexion)
```bash
yunohost firewall allow TCP 9777
``` 

Save and restart SSH daemon. Switch over to the new port by restarting SSH.
```bash
systemctl restart ssh
```
Then restart the iptables firewall and close the old port in iptables.

```bash
yunohost firewall reload
yunohost firewall disallow TCP <your_old_ssh_port_number> # port by default 22
``` 

You also need to give fail2ban the new SSH port.

To do that you need to create the configuration file `my_ssh_port.conf` with the command


```bash
nano /etc/fail2ban/jail.d/my_ssh_port.conf
``` 

and you can fill it with

```bash
[sshd]
port = <your_ssh_port>

[sshd-ddos]
port = <your_ssh_port>
```

Finally you have to restart fail2ban in order to apply the new configuration

```bash
systemctl restart fail2ban.service
``` 

**For the next SSH connections ** you need to add the `-p` option followed by the SSH port number.

**Sample**:

```bash
ssh -p <new_ssh_port_number> admin@<your_yunohost_server>
``` 

---

### Change the user authorized to connect via SSH

To avoid multiple forced login attempts to admin by robots, change the authorized user who can connect.

<div class="alert alert-info" markdown="1">
In the case of a key authentication, a brute force attack has no chance of succeeding. This step is not really useful in this case.
</div>

**On your server**, add a user
```bash
sudo adduser user_name
```
Choose a strong password, since this user will be responsible to obtain root privileges.
Add the user to sudo group to allow him/her to perform maintenance tasks that require root privileges.
```bash
sudo adduser user_name sudo
```

Now, change the SSH configuration to allow the new user to connect.
**On your server**, edit the SSH configuration file
```bash
sudo nano /etc/ssh/sshd_config

# Look for the section "Authentication" and add at the end of it:
AllowUsers user_name
```
Only users listed in the AllowUsers directive will then be allowed to connect via SSH, which excludes the admin user.

Save and restart SSH daemon.
```bash
systemctl restart ssh
```
---

### Disable YunoHost API
YunoHost administration is accessible through an **HTTP API**, served on the 6787 port by default. It can be used to administrate a lot of things on your server, so malicious actors can also use it to damage your server. The best thing to do, if you know how to use the [command-line interface](/commandline), is to deactivate the `yunohost-api` service.

```bash
sudo service yunohost-api stop
```

### YunoHost penetration test

Some [pentests](https://en.wikipedia.org/wiki/Penetration_test) have been done on a YunoHost 2.4 instance (french):

- [1) Preparation](https://exadot.fr/blog/2016-07-03-pentest-dune-instance-yunohost-1-preparation)
- [2) The functionning](https://exadot.fr/blog/2016-07-12-pentest-dune-instance-yunohost-2-le-fonctionnement)
- [3) Black Box Audit](https://exadot.fr/blog/2016-08-26-pentest-dune-instance-yunohost-3-audit-en-black-box)
- [4) Grey Box Audit](https://exadot.fr/blog/2016-11-03-pentest-dune-instance-yunohost-4-audit-en-grey-box)