2014-05-13 16:09:43 +02:00
# Security
YunoHost has been developed to provide the best security without too much complication. Every protocol used in YunoHost is **encrypted**, only password hashes are stored, and by default each user is able to access only his own personal directory.
Two things remain important to note:
* Installing additional apps can **significantly increase** the number of potential security flaws. Do not hesitate to get information about security flaws **before installing an app**, and try to install only apps which suit your needs.
* The fact that YunoHost is a well-spread software increases the chances of an attack. If a flaw is discovered, it could potentially affect all the YunoHost instances at once. Keep your system **up-to-date** to remain safe.

*If you need advice, do not hesitate to [ask us](/help).*

*To talk about security flaws, contact the [YunoHost security team](/security_team).*
---
## Improve security
If your YunoHost server is used in a critical production environment, or if you simply want to improve its security, you may want to follow these good practices.

**Attention:** *Following these instructions requires advanced knowledge of system administration.*
### SSH authentication via key
By default, SSH authentication uses the administration password. Deactivating this kind of authentication and replacing it with a key mechanism is advised.
**On your client**:
```bash
ssh-keygen
ssh-copy-id -i ~/.ssh/id_rsa.pub <your_yunohost_server>
```
Type your administration password and your key will be copied to your server.
**On your server**, edit the SSH configuration file in order to deactivate password authentication.
```bash
nano /etc/ssh/sshd_config
# Modify or add the following line
PasswordAuthentication no
```
Save and restart the SSH daemon.
```bash
systemctl restart ssh
```
---
### Modify SSH port

To prevent SSH connection attempts by bots that scan the Internet for any server with SSH reachable, you can change the SSH port.

**On your server**, edit the SSH configuration file in order to modify the SSH port.
```bash
nano /etc/ssh/sshd_config
```
**Search for the line "Port" and replace** the port number (22 by default) with another, unused number.
```bash
# What ports, IPs and protocols we listen for
# Replace 22 by 9777, for example (sshd_config does not accept trailing comments)
Port 22
```
**Open the port** in the firewall (the `-6` option makes the rule IPv6-only, so the port stays closed over IPv4).
```bash
yunohost firewall allow TCP 9777
```
Save and restart the SSH daemon so that it switches over to the new port.
```bash
systemctl restart ssh
```
Then reload the firewall and close the old port.
```bash
yunohost firewall reload
yunohost firewall disallow TCP <your_old_ssh_port_number> # 22 by default
```
You also need to give `fail2ban` the new SSH port.
To do that you need to create the configuration file `my_ssh_port.conf` with the command
```bash
nano /etc/fail2ban/jail.d/my_ssh_port.conf
```
and you can fill it with
```ini
[sshd]
port = <your_ssh_port>

[sshd-ddos]
port = <your_ssh_port>
```
Finally you have to restart `fail2ban` in order to apply the new configuration.
```bash
systemctl restart fail2ban
```
**For the next SSH connections**, you need to add the `-p` option followed by the SSH port number.

**Sample**:
```bash
ssh -p <new_ssh_port_number> admin@<your_yunohost_server>
```
---
### Change the user authorized to connect via SSH
To avoid repeated brute-force login attempts against the admin account by bots, change the user authorized to connect.

<div class="alert alert-info" markdown="1">
In the case of key authentication, a brute-force attack has no chance of succeeding, so this step is not really useful in that case.
</div>
**On your server**, add a user
```bash
sudo adduser user_name
```
Choose a strong password, since this user will be able to obtain root privileges.
Add the user to the sudo group to allow him/her to perform maintenance tasks that require root privileges.
```bash
sudo adduser user_name sudo
```
Now, change the SSH configuration to allow the new user to connect.
**On your server**, edit the SSH configuration file
```bash
sudo nano /etc/ssh/sshd_config
# Look for the section "Authentication" and add at the end of it:
AllowUsers user_name
```
Only users listed in the AllowUsers directive will then be allowed to connect via SSH, which excludes the admin user.
Save and restart the SSH daemon.
```bash
systemctl restart ssh
```
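The three SSH procedures above (disabling password authentication, changing the port together with its fail2ban jail, and restricting logins with `AllowUsers`) all edit `/etc/ssh/sshd_config` by hand, and each can lock you out if a step is missed. The script below is an added example, not part of the YunoHost documentation or project: it wraps the edits in idempotent helpers and adds the checks a careful administrator runs first: an authorized key must exist before passwords are disabled, the resulting configuration is validated with `sshd -t` before the daemon restarts, and the fail2ban jail is checked to watch the same port sshd actually listens on. The script name `harden_sshd.sh`, the `--apply` switch, the user `alice` and the port `9777` taken from the page are assumptions of this example; the helpers take file paths as parameters so they can be tried on a scratch copy of the configuration first.

```shell
#!/bin/sh
# Added example, not YunoHost project code: idempotent helpers for the
# sshd_config and fail2ban edits described on this page, plus pre-flight
# checks against locking yourself out. Paths are parameters so everything
# can be exercised on a scratch copy before touching /etc.

# set_sshd_option FILE KEY VALUE
# Rewrites the first global "KEY ..." line (commented or not) to "KEY VALUE",
# drops duplicates (sshd honours the first occurrence, so a stray earlier
# line would silently win) and appends the directive if it is missing.
# Lines from the first "Match" block on are conditional and left untouched;
# a new directive is emitted just before that block, never inside it.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; in_match = 0 }
        !in_match && tolower($0) ~ /^[ \t]*match[ \t]/ {
            if (!done) { print key " " value; done = 1 }
            in_match = 1
        }
        in_match { print; next }
        tolower($0) ~ ("^[ \t]*#?[ \t]*" tolower(key) "([ \t]|=|$)") {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEY -> prints the effective global value (empty if unset)
get_sshd_option() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# user_has_authorized_key HOME_DIR -> 0 if authorized_keys has a non-comment line.
# Run this BEFORE PasswordAuthentication no, or the next login may be the last.
user_has_authorized_key() {
    f="$1/.ssh/authorized_keys"
    [ -s "$f" ] && grep -Evq '^[[:space:]]*(#|$)' "$f"
}

# render_fail2ban_port_conf PORT -> the jail.d snippet from this page, on stdout
render_fail2ban_port_conf() {
    printf '[sshd]\nport = %s\n\n[sshd-ddos]\nport = %s\n' "$1" "$1"
}

# check_port_consistency SSHD_CONFIG JAIL_FILE -> 0 if every "port =" in the
# jail file equals the sshd Port. A mismatch means fail2ban keeps watching
# the old port and the brute-force protection silently stops working.
check_port_consistency() {
    sshd_port=$(get_sshd_option "$1" Port)
    # 22 is what sshd listens on when the Port directive is absent
    awk -v want="${sshd_port:-22}" '
        tolower($1) == "port" { gsub(/[ \t]/, ""); split($0, kv, "="); if (kv[2] != want) bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$2"
}

# Real run, as root on the server, only when asked for explicitly (assumed CLI):
#   sh harden_sshd.sh --apply <new_port> <allowed_user>
if [ "${1:-}" = "--apply" ]; then
    port=${2:?new SSH port}; user=${3:?allowed user}
    user_has_authorized_key "$(getent passwd "$user" | cut -d: -f6)" \
        || { echo "no authorized key for $user, refusing to disable passwords" >&2; exit 1; }
    set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no
    set_sshd_option /etc/ssh/sshd_config Port "$port"
    set_sshd_option /etc/ssh/sshd_config AllowUsers "$user"
    sshd -t || exit 1                      # never restart on a broken config
    render_fail2ban_port_conf "$port" > /etc/fail2ban/jail.d/my_ssh_port.conf
    check_port_consistency /etc/ssh/sshd_config /etc/fail2ban/jail.d/my_ssh_port.conf || exit 1
    yunohost firewall allow TCP "$port"
    systemctl restart ssh && systemctl restart fail2ban
fi
```

Try the helpers on a copy of `sshd_config` first; `--apply` performs the real changes as root. Keep your current SSH session open and confirm a second session works on the new port (and as the `AllowUsers` account) before closing the old port with `yunohost firewall disallow`.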
---
### Disable YunoHost API
YunoHost administration is accessible through an **HTTP API**, served on port 6787 by default (only on `localhost`). It can be used to administer many things on your server, so malicious actors could also use it to damage your server. The best thing to do, if you know how to use the [command-line interface](/commandline), is to deactivate the `yunohost-api` service.
```bash
sudo systemctl disable yunohost-api
sudo systemctl stop yunohost-api
```
### YunoHost penetration test
Some [pentests](https://en.wikipedia.org/wiki/Penetration_test) have been done on a YunoHost 2.4 instance (in French):
- [1) Preparation](https://exadot.fr/blog/2016-07-03-pentest-dune-instance-yunohost-1-preparation)
- [2) How it works](https://exadot.fr/blog/2016-07-12-pentest-dune-instance-yunohost-2-le-fonctionnement)
- [3) Black Box Audit](https://exadot.fr/blog/2016-08-26-pentest-dune-instance-yunohost-3-audit-en-black-box)
- [4) Grey Box Audit](https://exadot.fr/blog/2016-11-03-pentest-dune-instance-yunohost-4-audit-en-grey-box)