doc/security.md

165 lines
5.4 KiB
Markdown
Raw Normal View History

2014-05-13 16:09:43 +02:00
# Security
2018-12-11 03:44:21 +01:00
YunoHost has been developed to provide the best security without too much complication. Every protocol used in YunoHost are **encrypted**, only password's hashs are stored and by default each user is able to access to his personal directory only.
2014-05-13 16:09:43 +02:00
Two things remain important to note:
* Installing additional apps can **significantly increase** the number of potential security flaws. Do not hesitate to get information about security flaws **before installing an app**, and try to install only apps which will suit your needs.
2014-05-13 16:09:43 +02:00
* The fact that YunoHost is a well-spread software increases the chances of an attack. If a flaw is discovered, it could potentially affect all the YunoHost instances at once. Keep your system **up-to-date** to remain safe.
2014-05-13 16:09:43 +02:00
*If you need advice, do not hesitate to [ask us](/help).*
2014-05-13 16:09:43 +02:00
*To talk about security flaws, contact the [YunoHost security team](/security_team).*
2014-06-04 21:41:04 +02:00
---
2014-05-13 16:09:43 +02:00
## Improve security
If your YunoHost server is used in a critical production environment, or if you want to improve its safety, you may want to follow those good practices.
**Attention:** *Following those instructions requires advanced knowledge of system administration.*
2014-05-13 16:09:43 +02:00
### SSH authentication via key
By default, the SSH authentication uses the administration password. Deactivating this kind of authentication and replacing it by a key mechanism is advised.
2014-05-13 16:09:43 +02:00
**On your client**:
```bash
ssh-keygen
ssh-copy-id -i ~/.ssh/id_rsa.pub <your_yunohost_server>
```
Type your admnistration password and your key will be copied on your server.
**On your server**, edit the SSH configuration file, in order to deactivate the password authentication.
```bash
nano /etc/ssh/sshd_config
# Modify or add the following line
PasswordAuthentication no
```
Save and restart SSH daemon.
```bash
2018-06-11 15:43:32 +02:00
systemctl restart ssh
```
2014-06-04 21:41:04 +02:00
---
2016-01-20 17:04:35 +01:00
### Modify SSH port
2014-05-13 16:09:43 +02:00
To prevent SSH connection attempts by robots that scan the Internet for any servers with SSH accessible, you can change the SSH port.
2016-01-20 17:04:35 +01:00
**On your server**, edit the ssh configuration file, in order to modify SSH port.
2014-05-13 16:09:43 +02:00
```bash
2016-01-20 17:04:35 +01:00
nano /etc/ssh/sshd_config
```
2018-06-11 15:27:21 +02:00
**Search line "Port" and replace** port number (by default 22) by another not used number
```bash
# What ports, IPs and protocols we listen for
2016-01-20 17:04:35 +01:00
Port 22 # to replace by 9777 for example
```
2018-12-11 03:44:21 +01:00
**Open the port** in firewall (you can use `-6` option to deny ipv4 connection)
2018-06-11 15:35:22 +02:00
```bash
yunohost firewall allow TCP 9777
```
2016-01-20 17:04:35 +01:00
Save and restart SSH daemon. Switch over to the new port by restarting SSH.
```bash
2018-06-11 15:43:32 +02:00
systemctl restart ssh
```
2016-01-20 17:04:35 +01:00
Then restart the iptables firewall and close the old port in iptables.
```bash
yunohost firewall reload
2018-10-19 17:23:04 +02:00
yunohost firewall disallow TCP <your_old_ssh_port_number> # port by default 22
2016-01-20 17:04:35 +01:00
```
2018-12-11 04:02:19 +01:00
You also need to give `fail2ban` the new SSH port.
To do that you need to create the configuration file `my_ssh_port.conf` with the command
```bash
nano /etc/fail2ban/jail.d/my_ssh_port.conf
```
and you can fill it with
```bash
[sshd]
2018-09-24 19:05:55 +02:00
port = <your_ssh_port>
[sshd-ddos]
2018-09-24 19:05:55 +02:00
port = <your_ssh_port>
```
2018-12-11 03:50:17 +01:00
Finally you have to restart `fail2ban` in order to apply the new configuration
```bash
2018-12-11 03:50:17 +01:00
systemctl restart fail2ban
```
2018-12-11 03:44:21 +01:00
**For the next SSH connections **, you need to add the `-p` option followed by the SSH port number.
2016-01-20 17:04:35 +01:00
**Sample**:
```bash
ssh -p <new_ssh_port_number> admin@<your_yunohost_server>
```
---
### Change the user authorized to connect via SSH
To avoid multiple forced login attempts to admin by robots, change the authorized user who can connect.
2016-01-20 17:04:35 +01:00
<div class="alert alert-info" markdown="1">
In the case of a key authentication, a brute force attack has no chance of succeeding. This step is not really useful in this case.
2016-01-20 17:04:35 +01:00
</div>
**On your server**, add a user
```bash
sudo adduser user_name
```
Choose a strong password, since this user will be responsible to obtain root privileges.
Add the user to sudo group to allow him/her to perform maintenance tasks that require root privileges.
2016-01-20 17:04:35 +01:00
```bash
sudo adduser user_name sudo
2016-01-20 17:04:35 +01:00
```
Now, change the SSH configuration to allow the new user to connect.
**On your server**, edit the SSH configuration file
```bash
sudo nano /etc/ssh/sshd_config
# Look for the section "Authentication" and add at the end of it:
AllowUsers user_name
2014-05-13 16:09:43 +02:00
```
2016-01-20 17:04:35 +01:00
Only users listed in the AllowUsers directive will then be allowed to connect via SSH, which excludes the admin user.
Save and restart SSH daemon.
```bash
2018-06-11 15:43:32 +02:00
systemctl restart ssh
```
2016-01-20 17:04:35 +01:00
---
### Disable YunoHost API
2018-12-11 03:53:15 +01:00
YunoHost administration is accessible through an **HTTP API**, served on the 6787 port by default (only on `localhost`). It can be used to administrate a lot of things on your server, so malicious actors can also use it to damage your server. The best thing to do, if you know how to use the [command-line interface](/commandline), is to deactivate the `yunohost-api` service.
2016-01-20 17:04:35 +01:00
```bash
2018-12-11 03:47:36 +01:00
sudo systemctl disable yunohost-api
sudo systemctl stop yunohost-api
```
### YunoHost penetration test
Some [pentests](https://en.wikipedia.org/wiki/Penetration_test) have been done on a YunoHost 2.4 instance (french):
2018-09-10 18:23:03 +02:00
- [1) Preparation](https://exadot.fr/blog/2016-07-03-pentest-dune-instance-yunohost-1-preparation)
2018-09-10 18:30:03 +02:00
- [2) The functionning](https://exadot.fr/blog/2016-07-12-pentest-dune-instance-yunohost-2-le-fonctionnement)
- [3) Black Box Audit](https://exadot.fr/blog/2016-08-26-pentest-dune-instance-yunohost-3-audit-en-black-box)
- [4) Grey Box Audit](https://exadot.fr/blog/2016-11-03-pentest-dune-instance-yunohost-4-audit-en-grey-box)