YunoHost/doc
1
0
Fork 0
mirror of https://github.com/YunoHost/doc.git synced 2024-09-03 20:06:26 +02:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #1892 from mooseyboots/patch-4

Browse source 
Update security.md
This commit is contained in:
Alexandre Aubin 2022-02-01 15:30:06 +01:00 committed by GitHub
commit 636ced6d4d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
pages/01.administrate/06.overview/12.security/security.md
View file

@ -7,13 +7,13 @@ routes:
default: '/security'
---
YunoHost has been developed to provide the best security without too much complication. Every protocol used in YunoHost is **encrypted**, only password's hashes are stored and by default each user is able to access their personal directory only.
YunoHost has been developed to provide the best security without too much complication. Every protocol used in YunoHost is **encrypted**, only a password's hashes are stored and by default each user is able to access their personal directory only.
Two things remain important to note:
* Installing additional apps can **significantly increase** the number of potential security flaws. Do not hesitate to get information about security flaws **before installing an app**, and try to install only apps which will suit your needs.
* Installing additional apps can **significantly increase** the number of potential security flaws. Do not hesitate to get information about security flaws **before installing an app**, and try to only install apps which will suit your needs.
* The fact that YunoHost is a well-spread software increases the chances of an attack. If a flaw is discovered, it could potentially affect all the YunoHost instances at once. Keep your system **up-to-date** to remain safe. Updates can be automated by installing the ["Unattended_upgrades" app](https://install-app.yunohost.org/?app=unattended_upgrades).
* The fact that YunoHost is a well-known and used piece of software increases the chances of an attack. If a flaw is discovered, it could potentially affect all YunoHost instances at once. Keep your system **up-to-date** to remain safe. Updates can be automated by installing the ["Unattended_upgrades" app](https://install-app.yunohost.org/?app=unattended_upgrades).
!!!! If you need advice, do not hesitate to [ask us](/help).
@ -23,9 +23,9 @@ Two things remain important to note:
## Improve security
If your YunoHost server is used in a critical production environment, or if you want to improve its safety, you may want to follow those good practices.
If your YunoHost server is used in a critical production environment, or if you want to improve its safety, you may want to follow these good practices.
! **WARNING:** Following those instructions requires advanced knowledge of system administration.
! **WARNING:** Following these instructions requires advanced knowledge of system administration.
!!!! **TIP** Never close your current SSH connection before checking that your alterations work. Test your new configuration by opening a new terminal or window. That way, you can undo your alterations if anything goes wrong.
@ -40,13 +40,13 @@ ssh-keygen
ssh-copy-id -i ~/.ssh/id_rsa.pub <username@your_yunohost_server>
```
!!! If you meet permissions issues, set `username` as owner of the dir `~/.ssh` with `chown`. Be careful, for security reason this directory should be in mode `700`.
!!! If you run into permissions issues, set `username` as owner of the dir `~/.ssh` with `chown`. Be careful, for security reasons this directory should be in mode `700`.
!!! If you are on Ubuntu 16.04 you should run `ssh-add` to initialize the SSH agent.
Type your admnistration password and your key will be copied on your server.
Type your admnistration password and your key will be copied onto your server.
**On your server**, the edition of the SSH configuration file in order to deactivate the password authentication is handled by a system setting:
**On your server**, editing the SSH configuration file to deactivate password authentication is handled by a system setting:
```bash
sudo yunohost settings set security.ssh.password_authentication -v no
@ -55,14 +55,14 @@ sudo yunohost settings set security.ssh.password_authentication -v no
### Modify the SSH port
To prevent SSH connection attempts by robots that scan the Internet for any server with SSH enabled, you can change the SSH port.
To prevent SSH connection attempts by robots that scan the internet for any server with SSH enabled, you can change the SSH port.
This is handled by a system setting, which takes care of updating the SSH and Fail2Ban configuration.
```bash
sudo yunohost settings set security.ssh.port -v <new_ssh_port_number>
```
**For the next SSH connections**, you need to add the `-p` option followed by the SSH port number.
**For subsequent SSH connections**, you need to add the `-p` option followed by the SSH port number.
**Sample**:
@ -74,7 +74,7 @@ ssh -p <new_ssh_port_number> admin@<your_yunohost_server>
### Change cipher compatibility configuration
The default TLS configuration for services tends to offer good compatibility to support old devices. You can tune this policy for specific services like SSH and NGINX. By default, the NGINX configuration follows the [intermediate compatibility recommendation](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29) from Mozilla. You can choose to switch to the 'modern' configuration which uses more recent security recommendations, but decreases the compatibility, which may be an issue for your users and visitors using older devices. More details about the compatibility can be found on [this page](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility).
The default TLS configuration for services tends to offer good compatibility to support old devices. You can tune this policy for specific services like SSH and NGINX. By default, the NGINX configuration follows the [intermediate compatibility recommendation](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29) from Mozilla. You can choose to switch to the 'modern' configuration which uses more recent security recommendations, but decreases compatibility, which may be an issue for your users and visitors using older devices. More details about compatibility can be found on [this page](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility).
Changing the compatibility level is not definitive and can be reverted if it doesn't fit with your environment.