From 9ec4eef6b00beb6f80e2803c295a4e7d8e871480 Mon Sep 17 00:00:00 2001 From: "ma.azimi@laposte.net" Date: Wed, 20 Jan 2016 17:04:35 +0100 Subject: [PATCH] Update security.md --- security.md | 83 +++++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 78 insertions(+), 5 deletions(-) diff --git a/security.md b/security.md index f34f127a..86faf261 100644 --- a/security.md +++ b/security.md @@ -13,13 +13,11 @@ Two things remain important to note: --- ## Improve security - If your YunoHost server is used in a critical production environment, or if you want to improve its safety, you may want to follow those good practices. **Attention:** *Following those instructions requires advanced knowledges in system administration.* ### SSH authentication via key - By default, the SSH authentication uses the administration password. Deactivation this kind of authentication and replacing it by a key mechanism is advised. **On your client**: 
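Review bot: The two deletions in this hunk only strip the blank line after "## Improve security" and after "### SSH authentication via key", which is unrelated to the subject of the patch and leaves heading spacing inconsistent with the new sections added further down (where "### Change the user authorized to connect via SSH" keeps a blank line after the heading while "### Modify SSH port" does not). Either keep the blank lines here or pick one convention and apply it to every heading touched by the patch. While touching this region it would also be worth fixing the context text "requires advanced knowledges" (should be "advanced knowledge") and "Deactivation this kind of authentication" (should be "Deactivating"), since the hunk already rewrites the surrounding lines.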
@@ -44,11 +42,86 @@ Save and restart SSH daemon. --- -### Deactivate YunoHost API +### Modify SSH port +To prevent SSH connection attempts by robots that scan the Internet for any attempt SSH connections with any server accessible, you can change the SSH port. + +**On your server**, edit the ssh configuration file, in order to modify SSH port. + +```bash +nano /etc/ssh/sshd_config + +# Search line "Port" and remplace port number (by default 22) by another not used number +Port 22 # to replace by 9777 for example +``` + +To prevent YunoHost overwrites the configuration of the SSH server you must edit the file `/etc/yunohost/yunohost.conf` and change ligne ssh to yes + +```bash +ssh=yes +``` + +Save and restart SSH daemon. + +Then restart the iptables firewall and close the old port in iptables. + +```bash +yunohost firewall reload +yunohost firewall disallow # port by default 22 +yunohost firewall disallow --ipv6 TCP # for ipv6 +``` + +**For the next SSH connections ** you need to add the `-p` option followed by the SSH port number. + +**Sample**: + +```bash +ssh -p admin@ +``` + +--- + +### Change the user authorized to connect via SSH + +To avoid multiple forcing the admin login attempts by robots, it can possibly change the authorized user to connect. + +
+In the case of a key authentication, brute force has no chance of succeeding. This step is not really useful in this case +
+ +**On your server**, add a user +```bash +sudo adduser user_name +``` +Choose a strong password, since it is the user who will be responsible to obtain root privileges. +Add the user to sudo group so just to allow him to perform maintenance tasks that require root privileges. +```bash +sudo adduser user_namesudo +``` + +Now, change the SSH configuration to allow the new user to connect. +**On your server**, edit the SSH configuration file +```bash +sudo nano /etc/ssh/sshd_config + +# Look for the section "Authentication" and add at the end of it: +AllowUsers user_name +``` +Only users listed in the AllowUsers directive will then be allowed to connect via SSH, which excludes the admin user. + +To prevent yunohost overwrites the configuration of the SSH server you must edit the file `/etc/yunohost/yunohost.conf` et pass ligne ssh to yes + +```bash +ssh=yes +``` + +Save and restart SSH daemon. + +--- + +### Disable YunoHost API YunoHost administration is accessible through an **HTTP API**, served on the 6787 port by default. It can be used to administrate a lot of things on your server, thus to break many things between malicious hands. The best thing to do, if you know how to use the [command-line interface](/moulinette), is to deactivate the `yunohost-api` service. ```bash sudo service yunohost-api stop -``` - +``` \ No newline at end of file
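Review bot: The "Modify SSH port" procedure never opens the new port in the YunoHost firewall before restarting sshd, so an admin who follows it as written (change "Port", restart the daemon, then "yunohost firewall reload" and "yunohost firewall disallow" on 22) is locked out if the firewall drops the new port; add an explicit step such as "yunohost firewall allow TCP 9777" (for the example port) before the restart, and tell the reader to verify the new connection from a second terminal before closing the old port. Several of the added commands are also incomplete: "yunohost firewall disallow # port by default 22" has neither protocol nor port, "yunohost firewall disallow --ipv6 TCP # for ipv6" lacks the port number, "ssh -p admin@" lacks both the port and the host, and "sudo adduser user_namesudo" is missing the space between the user name and the sudo group. The "Change the user authorized to connect via SSH" section should state that "AllowUsers user_name" also applies to the new port, and that the new user's sudo access must be tested before the admin user is excluded, since with "AllowUsers" in place there is no SSH fallback. Finally, the added prose still carries French remnants ("remplace", "ligne", "et pass ligne ssh to yes") and untranslated wording ("To prevent YunoHost overwrites"), and the last line drops the trailing newline of the file ("\ No newline at end of file"), which should be restored.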