5.3 KiB
Security
YunoHost has been developed to provide the best security without too much complication. Every protocol used in YunoHost are encrypted, only password's hash are stored and by default each user is able to access to his personal directory only.
Two things remain important to note:
-
Installing additional apps can significantly increase the number of potential security flaws. Do not hesitate to get information about security flaws before installing an app, and try to install only apps which will suit your needs.
-
The fact that YunoHost is a well-spread software increases the chances of an attack. If a flaw is discovered, it could potentially affect all the YunoHost instances at once. Keep your system up-to-date to remain safe.
If you need advice, do not hesitate to ask us.
To talk about security flaws, contact the YunoHost security team.
Improve security
If your YunoHost server is used in a critical production environment, or if you want to improve its safety, you may want to follow those good practices.
Attention: Following those instructions requires advanced knowledge of system administration.
SSH authentication via key
By default, the SSH authentication uses the administration password. Deactivating this kind of authentication and replacing it by a key mechanism is advised.
On your client:
ssh-keygen
ssh-copy-id -i ~/.ssh/id_rsa.pub <your_yunohost_server>
Type your admnistration password and your key will be copied on your server.
On your server, edit the SSH configuration file, in order to deactivate the password authentication.
nano /etc/ssh/sshd_config
# Modify or add the following line
PasswordAuthentication no
Save and restart SSH daemon.
systemctl restart ssh
Modify SSH port
To prevent SSH connection attempts by robots that scan the Internet for any servers with SSH accessible, you can change the SSH port.
On your server, edit the ssh configuration file, in order to modify SSH port.
nano /etc/ssh/sshd_config
Search line "Port" and replace port number (by default 22) by another not used number
# What ports, IPs and protocols we listen for
Port 22 # to replace by 9777 for example
Open the port in firewall (you can use -6 option to limit forbid ipv4 connexion)
yunohost firewall allow TCP 9777
Save and restart SSH daemon. Switch over to the new port by restarting SSH.
systemctl restart ssh
Then restart the iptables firewall and close the old port in iptables.
yunohost firewall reload
yunohost firewall disallow <your_old_ssh_port_number> # port by default 22
You also need to give fail2ban the new SSH port.
To do that you need to create the configuration file my_ssh_port.conf
with the command
nano /etc/fail2ban/jail.d/my_ssh_port.conf
and you can fill it with
[sshd]
port = <votre_numero_de_port_ssh>
[sshd-ddos]
port = <votre_numero_de_port_ssh>
Finally you have to restart fail2ban in order to apply the new configuration
systemctl restart fail2ban.service
**For the next SSH connections ** you need to add the -p
option followed by the SSH port number.
Sample:
ssh -p <new_ssh_port_number> admin@<your_yunohost_server>
Change the user authorized to connect via SSH
To avoid multiple forced login attempts to admin by robots, change the authorized user who can connect.
On your server, add a user
sudo adduser user_name
Choose a strong password, since this user will be responsible to obtain root privileges. Add the user to sudo group to allow him/her to perform maintenance tasks that require root privileges.
sudo adduser user_name sudo
Now, change the SSH configuration to allow the new user to connect. On your server, edit the SSH configuration file
sudo nano /etc/ssh/sshd_config
# Look for the section "Authentication" and add at the end of it:
AllowUsers user_name
Only users listed in the AllowUsers directive will then be allowed to connect via SSH, which excludes the admin user.
Save and restart SSH daemon.
systemctl restart ssh
Disable YunoHost API
YunoHost administration is accessible through an HTTP API, served on the 6787 port by default. It can be used to administrate a lot of things on your server, so malicious actors can also use it to damage your server. The best thing to do, if you know how to use the command-line interface, is to deactivate the yunohost-api
service.
sudo service yunohost-api stop
YunoHost penetration test
Some pentests have been done on a YunoHost 2.4 instance (french):