doc/security.md

163 lines
5.3 KiB
Markdown

# Security
YunoHost has been developed to provide the best security without too much complication. Every protocol used in YunoHost are **encrypted**, only password's hash are stored and by default each user is able to access to his personal directory only.
Two things remain important to note:
* Installing additional apps can **significantly increase** the number of potential security flaws. Do not hesitate to get information about security flaws **before installing an app**, and try to install only apps which will suit your needs.
* The fact that YunoHost is a well-spread software increases the chances of an attack. If a flaw is discovered, it could potentially affect all the YunoHost instances at once. Keep your system **up-to-date** to remain safe.
*If you need advice, do not hesitate to [ask us](/help).*
*To talk about security flaws, contact the [YunoHost security team](/security_team).*
---
## Improve security
If your YunoHost server is used in a critical production environment, or if you want to improve its safety, you may want to follow those good practices.
**Attention:** *Following those instructions requires advanced knowledge of system administration.*
### SSH authentication via key
By default, the SSH authentication uses the administration password. Deactivating this kind of authentication and replacing it by a key mechanism is advised.
**On your client**:
```bash
ssh-keygen
ssh-copy-id -i ~/.ssh/id_rsa.pub <your_yunohost_server>
```
Type your admnistration password and your key will be copied on your server.
**On your server**, edit the SSH configuration file, in order to deactivate the password authentication.
```bash
nano /etc/ssh/sshd_config
# Modify or add the following line
PasswordAuthentication no
```
Save and restart SSH daemon.
```bash
systemctl restart ssh
```
---
### Modify SSH port
To prevent SSH connection attempts by robots that scan the Internet for any servers with SSH accessible, you can change the SSH port.
**On your server**, edit the ssh configuration file, in order to modify SSH port.
```bash
nano /etc/ssh/sshd_config
```
**Search line "Port" and replace** port number (by default 22) by another not used number
```bash
# What ports, IPs and protocols we listen for
Port 22 # to replace by 9777 for example
```
**Open the port** in firewall (you can use -6 option to limit forbid ipv4 connexion)
```bash
yunohost firewall allow TCP 9777
```
Save and restart SSH daemon. Switch over to the new port by restarting SSH.
```bash
systemctl restart ssh
```
Then restart the iptables firewall and close the old port in iptables.
```bash
yunohost firewall reload
yunohost firewall disallow <your_old_ssh_port_number> # port by default 22
```
You also need to give fail2ban the new SSH port.
To do that you need to create the configuration file `my_ssh_port.conf` with the command
```bash
nano /etc/fail2ban/jail.d/my_ssh_port.conf
```
and you can fill it with
```
[sshd]
port = <votre_numero_de_port_ssh>
[sshd-ddos]
port = <votre_numero_de_port_ssh>
```
Finally you have to restart fail2ban in order to apply the new configuration
```bash
systemctl restart fail2ban.service
```
**For the next SSH connections ** you need to add the `-p` option followed by the SSH port number.
**Sample**:
```bash
ssh -p <new_ssh_port_number> admin@<your_yunohost_server>
```
---
### Change the user authorized to connect via SSH
To avoid multiple forced login attempts to admin by robots, change the authorized user who can connect.
<div class="alert alert-info" markdown="1">
In the case of a key authentication, a brute force attack has no chance of succeeding. This step is not really useful in this case.
</div>
**On your server**, add a user
```bash
sudo adduser user_name
```
Choose a strong password, since this user will be responsible to obtain root privileges.
Add the user to sudo group to allow him/her to perform maintenance tasks that require root privileges.
```bash
sudo adduser user_name sudo
```
Now, change the SSH configuration to allow the new user to connect.
**On your server**, edit the SSH configuration file
```bash
sudo nano /etc/ssh/sshd_config
# Look for the section "Authentication" and add at the end of it:
AllowUsers user_name
```
Only users listed in the AllowUsers directive will then be allowed to connect via SSH, which excludes the admin user.
Save and restart SSH daemon.
```bash
systemctl restart ssh
```
---
### Disable YunoHost API
YunoHost administration is accessible through an **HTTP API**, served on the 6787 port by default. It can be used to administrate a lot of things on your server, so malicious actors can also use it to damage your server. The best thing to do, if you know how to use the [command-line interface](/commandline), is to deactivate the `yunohost-api` service.
```bash
sudo service yunohost-api stop
```
### YunoHost penetration test
Some [pentests](https://en.wikipedia.org/wiki/Penetration_test) have been done on a YunoHost 2.4 instance (french):
- [1) Preparation](https://exadot.fr/blog/2016-07-03-pentest-dune-instance-yunohost-1-preparation)
- [2) The functionning](https://exadot.fr/blog/2016-07-12-pentest-dune-instance-yunohost-2-le-fonctionnement)
- [3) Black Box Audit](https://exadot.fr/blog/2016-08-26-pentest-dune-instance-yunohost-3-audit-en-black-box)
- [4) Grey Box Audit](https://exadot.fr/blog/2016-11-03-pentest-dune-instance-yunohost-4-audit-en-grey-box)