mirror of
https://github.com/YunoHost/doc.git
synced 2024-09-03 20:06:26 +02:00
51 lines
2.1 KiB
Markdown
51 lines
2.1 KiB
Markdown
# Security
|
|
|
|
YunoHost has been developed to provide the best security without too much complication. Every protocol used in YunoHost are **encrypted**, only password's hash are stored and by default each user is able to access to his personal directory only.
|
|
|
|
Two things remain important to note:
|
|
|
|
* Installing additional apps can **increase significantly** the number of potential security flaws. Do not hesitate to get information about them **before using it**, and try to install only those which will suit your needs.
|
|
|
|
* The fact that YunoHost is a well-spread software increase chances to face an attack. If a flaw is discovered, it could potentially affect all the YunoHost instances at once. Keep your system **up-to-date** to remain safe.
|
|
|
|
*If you need some advises, do not hesitate to [ask us](/support).*
|
|
|
|
|
|
## Improve security
|
|
|
|
If your YunoHost server is used in a critical production environment, or if you want to improve its safety, you may want to follow those good practices.
|
|
|
|
**Attention :** *Following those instructions requires advanced knowledges in system administration.*
|
|
|
|
### SSH authentication via key
|
|
|
|
By default, the SSH authentication uses the administration password. Deactivation this kind of authentication and replacing it by a key mechanism is advised.
|
|
|
|
**On your client**:
|
|
|
|
```bash
|
|
ssh-keygen
|
|
ssh-copy-id -i ~/.ssh/id_rsa.pub <your_yunohost_server>
|
|
```
|
|
|
|
Type your admnistration password and your key will be copied on your server.
|
|
|
|
**On your server**, edit the SSH configuration file, in order to deactivate the password authentication.
|
|
|
|
```bash
|
|
nano /etc/ssh/sshd_config
|
|
|
|
# Modify or add the following line
|
|
PasswordAuthentication no
|
|
```
|
|
|
|
Save and restart SSH daemon.
|
|
|
|
### Deactivate YunoHost API
|
|
|
|
YunoHost administration is accessible through an **HTTP API**, served on the 6787 port by default. It can be used to administrate a lot of things on your server, thus to break many things between malicious hands. The best thing to do, if you know how to use the [command-line interface](/moulinette), is to deactivate the `yunohost-api` service.
|
|
|
|
```bash
|
|
sudo service yunohost-api stop
|
|
```
|
|
|