sec-sophos-umc.rst
100 lines
| 3.2 KiB
| text/x-rst
|
RstLexer
r2635 | .. _sec-sophos-umc: | ||
r2428 | |||
Securing Your Server via Sophos UTM 9 | |||
------------------------------------- | |||
Below is an example configuration for Sophos UTM 9 Webserver Protection:: | |||
Sophos UTM 9 Webserver Protection | |||
Web Application Firewall based on apache2 modesecurity2 | |||
-------------------------------------------------- | |||
1. Firewall Profiles -> Firewall Profile | |||
-------------------------------------------------- | |||
Name: RhodeCode (can be anything) | |||
Mode: Reject | |||
Hardening & Signing: | |||
[ ] Static URL hardeninig | |||
[ ] Form hardening | |||
[x] Cookie Signing | |||
Filtering: | |||
[x] Block clients with bad reputation | |||
[x] Common Threats Filter | |||
[ ] Rigid Filtering | |||
Skip Filter Rules: | |||
960015 | |||
950120 | |||
981173 | |||
970901 | |||
960010 | |||
960032 | |||
960035 | |||
958291 | |||
970903 | |||
970003 | |||
Common Threat Filter Categories: | |||
[x] Protocol violations | |||
[x] Protocol anomalies | |||
[x] Request limit | |||
[x] HTTP policy | |||
[x] Bad robots | |||
[x] Generic attacks | |||
[x] SQL injection attacks | |||
[x] XSS attacks | |||
[x] Tight security | |||
[x] Trojans | |||
[x] Outbound | |||
Scanning: | |||
[ ] Enable antivirus scanning | |||
[ ] Block uploads by MIME type | |||
-------------------------------------------------- | |||
2. Web Application Firewall -> Real Webservers | |||
-------------------------------------------------- | |||
Name: RhodeCode (can be anything) | |||
Host: Your RhodeCode-Server (UTM object) | |||
Type: Encrypted (HTTPS) | |||
Port: 443 | |||
-------------------------------------------------- | |||
3. Web Application Firewall -> Virual Webservers | |||
-------------------------------------------------- | |||
Name: RhodeCode (can be anything) | |||
Interface: WAN (your WAN interface) | |||
Type: Encrypted (HTTPS) & redirect | |||
Certificate: Wildcard or matching domain certificate | |||
Domains (in case of Wildcard certificate): | |||
rhodecode.yourcompany.com (match your DNS configuration) | |||
gist.yourcompany.com (match your DNS & RhodeCode configuration) | |||
Real Webservers for path '/': | |||
[x] RhodeCode (created in step 2) | |||
Firewall: RhodeCode (created in step 1) | |||
-------------------------------------------------- | |||
4. Firewall Profiles -> Exceptions | |||
-------------------------------------------------- | |||
Name: RhodeCode exceptions (can be anything) | |||
Skip these checks: | |||
[ ] Cookie signing | |||
[ ] Static URL Hardening | |||
[ ] Form hardening | |||
[x] Antivirus scanning | |||
[x] True file type control | |||
[ ] Block clients with bad reputation | |||
Skip these categories: | |||
[ ] Protocol violations | |||
[x] Protocol anomalies | |||
[x] Request limits | |||
[ ] HTTP policy | |||
[ ] Bad robots | |||
[ ] Generic attacks | |||
[ ] SQL injection attacks | |||
[ ] XSS attacks | |||
[ ] Tight security | |||
[ ] Trojans | |||
[x] Outbound | |||
Virtual Webservers: | |||
[x] RhodeCode (created in step 3) | |||
For All Requests: | |||
Web requests matching this pattern: | |||
/_channelstream/ws | |||
/Repository1/* | |||
/Repository2/* | |||
/Repository3/* |