Show More
sec-your-server.rst
179 lines
| 6.3 KiB
| text/x-rst
|
RstLexer
r1 | .. _sec-your-server: | |||
Securing Your Server | ||||
-------------------- | ||||
|RCE| runs on your hardware, and while it is developed with security in mind | ||||
it is also important that you ensure your servers are well secured. In this | ||||
section we will cover some basic security practices that are best to | ||||
configure when setting up your |RCE| instances. | ||||
SSH Keys | ||||
^^^^^^^^ | ||||
Using SSH keys to access your server provides more security than using the | ||||
standard username and password combination. To set up your SSH Keys, use the | ||||
following steps: | ||||
1. On your local machine create the public/private key combination. The | ||||
private key you will keep, and the matching public key is copied to the | ||||
server. Setting a passphrase here is optional, if you set one you will | ||||
always be prompted for it when logging in. | ||||
.. code-block:: bash | ||||
# Generate SSH Keys | ||||
user@ubuntu:~$ ssh-keygen -t rsa | ||||
.. code-block:: bash | ||||
Generating public/private rsa key pair. | ||||
Enter file in which to save the key (/home/user/.ssh/id_rsa): | ||||
Created directory '/home/user/.ssh'. | ||||
Enter passphrase (empty for no passphrase): | ||||
Enter same passphrase again: | ||||
Your identification has been saved in /home/user/.ssh/id_rsa. | ||||
Your public key has been saved in /home/user/.ssh/id_rsa.pub. | ||||
The key fingerprint is: | ||||
02:82:38:95:e5:30:d2:ad:17:60:15:7f:94:17:9f:30 user@ubuntu | ||||
r1120 | The key\'s randomart image is: | |||
r1 | +--[ RSA 2048]----+ | |||
2. SFTP to your server, and copy the public key to the ``~/.ssh`` folder. | ||||
.. code-block:: bash | ||||
# SFTP to your server | ||||
$ sftp user@hostname | ||||
# copy your public key | ||||
sftp> mput /home/user/.ssh/id_rsa.pub /home/user/.ssh | ||||
Uploading /home/user/.ssh/id_rsa.pub to /home/user/.ssh/id_rsa.pub | ||||
/home/user/.ssh/id_rsa.pub 100% 394 0.4KB/s 00:00 | ||||
3. On your server, add the public key to the :file:`~/.ssh/authorized_keys` | ||||
file. | ||||
.. code-block:: bash | ||||
$ cat /home/user/.ssh/id_rsa.pub > /home/user/.ssh/authorized_keys | ||||
You should now be able to log into your server using your SSH | ||||
Keys. If you've added a passphrase you'll be asked for it. For more | ||||
information about using SSH keys with |RCE| |repos|, see the | ||||
:ref:`ssh-connection` section. | ||||
VPN Whitelist | ||||
^^^^^^^^^^^^^ | ||||
Most company networks will have a VPN. If you need to set one up, there are | ||||
many tutorials online for how to do that. Getting it right requires good | ||||
knowledge and attention to detail. Once set up, you can configure your | ||||
|RCE| instances to only allow user access from the VPN, to do this see the | ||||
:ref:`settip-ip-white` section. | ||||
Public Key Infrastructure and SSL/TLS Encryption | ||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||||
Public key infrastructure (PKI) is a system that creates, manages, and | ||||
validates certificates for identifying nodes on a network and encrypting | ||||
communication between them. SSL or TLS certificates can be used to | ||||
authenticate different entities with one another. To read more about PKIs, | ||||
see the `OpenSSL PKI tutorial`_ site, or this `Cloudflare PKI post`_. | ||||
If the network you are running is SSL/TLS encrypted, you can configure |RCE| | ||||
to always use secure connections using the ``force_https`` and ``use_htsts`` | ||||
options in the :file:`/home/user/.rccontrol/instance-id/rhodecode.ini` file. | ||||
For more details, see the :ref:`x-frame` section. | ||||
FireWalls and Ports | ||||
^^^^^^^^^^^^^^^^^^^ | ||||
Setting up a network firewall for your internal traffic is a good way | ||||
of keeping it secure by blocking off any ports that should not be used. | ||||
Additionally, you can set non-default ports for certain functions which adds | ||||
an extra layer of security to your setup. | ||||
A well configured firewall will restrict access to everything except the | ||||
services you need to remain open. By exposing fewer services you reduce the | ||||
number of potential vulnerabilities. | ||||
There are a number of different firewall solutions, but for most Linux systems | ||||
using the built in `IpTables`_ firewall should suffice. On BSD systems you | ||||
can use `IPFILTER`_ or `IPFW`_. Use the following examples, and the IpTables | ||||
documentation to configure your IP Tables on Ubuntu. | ||||
Changing the default SSH port. | ||||
.. code-block:: bash | ||||
# Open SSH config file and change to port 10022 | ||||
vi /etc/ssh/sshd_config | ||||
# What ports, IPs and protocols we listen for | ||||
Port 10022 | ||||
Setting IP Table rules for SSH traffic. It is important to note that the | ||||
default policy of your IpTables can differ and it is worth checking how each | ||||
is configured. The options are *ACCEPT*, *REJECT*, *DROP*, or *LOG*. The | ||||
usual practice is to block access on all ports and then enable access only on | ||||
the ports you with to expose. | ||||
.. code-block:: bash | ||||
# Check iptables policy | ||||
$ sudo iptables -L | ||||
Chain INPUT (policy ACCEPT) | ||||
target prot opt source destination | ||||
Chain FORWARD (policy ACCEPT) | ||||
target prot opt source destination | ||||
Chain OUTPUT (policy ACCEPT) | ||||
target prot opt source destination | ||||
# Close all ports by default | ||||
$ sudo iptables -P INPUT DROP | ||||
$ sudo iptables -L | ||||
Chain INPUT (policy DROP) | ||||
target prot opt source destination | ||||
DROP all -- anywhere anywhere | ||||
Chain FORWARD (policy ACCEPT) | ||||
target prot opt source destination | ||||
Chain OUTPUT (policy ACCEPT) | ||||
target prot opt source destination | ||||
.. code-block:: bash | ||||
# Deny outbound SSH traffic | ||||
sudo iptables -A OUTPUT -p tcp --dport 10022 -j DROP | ||||
# Allow incoming SSH traffic on port 10022 | ||||
sudo iptables -A INPUT -p tcp --dport 10022 -j ACCEPT | ||||
# Allow incoming HTML traffic on port 80 and 443 | ||||
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT | ||||
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT | ||||
Saving your IP Table rules, and restoring them from file. | ||||
.. code-block:: bash | ||||
# Save you IP Table Rules | ||||
iptables-save | ||||
# Save your IP Table Rules to a file | ||||
sudo sh -c "iptables-save > /etc/iptables.rules" | ||||
# Restore your IP Table rules from file | ||||
iptables-restore < /etc/iptables.rules | ||||
.. _OpenSSL PKI tutorial: https://pki-tutorial.readthedocs.org/en/latest/# | ||||
.. _Cloudflare PKI post: https://blog.cloudflare.com/how-to-build-your-own-public-key-infrastructure/ | ||||
.. _IpTables: https://help.ubuntu.com/community/IptablesHowTo | ||||
.. _IPFW: https://www.freebsd.org/doc/handbook/firewalls-ipfw.html | ||||
.. _IPFILTER: https://www.freebsd.org/doc/handbook/firewalls-ipf.html | ||||