Security
When thinking about or discussing security, whether in the context of YunoHost or any other system, keep in mind that security is not a binary state but an ongoing practice. The term "security" is essentially meaningless without specifying what exactly you are securing against. The threats to consider depend on your context: they range from automated attacks by bots roaming the Internet, to sophisticated state actors such as the NSA, to supply chain vulnerabilities (e.g., compromised software dependencies), to basic risks such as your own users choosing overly simple passwords, or your worst enemy from elementary school 20 years ago trying to break into your server...
YunoHost is developed with security in mind and aims for a sensible tradeoff between security and usability. Here is a non-exhaustive list of security measures the project implements:
- a firewall based on nftables to restrict incoming traffic to relevant ports ;
- fail2ban, a software that automatically rejects traffic from malicious IPs trying to brute force SSH and other services ;
- using Mozilla's recommendations for NGINX, Postfix, Dovecot, SSH ciphers etc. ;
- checking that user passwords/passphrases are not too simple when they are defined ;
- hashing user passwords (salted SHA-512 in LDAP, for example) ;
- being vigilant about UNIX file/directory permissions across the whole system ;
- apps are typically run as a dedicated user, with restricted capabilities ;
- auto-redacting sensitive information from YunoHost operation logs and when sharing them via Yunopaste ;
- ...
In addition, the project has mid-term goals to implement:
- password self-reset for users ;
- automatic warnings about vulnerabilities (via the Diagnosis, not via the forum or social media) ;
- supporting OIDC and 2FA ;
- better support for SSH keys, in particular making them configurable from the webadmin ;
- further constrain and limit application capabilities to only what they need (cf. packaging v3) ;
- ...
To discuss security flaws in YunoHost, contact the project's security team.
Basic security advice
Security is not a one-time setup; it is an active, ongoing practice. Here are some basic practices that you should follow:
Using stupidly simple passwords is arguably the number one reason why servers get "hacked". You and your users using reasonably complex passwords/passphrases is the basis of any good security.
- as an admin, forget traditional passwords. Use reasonably complex passphrases. Learn about password managers ;
- keep your server and apps reasonably up to date. Consider using the unattended upgrades app for automatic upgrades ;
- be aware that each app you install is additional "attack surface". Ideally, check the security reputation of every app you install. Do not just install random apps and then forget about them. Uninstall apps that you no longer use ;
- only create accounts for people you have some amount of trust in, in particular that they will use decent passwords/passphrases and decent security hygiene in general ;
- regularly check the forum and social media (e.g. YunoHost's Mastodon account) to stay informed when vulnerabilities are discovered or important fixes are released.
The following sections describe possible ways to further harden the security of your server.
SSH authentication via key
By default, SSH authentication uses the administration password. Disabling password authentication and replacing it with key-based authentication is advised.
On your client (this generates an Ed25519 key; if you pick another key type, adjust the public key path accordingly):
ssh-keygen -t ed25519
ssh-copy-id -i ~/.ssh/id_ed25519.pub <username@your_yunohost_server>
If you run into permission issues, make username the owner of the ~/.ssh directory with chown. Be careful: for security reasons this directory must be in mode 700 and private keys in mode 600, otherwise OpenSSH refuses to use them.
If you are on Ubuntu 16.04 you should run ssh-add to initialize the SSH agent.
Type your administration password and your key will be copied onto your server.
On your server, editing the SSH configuration file to deactivate password authentication is handled by a system setting:
sudo yunohost settings set security.ssh.ssh_password_authentication -v no
Never close your current SSH connection before checking that your alterations work. Test your new configuration by opening a new terminal or window. That way, you can undo your alterations if anything goes wrong.
Using a custom port for SSH
To reduce SSH connection attempts by robots that scan the Internet for any server with SSH enabled, you can change the SSH port. This is handled by a system setting, which takes care of updating the SSH and Fail2Ban configuration.
Note that changing the port is still useful even if you have disabled password authentication, because it significantly reduces the noise from brute force attempts in the SSH logs. It does not replace key-based authentication, since a port scan will still find the service.
If you manually modify anything in the SSH server configuration (/etc/ssh/sshd_config), YunoHost's regen-conf mechanism will no longer automatically update this file. For this reason, always use the YunoHost admin tools to change system configuration files!
sudo yunohost settings set security.ssh.ssh_port -v <new_ssh_port_number>
For subsequent SSH connections, you need to add the -p option followed by the SSH port number.
ssh -p <new_ssh_port_number> admin@<your_yunohost_server>
Never close your current SSH connection before checking that your alterations work. Test your new configuration by opening a new terminal or window. That way, you can undo your alterations if anything goes wrong.
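The two sections above both end with the same advice: verify before closing the working session. The following script is an added example (not YunoHost's own tooling) of what to verify: it fixes the ~/.ssh permissions mentioned in the key section and reads the global values of PasswordAuthentication and Port out of an sshd_config the way sshd resolves them (keywords are case-insensitive, the first occurrence wins, and directives inside a Match block are conditional). The sample sshd_config used in the usage below is constructed for illustration; GNU stat and the whitespace-separated "Keyword value" form are assumed.

```sh
#!/bin/sh
# Added example, not part of YunoHost: checks to run from the still-open
# SSH session before trusting a new key or port configuration.

# Enforce the permissions OpenSSH expects on a .ssh directory: 700 on the
# directory, 600 on private keys and authorized_keys, 644 on public keys.
# Prints the resulting directory mode in octal (GNU stat assumed).
# Usage: fix_ssh_dir_perms /home/alice/.ssh
fix_ssh_dir_perms() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    chmod 700 "$dir"
    for f in "$dir"/id_* "$dir"/authorized_keys; do
        [ -e "$f" ] || continue          # unmatched glob, nothing to do
        case "$f" in
            *.pub) chmod 644 "$f" ;;
            *)     chmod 600 "$f" ;;
        esac
    done
    stat -c '%a' "$dir"
}

# Print the global value of an sshd_config keyword the way sshd resolves it:
# keywords are case-insensitive, the FIRST occurrence wins, and directives
# inside a "Match" block only apply conditionally, so they are skipped.
# Assumes the usual whitespace-separated "Keyword value" form.
# Usage: sshd_global_value PasswordAuthentication /etc/ssh/sshd_config
sshd_global_value() {
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" '
        /^[[:space:]]*#/ { next }              # comment line
        NF == 0 { next }                       # blank line
        tolower($1) == "match" { in_match = 1; next }
        in_match { next }                      # conditional directive
        tolower($1) == key { print $2; exit }  # first hit wins
    ' "$2"
}

# Report whether the two hardening steps from this page are in effect.
# Returns 0 only when password authentication is off and sshd listens on $2.
# Usage: check_ssh_hardening /etc/ssh/sshd_config 2222
check_ssh_hardening() {
    cfg="$1"; want_port="$2"
    pw=$(sshd_global_value PasswordAuthentication "$cfg")
    port=$(sshd_global_value Port "$cfg")
    [ -z "$port" ] && port=22                  # sshd default when unset
    echo "PasswordAuthentication=${pw:-yes(default)} Port=$port"
    [ "$pw" = "no" ] && [ "$port" = "$want_port" ]
}
```

On the server itself, the authoritative check is `sudo sshd -T | grep -iE '^(passwordauthentication|port) '`, which prints the effective values after sshd has parsed the whole configuration, including anything regen-conf wrote. Run it, then open a second terminal and log in with the key on the new port before closing the first session.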
Hardening ciphers used by NGINX, SSH, Dovecot, Postfix
The default TLS configuration of the services favours compatibility, so that old devices are still supported. You can tune this policy for specific services such as SSH and NGINX. By default, the NGINX configuration follows the 'intermediate' compatibility recommendation from Mozilla. You can switch to the 'modern' configuration, which uses more recent security recommendations at the cost of reduced compatibility; this may be an issue for users and visitors with older devices. More details about compatibility can be found on this page.
Changing the compatibility level is not definitive and can be reverted if it does not fit your environment. After switching, check from a client (for instance with openssl s_client) that the legacy protocol versions you expected to drop are now refused.
On your server, change the policy for NGINX
sudo yunohost settings set security.nginx.nginx_compatibility -v modern
On your server, change the policy for SSH
sudo yunohost settings set security.ssh.ssh_compatibility -v modern
Disabling the YunoHost API
YunoHost administration is accessible through an HTTP API, which is the API used by the webadmin. This may be an additional, unnecessary attack surface if you are not planning to use it. In this case, you can disable the corresponding service entirely via the command line:
This will completely disable both YunoHost's API and the web administration panel that relies on it. Proceed only if you are comfortable with exclusively using the command line from now on.
sudo systemctl disable yunohost-api
sudo systemctl stop yunohost-api
As yunohost-api is now disabled and not running, Diagnosis will report an error. This error can be ignored using:
sudo yunohost diagnosis ignore --filter services service=yunohost-api