
🔒 Security

info

When thinking and discussing security (whether in the context of YunoHost or any other system), please keep in mind that security is not a binary state, but an ongoing practice. The term "security" is essentially meaningless without specifying what exactly we are securing against. The 'threats' to consider depend on your context, and can range from automated attacks by bots roaming the Internet, to sophisticated state actors like the NSA, to supply chain vulnerabilities (e.g., compromised software dependencies), to basic risks such as your own users choosing overly simple passwords, or your worst enemy from elementary school 20 years ago trying to hack into your server...

YunoHost is developed with security in mind, aiming for a good tradeoff between security and usability. Here is a non-exhaustive list of security aspects that the project implements:

  • a firewall based on nftables to restrict incoming traffic to relevant ports;
  • fail2ban, a software that automatically rejects traffic from malicious IPs trying to brute force SSH and other services;
  • using Mozilla's recommendations for NGINX, Postfix, Dovecot, SSH ciphers etc.;
  • checking that user passwords/passphrases are not too simple when defining them;
  • hashing user passwords (salted SHA512 in LDAP for example);
  • being vigilant about UNIX file/dir permissions across the whole system;
  • apps are typically run using a dedicated user, and with restricted capabilities;
  • auto-redacting sensitive information from YunoHost operation logs and when sharing them with Yunopaste;
  • ...

In addition, the project has mid-term goals to implement:

info

To discuss security flaws in YunoHost, contact the project's security team.

Basic security advice

Security is not a one-time setup, it's an active, ongoing practice. Here are some basic practices that you should adopt:

warning

Using stupidly simple passwords is arguably the number one reason why servers get "hacked". You and your users using reasonably complex passwords/passphrases is the basis of any good security.

  1. as an admin, forget traditional passwords. Use reasonably complex passphrases. Learn about password managers;
  2. keep your server and apps reasonably up to date. Consider using the unattended upgrades app for automatic upgrades;
  3. be aware that each app you install is an additional "attack surface". Ideally, check the security reputation of every app you install. Do not just install random apps and then forget about them. Uninstall apps that you no longer use;
  4. only create accounts for people you have some amount of trust in, in particular that they will use decent passwords/passphrases and decent security hygiene in general;
  5. regularly check the forum and social media (e.g. YunoHost's Mastodon account) to stay informed when vulnerabilities are discovered or important fixes are released.

The following sections describe possible ways to further harden the security of your server.

SSH authentication via key

By default, SSH authentication uses the administration password. Deactivating this kind of authentication and replacing it with key-based authentication is advised.

On your client:

ssh-keygen
ssh-copy-id -i ~/.ssh/id_rsa.pub <username@your_yunohost_server>

tip

If you run into permissions issues, set username as owner of the dir ~/.ssh with chown. Be careful, for security reasons this directory should be in mode 700.
If you are on Ubuntu 16.04 you should run ssh-add to initialize the SSH agent.

Type your administration password and your key will be copied onto your server.

On your server, deactivating password authentication in the SSH configuration is handled by a system setting:

sudo yunohost settings set security.ssh.ssh_password_authentication -v no

danger

Never close your current SSH connection before checking that your alterations work. Test your new configuration by opening a new terminal or window. That way, you can undo your alterations if anything goes wrong.

Using a custom port for SSH

To prevent SSH connection attempts by robots that scan the internet for any server with SSH enabled, you can change the SSH port. This is handled by a system setting, which takes care of updating the SSH and Fail2Ban configuration.

Note that changing the port is still useful even if you've disabled password authentication, because that significantly reduces noise from brute force attempts in SSH logs.

warning

If you manually modify anything in the SSH server configuration (/etc/ssh/sshd_config), YunoHost's regen-conf mechanism will no longer automatically update this file. For this reason, always use the YunoHost admin tools to make changes to the system's configuration files!

sudo yunohost settings set security.ssh.ssh_port -v <new_ssh_port_number>

For subsequent SSH connections, you need to add the -p option followed by the SSH port number.

ssh -p <new_ssh_port_number> admin@<your_yunohost_server>

danger

Never close your current SSH connection before checking that your alterations work. Test your new configuration by opening a new terminal or window. That way, you can undo your alterations if anything goes wrong.
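The two SSH sections above both end with "check before you close the session". The script below is an added example (not part of the YunoHost documentation or code base) of what that check can look like when done from the files on disk rather than by eye: it reads the effective value of a keyword from an sshd_config file the way sshd does (first occurrence wins, and anything after the first `Match` block is conditional), confirms `PasswordAuthentication` is off, verifies that the SSH port and the Fail2Ban `[sshd]` jail port agree (a mismatch means bans never trigger), and checks the `~/.ssh` permissions the tip mentions. The sshd_config and jail file contents are constructed samples; the path of the Fail2Ban jail file on a real server is an assumption to adapt, and `stat -c` is the GNU coreutils form used on Debian.

```shell
#!/bin/sh
# Added example, not YunoHost code. Checks SSH hardening from config files.

# Constructed sample sshd_config (not a real server file).
SAMPLE_SSHD_CONFIG="$(mktemp)"
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# constructed sshd_config
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
# sshd keeps the FIRST value of a keyword, so this later line has no effect
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

# Constructed sample Fail2Ban jail file (real path on a server is an assumption).
SAMPLE_JAIL_CONF="$(mktemp)"
cat > "$SAMPLE_JAIL_CONF" <<'EOF'
[DEFAULT]
bantime = 600

[sshd]
enabled = true
port = 2222
EOF

# Effective global value of an sshd_config keyword: first occurrence wins,
# and everything after the first "Match" line is conditional, so stop there.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); exit }
    ' "$2"
}

# Value of "key" inside "[section]" of an INI-style file (Fail2Ban jail syntax).
ini_value() {
    awk -v sec="$1" -v key="$2" '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        /^\[/ { sub(/^\[/, ""); sub(/\].*$/, ""); cur = $0; next }
        cur == sec {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = substr($0, n + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }
    ' "$3"
}

# 0 if password authentication is off in the global section, 1 otherwise.
password_auth_disabled() {
    [ "$(sshd_effective PasswordAuthentication "$1")" = "no" ]
}

# Port sshd actually listens on (22 when there is no Port line).
sshd_port() {
    p="$(sshd_effective Port "$1")"; echo "${p:-22}"
}

# Port watched by the Fail2Ban [sshd] jail; the service name "ssh" means 22.
jail_port() {
    p="$(ini_value sshd port "$1")"
    case "$p" in ssh|"") echo 22 ;; *) echo "$p" ;; esac
}

# 0 when the jail watches the port sshd listens on; otherwise bans miss.
ports_consistent() {
    [ "$(sshd_port "$1")" = "$(jail_port "$2")" ]
}

# ~/.ssh must be mode 700 and authorized_keys mode 600 (GNU stat -c).
check_ssh_dir_perms() {
    [ "$(stat -c '%a' "$1")" = "700" ] || return 1
    [ ! -f "$1/authorized_keys" ] || [ "$(stat -c '%a' "$1/authorized_keys")" = "600" ]
}

if password_auth_disabled "$SAMPLE_SSHD_CONFIG" && ports_consistent "$SAMPLE_SSHD_CONFIG" "$SAMPLE_JAIL_CONF"; then
    echo "ok: password auth off, sshd port $(sshd_port "$SAMPLE_SSHD_CONFIG") matches the Fail2Ban jail"
else
    echo "problem: check PasswordAuthentication and the sshd/Fail2Ban ports" >&2
fi
```

On a real server, point `sshd_effective` at /etc/ssh/sshd_config and `ini_value` at the jail file YunoHost generates, and compare with `sudo sshd -T`, which prints the configuration sshd has actually loaded; the two should agree before you close your current session.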

Hardening ciphers used by NGINX, SSH, Dovecot, Postfix

The default TLS configuration of services favours compatibility with older devices. You can tune this policy for specific services such as SSH and NGINX. By default, the NGINX configuration follows Mozilla's 'intermediate' compatibility recommendation. You can switch to the 'modern' configuration, which applies more recent security recommendations at the cost of reduced compatibility; this may be an issue for users and visitors with older devices. More details about compatibility can be found on this page.

Changing the compatibility level is not definitive and can be reverted if it doesn't fit your environment.

On your server, change the policy for NGINX:

sudo yunohost settings set security.nginx.nginx_compatibility -v modern

On your server, change the policy for SSH:

sudo yunohost settings set security.ssh.ssh_compatibility -v modern
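To see which profile an NGINX TLS configuration actually corresponds to after switching, here is an added example (not YunoHost code) that classifies the `ssl_protocols` directive against the Mozilla profiles mentioned above: TLSv1.3 only is "modern", TLSv1.2 plus TLSv1.3 is "intermediate", and anything that still enables TLSv1.1 or older is reported as "legacy". The snippets are constructed samples; the path of the include YunoHost generates for NGINX is not shown here and would have to be supplied.

```shell
#!/bin/sh
# Added example, not YunoHost code. Classifies an NGINX TLS snippet.

# Constructed sample snippets.
SNIPPET_INTERMEDIATE="$(mktemp)"
cat > "$SNIPPET_INTERMEDIATE" <<'EOF'
# constructed nginx TLS snippet, intermediate-style
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
EOF

SNIPPET_MODERN="$(mktemp)"
cat > "$SNIPPET_MODERN" <<'EOF'
ssl_protocols TLSv1.3;   # constructed, modern-style
EOF

# Print the protocol list of the first ssl_protocols directive (no ';', no comment).
nginx_ssl_protocols() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "ssl_protocols" { sub(/;.*$/, ""); $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Print modern / intermediate / legacy / unknown for a snippet.
tls_policy_level() {
    protos="$(nginx_ssl_protocols "$1")"
    [ -n "$protos" ] || { echo unknown; return 0; }
    legacy=0 has12=0 has13=0
    for p in $protos; do
        case "$p" in
            TLSv1.3) has13=1 ;;
            TLSv1.2) has12=1 ;;
            *) legacy=1 ;;      # SSLv3, TLSv1, TLSv1.1: outside both Mozilla profiles
        esac
    done
    if [ "$legacy" -eq 1 ]; then echo legacy
    elif [ "$has12" -eq 0 ] && [ "$has13" -eq 1 ]; then echo modern
    elif [ "$has12" -eq 1 ] && [ "$has13" -eq 1 ]; then echo intermediate
    else echo unknown
    fi
}

echo "intermediate sample -> $(tls_policy_level "$SNIPPET_INTERMEDIATE")"
echo "modern sample       -> $(tls_policy_level "$SNIPPET_MODERN")"
```

The file check tells you what the configuration says; to confirm what the running server negotiates, `openssl s_client -connect <your_yunohost_server>:443 -tls1_1 </dev/null` should fail the handshake under either profile, and `-tls1_2` should fail only under 'modern'.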

Disabling the YunoHost API

YunoHost administration is accessible through an HTTP API, which is what the webadmin uses. This may be an additional, unnecessary attack surface if you are not planning to use it. In this case, you can disable the corresponding service entirely via the command line:

warning

This will completely disable both YunoHost's API and the web administration panel that relies on it. Proceed only if you are comfortable with exclusively using the command line from now on.

sudo systemctl disable yunohost-api
sudo systemctl stop yunohost-api

As yunohost-api is now disabled and not running, Diagnosis will report an error. This error can be ignored using:

sudo yunohost diagnosis ignore --filter services service=yunohost-api