Securing your portal - SonarSoftware/customer_portal GitHub Wiki

Since the customer portal contains a text file with API credentials, it is absolutely imperative that it is properly secured to prevent unauthorized access. There are some simple steps you can take to secure your portal, which are detailed below.

Leaving your portal completely unsecured is a sure recipe for getting your Sonar instance attacked.

Locking Down The Server

The best thing to do is to lock down the portal so that only the needed ports are exposed. You should also set up an SSH key for remote access. Let's start by configuring the firewall - we're going to use ufw (the Ubuntu firewall) to do this.

First, we want to make sure we allow remote access via SSH from an authorized IP. You should block all SSH access to your portal except from some authorized IP you control. This could be the IP of your office, the IP of a secure VPN, or some other IP that is strictly under your control. To do this, enter /usr/sbin/ufw allow from 1.2.3.4 to any port 22, where 1.2.3.4 is your authorized IP. This will ensure that only connections from 1.2.3.4 are allowed to SSH into your portal on port 22.

Next, we want to make sure we allow anyone to connect to port 80 or 443, so that your customers can always access the portal. To do this, enter /usr/sbin/ufw allow 80 and /usr/sbin/ufw allow 443. This will allow people to connect to port 80 or 443, regardless of their IP.

Finally, we need to enable the firewall. Note that once you do this, unless you are connected via SSH from the IP we used in the first rule, you will be disconnected! To enable the firewall, type /usr/sbin/ufw enable. Great! Your server is now significantly more secure than most - only ports 80 and 443 are fully open, and port 22 is closed unless a user is on the authorized IP you specified.
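To confirm that the three rules above ended up the way you intended, the following script audits the output of ufw status and fails if port 22 is reachable from anywhere other than your authorized IP or if 80/443 are missing. It is an added example, not part of the customer_portal wiki or its code; AUTHORIZED_IP and the sample status text are constructed placeholders, and on a real server you would pipe the live output of /usr/sbin/ufw status into audit_ufw_status instead.

```shell
#!/bin/sh
# Added example (not from the customer_portal wiki): audit `ufw status` output
# to confirm SSH (22) is allowed only from AUTHORIZED_IP and 80/443 are open.
# AUTHORIZED_IP is an assumed placeholder; replace it with your own address.
AUTHORIZED_IP="${AUTHORIZED_IP:-1.2.3.4}"

# Constructed sample of `ufw status` output so the checks can run offline.
# On a real server:  /usr/sbin/ufw status | audit_ufw_status
SAMPLE_GOOD='Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       1.2.3.4
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)'

# Same rule set plus a stray rule that would open SSH to the whole internet.
SAMPLE_BAD="$SAMPLE_GOOD
22                         ALLOW       Anywhere"

# Print every rule that allows port 22 from something other than AUTHORIZED_IP.
# Reads `ufw status` text on stdin; handles plain "ALLOW" and verbose "ALLOW IN".
ssh_rules_not_from_authorized() {
    awk -v ip="$AUTHORIZED_IP" '
        ($1 == "22" || $1 == "22/tcp") && $2 == "ALLOW" {
            from = ($3 == "IN") ? $4 : $3
            if (from != ip) print $0
        }'
}

# Returns 0 when the firewall is active, 80 and 443 are allowed, and no rule
# exposes SSH beyond AUTHORIZED_IP; returns 1 (with the offending rules on
# stderr) otherwise.
audit_ufw_status() {
    status=$(cat)
    printf '%s\n' "$status" | grep -q '^Status: active' || return 1
    printf '%s\n' "$status" | awk '$1 == "80"  && $2 == "ALLOW"' | grep -q . || return 1
    printf '%s\n' "$status" | awk '$1 == "443" && $2 == "ALLOW"' | grep -q . || return 1
    bad=$(printf '%s\n' "$status" | ssh_rules_not_from_authorized)
    [ -z "$bad" ] || { printf 'SSH exposed by rule(s):\n%s\n' "$bad" >&2; return 1; }
    return 0
}

printf '%s\n' "$SAMPLE_GOOD" | audit_ufw_status && echo "good rule set: OK"
printf '%s\n' "$SAMPLE_BAD"  | audit_ufw_status || echo "bad rule set: SSH exposed"
```

Two details worth knowing when reading the output: ufw's default incoming policy is deny, which is what keeps every port you did not list closed, and the "from 1.2.3.4" rule is IPv4-only, so SSH over IPv6 stays blocked (the 80/443 rules get matching (v6) entries automatically).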

The next step is to only allow SSH connections from a user with the proper authorized key. Here's a good tutorial on creating an SSH key. This can be slightly complex, but is a good security measure. If you decide not to use SSH keys, ensure that your SSH password is very strong - even with the firewall in place, you should always use a strong password. You can use something like KeePass to generate and store strong, random passwords. Even with the firewall, make sure you use an SSH key or generate a very strong password!

If you have decided not to use SSH keys, you should also install fail2ban. Even though you've restricted SSH access to a single IP, it's worth adding some additional security. To install fail2ban, type apt-get install fail2ban. This will install fail2ban with a default configuration that will block SSH access for 10 minutes if someone fails to authenticate 3 times. You can configure a lot of additional settings with fail2ban - check out this full tutorial.

Automatically Installing Security Updates

Ubuntu provides an option to automatically install security updates when they become available. To enable this, run /usr/sbin/dpkg-reconfigure --priority=low unattended-upgrades. You should still keep an eye on Ubuntu security notices, as some updates require a server restart. It's a good habit to SSH in and restart your portal server regularly to ensure any needed updates are properly applied.
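Ubuntu records when an installed update needs a restart by creating /var/run/reboot-required, with the packages responsible listed in /var/run/reboot-required.pkgs. The following check reads those files so you can see at a glance whether a restart is pending. It is an added example, not part of the customer_portal wiki; the optional root-prefix argument and the constructed fixture exist only so it can be exercised against a temporary directory instead of the live system.

```shell
#!/bin/sh
# Added example (not from the customer_portal wiki): report whether the
# server needs a reboot after unattended-upgrades has installed updates.
# Ubuntu writes /var/run/reboot-required (and the package list in
# /var/run/reboot-required.pkgs) when an installed update requires one.

# Usage: reboot_status [root-prefix]
# Prints "reboot required: <packages>" and returns 1, or prints
# "no reboot required" and returns 0. The prefix defaults to "" (live system);
# it is an assumed convenience so the check can run against a fixture.
reboot_status() {
    root="${1:-}"
    flag="$root/var/run/reboot-required"
    pkgs="$root/var/run/reboot-required.pkgs"
    if [ -f "$flag" ]; then
        if [ -f "$pkgs" ]; then
            # de-duplicate and join the package names on one line
            list=$(sort -u "$pkgs" | tr '\n' ' ' | sed 's/ $//')
        else
            list="(package list not recorded)"
        fi
        printf 'reboot required: %s\n' "$list"
        return 1
    fi
    printf 'no reboot required\n'
    return 0
}

# Constructed fixture mimicking a server where a kernel and libc update were
# installed; prints the temporary root it created.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/var/run"
    : > "$dir/var/run/reboot-required"
    printf 'linux-image-generic\nlibc6\nlinux-image-generic\n' \
        > "$dir/var/run/reboot-required.pkgs"
    printf '%s\n' "$dir"
}

FIXTURE=$(make_fixture)
reboot_status "$FIXTURE" || true   # constructed case: names the two packages
reboot_status "$(mktemp -d)"       # empty tree: nothing pending
```

Run reboot_status with no argument from your regular SSH session to check the real server. If you would rather not depend on remembering to log in, unattended-upgrades can also restart the machine itself: the Unattended-Upgrade::Automatic-Reboot and Unattended-Upgrade::Automatic-Reboot-Time settings in /etc/apt/apt.conf.d/50unattended-upgrades control that, at the cost of a short, scheduled outage of the portal.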