Security:Recommendations - liquidinvestigations/docs GitHub Wiki
Securing Production Servers
Data Storage
- set up encrypted storage
Network
Firewall
- firewall off all incoming connections except for destination ports HTTP (80), HTTPS (443), SSH (default 22).
- firewall off the Nomad network interface from all external connections.
Port forwarding is normally handled by the cluster container through the forward_ports configuration value. On some distributions this does not work; in that case set the value to blank:

```
# DISABLE PORT FORWARDING CONFIG (empty value)
forward_ports =
```
... and manually configure iptables/ufw:
```sh
# ZZZ is the server's public IP address (value elided on the page)
export ZZZ=....
# Redirect inbound HTTP/HTTPS on the public address to the cluster container
iptables -t nat -A PREROUTING -d $ZZZ -p tcp --dport 80 -j DNAT --to-destination 10.66.60.1:80
iptables -t nat -A PREROUTING -d $ZZZ -p udp --dport 80 -j DNAT --to-destination 10.66.60.1:80
iptables -t nat -A PREROUTING -d $ZZZ -p tcp --dport 443 -j DNAT --to-destination 10.66.60.1:443
iptables -t nat -A PREROUTING -d $ZZZ -p udp --dport 443 -j DNAT --to-destination 10.66.60.1:443
...
```
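The firewall rules above (inbound limited to 80/443/22, the Nomad interface isolated from outside, DNAT of 80/443 to the cluster container) as one reviewable script. This is an added example, not the project's own code; the public IP, interface names and SSH port are parameters, and it prints the rules rather than applying them unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not the project's own script): emits the iptables rules this
# page describes as a dry run so they can be reviewed first; APPLY=1 executes
# them instead. 10.66.60.1 is the cluster container address quoted on the page.
# Usage: gen_fw_rules PUBLIC_IP PUBLIC_IFACE NOMAD_IFACE [SSH_PORT]

emit() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

gen_fw_rules() {
    pub_ip=$1; pub_if=$2; nomad_if=$3; ssh_port=${4:-22}
    cluster_ip=${CLUSTER_IP:-10.66.60.1}

    # Default-deny inbound; keep loopback and already-established flows.
    emit iptables -P INPUT DROP
    emit iptables -A INPUT -i lo -j ACCEPT
    emit iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only HTTP, HTTPS and SSH are reachable on the public interface. Because
    # accepts are scoped to pub_if, connections from outside aimed at the
    # Nomad interface's address fall through to the DROP policy.
    for p in 80 443 "$ssh_port"; do
        emit iptables -A INPUT -i "$pub_if" -p tcp --dport "$p" -j ACCEPT
    done

    # Manual replacement for forward_ports: DNAT 80/443 to the cluster
    # container (tcp and udp, as on the page) plus the matching FORWARD accept,
    # which must precede the catch-all drop below.
    for proto in tcp udp; do
        for p in 80 443; do
            emit iptables -t nat -A PREROUTING -d "$pub_ip" -p "$proto" \
                --dport "$p" -j DNAT --to-destination "$cluster_ip:$p"
            emit iptables -A FORWARD -d "$cluster_ip" -p "$proto" --dport "$p" -j ACCEPT
        done
    done

    # Nothing else arriving on the public interface may be routed into the
    # Nomad interface. Traffic the containers send to the host over nomad_if
    # is not accepted here; add a scoped rule if the cluster needs it.
    emit iptables -A FORWARD -i "$pub_if" -o "$nomad_if" -j DROP
}

# Dry run with constructed sample values (documentation address 203.0.113.10):
gen_fw_rules 203.0.113.10 eth0 nomad0
```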
HTTPS
- Enable HTTPS and ensure the certificates are valid
Application
Update to latest
Follow the Maintenance page on keeping the system up to date and apply the latest security patches. Please also subscribe to the https://github.com/liquidinvestigations/node and https://github.com/liquidinvestigations/cluster releases to be notified when a new one is published.
Reporting Security Bugs
Please report all security-related bugs to [email protected] (PGP key: 0x8234F8D4A624D9F4).