wiki:administration/security

Version 5 (modified by hank, 13 years ago)

SilverFile Security Policies

Central Key Instance on Slicehost

We have created a highly secure instance on Slicehost (jump.silverfilecorp.com). This is where the private key files that allow access to the SilverFile servers are located.

Central Instance Users

root and sudo actions: Only the master administrator (hank) has root and sudo privileges.

sfkeys: This user creates keys for each SilverFile appliance. A separate key pair with a passphrase is created for each SilverFile appliance. Access to sfkeys is only via sudo, so only the master administrator has access to this account. sfkeys writes new passphrases to the

sfpass: All administrators have access to this user via su with a password. sfpass keeps the passphrase file(s) for the ssh keys.

admin users: Currently hank, ryan, and greg.

Central Instance Setup

The central instance (jump.silverfilecorp.com) is a virtual host on Slicehost. We are using the default configuration (as configured when creating a new slice) of Ubuntu 9.04. We have made some custom configurations to augment security:

Firewall - set to allow connections only on port 2222.

ufw allow 2222
ufw logging on
ufw enable
ufw status

sshd configuration - add the following to /etc/ssh/sshd_config. This will:

  • Make sshd listen on port 2222
  • Deny ssh access to root, sfkeys, and sfpass (admins must sudo or su to these users)
  • Limit authentication attempts to 3 per ssh session, which might help against brute-force attacks

Port 2222
PermitRootLogin no
DenyUsers root sfkeys sfpass
MaxAuthTries 3
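As an added example (not part of the original wiki page), a small Python audit that parses an sshd_config the way sshd does (first occurrence of a keyword wins, Match blocks are conditional) and reports which of the jump-host settings above are missing. It assumes Port 2222, PermitRootLogin no, MaxAuthTries 3 and a DenyUsers list covering root, sfkeys and sfpass are the required global settings; the sample configs are constructed.

```python
"""Audit an sshd_config against the jump-host settings listed above."""

# Required global settings (assumption: taken from the page's bullet list,
# with Port 2222 included).
REQUIRED = {"port": "2222", "permitrootlogin": "no", "maxauthtries": "3"}
REQUIRED_DENY_USERS = {"root", "sfkeys", "sfpass"}


def parse_sshd_config(text):
    """Return effective global options as {lowercased keyword: value}.
    sshd keeps the first occurrence of a keyword and ignores later
    duplicates; lines after the first 'Match' are conditional and skipped."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        effective.setdefault(keyword, parts[1].strip() if len(parts) > 1 else "")
    return effective


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config complies."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, wanted in REQUIRED.items():
        got = cfg.get(key)
        if got is None or got.lower() != wanted:
            findings.append("%s is %r, expected %r" % (key, got, wanted))
    missing = REQUIRED_DENY_USERS - set(cfg.get("denyusers", "").split())
    if missing:
        findings.append("DenyUsers missing: " + ", ".join(sorted(missing)))
    return findings


# Constructed sample: the page's snippet, followed by a later duplicate
# that sshd ignores because the first occurrence wins.
HARDENED = """
Port 2222
PermitRootLogin no
DenyUsers root sfkeys sfpass
MaxAuthTries 3
PermitRootLogin yes
"""
DEFAULT = "Port 22\nPermitRootLogin yes\n"  # constructed stock defaults
```

Run `audit_sshd_config(open("/etc/ssh/sshd_config").read())` on the jump host; an empty list means all four settings are in effect.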

Sudo requires target password - For additional security, sudo requires the root password instead of the admin user's password. Using the visudo command, edit the 'Defaults' line:

Defaults        env_reset,targetpw

Key Creation

The sfkeys user creates a key pair for each SilverFile appliance. Use the following command:

ssh-keygen

Private and public keys are stored in these directories respectively:

/home/sfkeys/private/
/home/sfkeys/public/

Passphrase Edit/Access

The master passphrase file is located in the sfpass home directory and is called passphrase-master.gpg. This file is edited by sfkeys in encrypted form only.

Admins will have separate passphrase files located at /home/sfpass/passphrase-<admin>.gpg. At this time we just have one passphrase file located at /home/sfpass/passphrase.gpg which is readable by all admins.

To render the decrypted passphrase file to STDOUT (note the additional dash):

gpg -o - /home/sfpass/passphrase.gpg

Never save the decrypted passphrase file to disk. View standard output only, and cut/paste the passphrase into another terminal.

For tips on creating and editing GPG files view the Using GPG section in the administration guide.

Tunneling to specific SilverFile appliance

From your local terminal, to get to sf001 for instance:

ssh -p 2222 jump.silverfilecorp.com -L 2230:sf001.silverfilecorp.com:2222
ssh -p 2230 -i sf001.key sf@localhost

Passwords Kept By Administrators

Master Administrator:

  • root@…
  • sfkeys@…

Administrator:

  • sfkeys@…
  • Decryption password to passphrase-master.gpg

Appliance Firewall

Please see the Firewall section (wiki/servers/setup-condensed#Firewall) in the general SF server setup guide.

Appliance Users and Groups

SilverFile Devices will have the following users:

sf: Admin user for the appliance. Remote access via ssh is limited to the IP of the Slicehost instance, and access is only granted with a key located on the central Slicehost instance (jump.silverfilecorp.com). sf sudos to root; this requires a password which SilverFile sysadmins will know and protect. The password is standardized.

fileuser: A system user just for Samba access. Windows usernames (i.e. the first name of the principal attorney) map to fileuser in /etc/samba/smbusers. fileuser will not have shell access; it is set up with the nologin shell:

useradd -s /usr/sbin/nologin fileuser

We will set up the following group to grant access to the main FILES repository:

fileusers: This group consists of sf, www-data, and fileuser, and grants read/write access to the /FILES directory.

MySQL Security

MySQL Users

root: Required for creating the silverfile table. The password is standardized.

sf: The password for the sf user in MySQL is uniquely generated for each sf-app instance. The authentication credentials are in the sf-app settings.py file.