add unattended-upgrades
# Install and configure a firewall (UFW)
# Install and configure fail2ban
# Automatically run OS and package security updates with <code>[[Unattended upgrades|unattended-upgrades]]</code> <ref>In a typical MONTH there are dozens of security updates that should be applied; these need to happen automatically.<blockquote> Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-34-generic x86_64)  * Documentation: https://help.ubuntu.com/  System information as of Wed Sep 21 16:15:53 UTC 2016  System load: 0.0 Processes: 129 Usage of /: 74.7% of 39.25GB Users logged in: 0 Memory usage: 27% IP address for eth0: 198.199.121.96 Swap usage: 0% IP address for eth1: 10.136.17.129  Graph this data and manage this system at: https://landscape.canonical.com/  42 packages can be updated. <span style="color:red;">30 updates are security updates.</span></blockquote></ref>
=== Security and the Webserver ===
The QB is designed to use '''HTTPS everywhere''' (not [https://www.eff.org/https-everywhere the extension], but rather the concept). With that in mind, we're provisioning TLS certificates using the [https://certbot.eff.org/ Certbot] client of the [https://letsencrypt.org/ letsencrypt] project. Ansible also ships an 'extras' module for letsencrypt: [https://docs.ansible.com/ansible/letsencrypt_module.html letsencrypt_module]. Although we can automate certificates on a live server (one that has an A record in public DNS), we need a manual step to prove control of any server that is not public. The manual step is to create a TXT record in the public DNS for the domain in question.<ref>https://tools.ietf.org/html/draft-ietf-acme-acme-02#section-7.4</ref>
{{AI}} Finish the implementation: not just installing Certbot, but also creating and verifying certificates for private (non-public) hosts.
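As an added example (not from this wiki, Certbot or the Ansible module), the script below computes the TXT record the manual step above has to publish and checks a DNS answer against it. It assumes the DNS challenge as described in draft-ietf-acme-acme-02 section 7.4 (key authorization = token "." JWK thumbprint; record value = base64url of its SHA-256) and uses a constructed account key, not a real one.

```python
"""Compute and check the _acme-challenge TXT record for a non-public host.

Added example; assumes the ACME DNS challenge (draft-ietf-acme-acme-02, 7.4):
  keyAuthorization = token || "." || base64url(JWK-Thumbprint(accountKey))
  TXT _acme-challenge.<domain>  ->  base64url(SHA-256(keyAuthorization))
"""
import base64
import hashlib
import json

# Members RFC 7638 includes in the thumbprint input, per key type (sorted).
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Unpadded base64url, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys sorted, no whitespace.
    Optional members such as 'alg' or 'kid' must not influence the result."""
    try:
        members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    except KeyError:
        raise ValueError("unsupported or missing kty: %r" % jwk.get("kty"))
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """Return (record name, expected TXT value) for the DNS challenge on `domain`."""
    key_authorization = "%s.%s" % (token, jwk_thumbprint(account_jwk))
    value = b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())
    return "_acme-challenge.%s" % domain, value


def challenge_satisfied(expected_value: str, observed_txt: list) -> bool:
    """True if any TXT string returned for the challenge name equals the expected value.
    Feed it the strings a DNS query returns (e.g. `dig +short TXT`); surrounding
    quotes as printed by dig are stripped before comparing."""
    return any(s.strip().strip('"') == expected_value for s in observed_txt)


if __name__ == "__main__":
    # Constructed sample public key and token; not a real ACME account.
    sample_jwk = {"kty": "EC", "crv": "P-256", "alg": "ES256",
                  "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
    name, value = dns01_record("internal.example.org", "sample-token", sample_jwk)
    print('%s. IN TXT "%s"' % (name, value))
```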