I was thinking about installing pi3web (in HTTPS mode) + quixplorer on my home computer to access my files remotely.
(I would have preferred ssh, but most corporate firewalls won't let anything out but HTTP <grin>)
I started to take out all unnecessary features (demo CGI, documentation directories, default webpages, server identification, etc.) to reduce the risks.
I wonder if such a strengthening guide exists?
Such a guide doesn't exist yet, but there's the configuration example 'internet.pi3'. This can be used as a starting point. I would appreciate it if you wrote down the particular steps you performed in a reproducible way. I propose this in order to add this information to the Pi3-HowTo documentation later.
--
regards,
Holger
Here is a first, rough draft for a
Pi3Web Strengthening Guide
Network
-------
- Router/NAT
- firewall
- DNS
- internet server in DMZ (not reachable through internal LAN)
- not listening on 0.0.0.0 (IPADDR_ANY)
Installation
------------
- use a dedicated host PC (not desktop)
- as Windows service
- disable remote administration option, if unused
- after installation succeeded remove
  - all CGI, Fast-CGI, Windows-CGI and ISAPI examples from folders
    Pi3Web/cgi-bin/, Pi3Web/fcgi-bin/, Pi3Web/cgi-win/ and Pi3Web/isapi/
  - the server documentation from folder Pi3Web/Pi3Docs
  - the default web pages
Configuration
-------------
- administration console as starting point for dummy users
  - disable option 'verbose error messages' (tab 'General')
  - disable remote administration option, if unused but selected during installation (tab 'General')
  - remove unused mappings (tab 'Mappings')
    - Document mapper to server documentation (pidocs)
    - CGI mapper when CGI is not used
    - Windows-CGI mapper when Windows-CGI is not used
    - Fast-CGI mapper when Fast-CGI is not used
    - ISAPI mapper when ISAPI is not used
    - Document mapper to 'Logs' when the server logs are not inspected online
    - Redirect mapper to 'pi3site' because this is an example and normally unused
  - performance optimization may improve throughput and thus lower the risk of DoS attacks (tab 'Performance')
    - enable options like 'reuse threads' according to the administration/configuration guide
    - switch off debug log after finishing optimizations
  - enable authentication for sensitive realms (tab 'Users')
    - use NTLM or MD5 authentication method if possible
    - basic authentication does not encrypt password information,
      only secure in combination with SSL
    - realms become effective by referencing them in URI mappings (defined in tab 'Mappings')
  - enable SSL for secure communication with the server (tab 'SSL')
    - generate and use private key/server certificates in a responsible way
      (no key files in shared folders)
    - enable SSL client authentication when mutual authentication is required
  - limit HTTP options (tab 'HTTP')
    - disable HTTP verbs POST, PUT and DELETE if unused
    - disable options 'Chunks' and 'Ranges' if unused
    - check and adjust the list of index pages
  - select a sufficient, simple type of directory indexing (e.g. 'DOS style HTML index' in tab 'directory indexing')
  - configure virtual hosts to separate content owned by different users
    (tab 'Virtual hosts by name', 'Virtual host by IP')
  - configure alternative TCP/IP interfaces when available, e.g. to separate
    remote administration or LAN access to the server from internet access (tab 'Interfaces')
  - change the server stamp used to identify the server software in the HTTP protocol
    (some mimicry could be helpful to confuse an attacker)
- internet.pi3 configuration template as starting point for advanced users
  - as starting point for internet configurations
  - if required add services according to the administration/configuration guide
  - take all the advice from the previous topic into consideration
Operation
---------
- back up logfiles at regular intervals
- check the error log at regular intervals
- configure a blacklist for suspicious client IPs:
- keep informed about security exploits in Pi3Web and used 3rd party software
  (e.g. PHP, openssl, perl, libxml, ...)
--
Your comments and additions are welcome.
regards,
Holger Zimmermann
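A log audit of the kind the Operation section asks for (check the error log regularly, keep a blacklist of suspicious clients), as an added example that is not part of Holger's guide or the Pi3Web project: it assumes the access log is in NCSA common log format (Pi3Web's own layout is not shown in this thread), uses constructed sample lines, and takes the removed folders and disabled verbs from the Installation and HTTP items above.

```python
import re
from collections import defaultdict

# Assumed log format: NCSA Common Log Format. Pi3Web's real log layout is not
# shown in the thread, so adjust LOG_RE to match what your server writes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Folders the guide says to delete after installation; a hardened server has
# nothing there, so any request for them is a probe.
REMOVED_PREFIXES = ("/cgi-bin/", "/fcgi-bin/", "/cgi-win/", "/isapi/", "/Pi3Docs/")
# Verbs the guide recommends disabling when unused.
DISABLED_VERBS = {"POST", "PUT", "DELETE"}
ERROR_THRESHOLD = 5  # 4xx responses from one client before it is flagged (our choice)


def audit_log(lines, threshold=ERROR_THRESHOLD):
    """Return {client_ip: sorted reasons} for clients worth adding to the blacklist."""
    reasons = defaultdict(set)
    errors = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than guess
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        if path.startswith(REMOVED_PREFIXES):
            reasons[ip].add("probed removed folder " + path)
        if method in DISABLED_VERBS:
            reasons[ip].add("used disabled verb " + method)
        if 400 <= status < 500:
            errors[ip] += 1
    for ip, n in errors.items():
        if n >= threshold:
            reasons[ip].add("%d client errors (4xx)" % n)
    return {ip: sorted(r) for ip, r in reasons.items()}


# Constructed sample lines (documentation IP ranges), not real server output.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2004:13:55:36 +0200] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.23 - - [10/Oct/2004:13:55:40 +0200] "GET /cgi-bin/test-cgi HTTP/1.0" 404 0',
    '198.51.100.23 - - [10/Oct/2004:13:55:41 +0200] "GET /Pi3Docs/index.html HTTP/1.0" 404 0',
    '198.51.100.23 - - [10/Oct/2004:13:55:42 +0200] "PUT /upload.txt HTTP/1.0" 405 0',
] + ['192.0.2.9 - - [10/Oct/2004:13:56:01 +0200] "GET /files/ HTTP/1.1" 401 0'] * 5

if __name__ == "__main__":
    for ip, why in sorted(audit_log(SAMPLE_LOG).items()):
        print(ip, "->", "; ".join(why))
```

The returned dictionary is the candidate list for the blacklist; review it before adding entries, since a misconfigured client can trip the 4xx threshold as easily as a scanner.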