From 7588d745fbd90a6b570151c10d508ba96269d7a4 Mon Sep 17 00:00:00 2001 From: Sadiq Saif Date: Sun, 8 Oct 2017 09:20:56 -0400 Subject: [PATCH] Add Security Guide (#415) --- Running-Mastodon/Security-Guide | 67 +++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 Running-Mastodon/Security-Guide diff --git a/Running-Mastodon/Security-Guide b/Running-Mastodon/Security-Guide new file mode 100644 index 00000000..fab3c2b7 --- /dev/null +++ b/Running-Mastodon/Security-Guide @@ -0,0 +1,67 @@ +# Security Guide + +This guide is meant to be a number of security measures to the Mastodon server and various accounts +that may be related to said server. + +It is not meant to cover every possible threat model. Assess your own risks and act +accordingly. + +## The Mastodon server + +### Public key authentication + +Use public key authentication with SSH. Read this excellent [guide](https://www.linode.com/docs/security/use-public-key-authentication-with-ssh). +Once you have set up public key authentication and have tested it, disable password authentication. +See this [guide](https://help.ubuntu.com/community/SSH/OpenSSH/Configuring#Disable_Password_Authentication) +on how to disable password authentication for the OpenSSH server. + +### Firewall rules + +You may want to set up some firewall rules. A Mastodon server will require public incoming +access to the following ports: 22 (SSH), 80 (HTTP), 443 (HTTPS). Here are a couple [example iptables rulesets](https://github.com/QueuingKoala/netfilter-samples/tree/master/rules-host) +that you can modify according to your needs. It is recommended to have access to your +server provider's out-of-band access method while adding any ruleset +in case you lock yourself out from SSH. + +The rulesets mentioned above can be imported like so: +```sh +iptables-restore < iptables.rules +ip6tables-restore < ip6tables.rules +``` + +## Securing various related accounts + +### Mastodon admin account(s) + +In the course of running your Mastodon server you will need an admin account for performing +tasks such as moderation. There may also be multiple admin accounts if you have more than one +admin. + +All these accounts will need to be secured due to the level of access they have. + +This is how you do that: +* Use randomly generated strong password(s), preferably with the use of a password manager +* Enable two-factor authentication for all admin account(s). This will ensure that even in +the case of a password compromise the admin account(s) themselves are not compromised. + +Setting up two-factor authentication in Mastodon is fairly simple: +Settings -> Two-factor Authentication + +### Server provider client area account + +Access to your server provider's client area account is very lucrative to any potential +attacker as such accounts usually provide access to various root password reset methods and +out-of-band access along with the ability to cancel your server service and wipe all data. + +Therefore it is important that such an account be secured with all methods available. + +This how you do that: +* Use randomly generated strong password(s), preferably with the use of a password manager +* Enable two-factor authentication. This will ensure that even in +the case of a password compromise the account itself is not compromised. + +### A note about two-factor authentication + +Please make sure to store the recovery code(s) in a secure place that is backed up (try a +offline password manager). This will protect you against loss of the second factor (usually a +smartphone).