zelo72
/
documentation
mirror of https://github.com/mastodon/documentation
1
0
Fork 0
Code Issues 6 Releases Wiki Activity
documentation/Running-Mastodon/Security-Guide.md

2.9 KiB
Raw Permalink Blame History

Security Guide

This guide is meant to be a number of security measures to the Mastodon server and various accounts that may be related to said server.

It is not meant to cover every possible threat model. Assess your own risks and act accordingly.

The Mastodon server

Public key authentication

Use public key authentication with SSH. Read this excellent guide. Once you have set up public key authentication and have tested it, disable password authentication. See this guide on how to disable password authentication for the OpenSSH server.

Firewall rules

You may want to set up some firewall rules. A Mastodon server will require public incoming access to the following ports: 22 (SSH), 80 (HTTP), 443 (HTTPS). Here are a couple example iptables rulesets that you can modify according to your needs. It is recommended to have access to your server provider's out-of-band access method while adding any ruleset in case you lock yourself out from SSH.

The rulesets mentioned above can be imported like so:

iptables-restore < iptables.rules
ip6tables-restore < ip6tables.rules

Securing various related accounts

Mastodon admin account(s)

In the course of running your Mastodon server you will need an admin account for performing tasks such as moderation. There may also be multiple admin accounts if you have more than one admin.

All these accounts will need to be secured due to the level of access they have.

This is how you do that:

  • Use randomly generated strong password(s), preferably with the use of a password manager
  • Enable two-factor authentication for all admin account(s). This will ensure that even in the case of a password compromise the admin account(s) themselves are not compromised.

Setting up two-factor authentication in Mastodon is fairly simple: Settings -> Two-factor Authentication

Server provider client area account

Access to your server provider's client area account is very lucrative to any potential attacker as such accounts usually provide access to various root password reset methods and out-of-band access along with the ability to cancel your server service and wipe all data.

Therefore it is important that such an account be secured with all methods available.

This how you do that:

  • Use randomly generated strong password(s), preferably with the use of a password manager
  • Enable two-factor authentication. This will ensure that even in the case of a password compromise the account itself is not compromised.

A note about two-factor authentication

Please make sure to store the recovery code(s) in a secure place that is backed up (try a offline password manager). This will protect you against loss of the second factor (usually a smartphone).