vrr/ntopng
2
0
Fork 0
mirror of https://github.com/ntop/ntopng.git synced 2026-04-29 07:29:32 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
ntopng/doc/README.security.md
Oskar Fagerfjäll f1d38bac3b
Fix typos in documentation (#4311) 
* Standardize spelling customize in docs

* Standardize spelling categorize in docs

* Standardize spelling behavior in docs

* Standardize spelling visualization in docs

* Standardize spelling Redis in docs

* Standardize spelling ZMQ in docs

* Standardize spelling CPU in docs

* Standardize spelling URL in docs

* Correct typos in docs
2020-08-19 11:51:11 +02:00

144 lines
4.8 KiB
Markdown
Raw Blame History

After a fresh install, ntopng will run using a default, basic
configuration. Such configuration is meant to provide an
up-and-running ntopng but does not try to secure it. Therefore, the
default configuration should only be used for testing purposes in
non-production environments.
Several things are required to secure ntopng and make it
enterprise-proof. Those things include, but are not limited to,
enabling an encrypted web access, restricting the web server access,
and protecting the Redis server used by ntopng as a cache.
Here is the list of things required to secure ntopng.
# Encrypted Web Access
By default, ntopng runs an HTTP server on port 3000. In production, it
is recommended to disable HTTP and only leave HTTPS. To disable HTTP
and enable HTTPS on port 443 the following options suffice:
```
--http-port=0
--https-port=443
```
Enabling HTTPS ntopng requires ntopng to be able to use a certificate
and a private key for the encryption. Generation instruction are
available in [README.SSL](./README.SSL).
# Restrict Web Server Listening Address
ntopng embedded web server listens on any address by default. This
means that anyone who has IP-reachability of the ntopng host can be
served with web contents by the server. That does not imply anyone can
access the ntopng web GUI -- login credentials are required for the
GUI -- but it is never a good idea to leave a remote web server
exposed also to those that should not be entitled to have access to ntopng.
The listening address can be changed from `any` to another custom address
that can be an IP address of an host interface, or just the loopback
address `127.0.0.1`.
Listening address changes are indicated using a couple of ntopng
configuration options, namely `--http-port` for HTTP and
`--https-port` for HTTPS. For example to change the HTTP server
listening address to only `127.0.0.1` and the listening address of the
HTTPS server to `192.168.2.222`, the following options can be used:
```
--http-port=:3000
--https-port=192.168.2.222:3001
```
The listening addresses can easily be verified with `netstat` on Unix.
The any address is indicated with `0.0.0.0`.
This is the `netstat` output when the HTTP and the HTTPS servers are
listening on the `any` addresses.
```
simone@devel:~$ sudo netstat -polenta | grep 300
tcp 0 0 0.0.0.0:3000 0.0.0.0:*
LISTEN 65534 67324991 5480/ntopng off (0.00/0/0)
tcp 0 0 0.0.0.0:3001 0.0.0.0:*
LISTEN 65534 67324992 5480/ntopng off (0.00/0/0)
```
This is the `netstat` output after the changes highlighted in the
example above. The `any` address is no longer listed.
```
simone@devel:~$ sudo netstat -polenta | grep 300
tcp 0 0 127.0.0.1:3000 0.0.0.0:*
LISTEN 65534 67323743 5808/ntopng off (0.00/0/0)
tcp 0 0 192.168.2.222:3001 0.0.0.0:*
LISTEN 65534 67323744 5808/ntopng off (0.00/0/0)
```
# Protected Redis Server Access
## Password-Protected Redis Server
ntopng uses Redis as a cache for DNS names and other values. The Redis
server by default listens only on the loopback address `127.0.0.1` but
it is accessible without passwords.
To secure the Redis server with a password, uncomment the
`requirepass` line of the Redis configuration file and specify a
secure (very long) password here.
```
simone@devel:~/ntopng$ sudo cat /etc/redis/redis.conf | grep requirepass
requirepass verylongredispassword
```
Once the password is set and the Redis server service has been
restarted, the ntopng `--redis` option can be used to specify the
password. To use the `verylongredispassword` in ntopng it suffices to
use the following option:
```
--redis=127.0.0.1:6379:verylongredispassword
```
## Redis Server Access via Local Unix Socket Files
Another way to secure the Redis server is to configure it to only
accept connections via a local Unix socket file, rather than on any
TCP socket.
The relevant part of the Redis configuration to use just a local Unix
socket file is the following:
```
# 0 = Redis will not listen on a TCP socket
port 0
# Create a Unix domain socket to listen on
unixsocket /var/run/redis/redis.sock
```
To tell ntopng to use the Redis Unix socket file the same `--redis`
option can be used as:
```
--redis=/var/run/redis/redis.sock
```
# ntopng User with Limited Privileges
ntopng runs with user `nobody` by default. That user is meant to
represent the user with the least permissions on the system.
It is recommended to create another user `ntopng` to run ntopng with
so that even if there are other daemons running as `nobody`, none of
them will ever be able to access files and data created by ntopng.
To run ntopng with another user just use option `--user`. For example
to run ntopng with user `ntopng` specify:
```
--user=ntopng
```
Reference in a new issue View git blame Copy permalink