How to harden Yunohost security?

:uk: English :uk: ( French is below )
So, I had some “fun” issues with someone getting into my home PC and getting my bank card numbers multiple times. I don’t have conclusive evidence, but I suspect that it was through my public-facing, home-hosted instance of Yunohost, although it may only be because the router firewall was opened to allow access to my Yunohost apps.

My server is offline at the moment, but I’d like to get it going again, just with better security this time. So what can I do to limit access to it? I have Nextcloud and Synapse installed and it’s basically just me and about 4 family members using it via web and Nextcloud/Matrix clients. Here’s what I’m thinking:

  1. Use Let's Encrypt for SSL on everything I can.
  2. Block all ports but 443 and those used by Matrix/Synapse on the router and on Yunohost via iptables.
  3. Whitelist IP ranges used by the states my family lives in. Blacklist everything else.
  4. Lock SSH to only using the private key on my machine.
  5. Put the Yunohost server on a separate subnet to my home devices (is this possible with Yunohost being a VM on my main machine?)
  6. Have updates automatically applied with a backup done automatically first. (is this possible?)

So how secure would this setup be? What else could be done to harden it?
Thanks everyone!

:fr: French :fr:
This translation was done automatically by Deepl.com. Apologies for any odd wording!

I had some “fun” problems with someone who got into my personal computer and obtained my bank card numbers several times. I have no conclusive proof, but I suspect it happened through my publicly accessible, home-hosted Yunohost instance, although it may only be because the router firewall was opened to allow access to my Yunohost applications.

My server is offline at the moment, but I’d like to bring it back up, with better security this time. What can I do to limit access to it? I have Nextcloud and Synapse installed and only I and about 4 family members use it via the web and Nextcloud/Matrix clients. Here’s what I’m thinking:

  1. Use Let's Encrypt for SSL on everything I can.
  2. Block all ports except 443 and those used by Matrix/Synapse on the router and on Yunohost via iptables.
  3. Whitelist the IP address ranges used by the states where my family lives. Blacklist everything else.
  4. Lock SSH down to only the private key on my machine.
  5. Put the Yunohost server on a subnet separate from my home devices (is this possible with Yunohost being a VM on my main machine?)
  6. Have updates applied automatically with a backup done automatically first. (is this possible?)

How secure would this configuration be? What else could be done to harden it?
Thanks everyone!

2 Likes
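Item 4 of the plan above (SSH locked to the private key on one machine) and the AllowUsers-plus-key-only combination mentioned in the replies can be verified against the server's sshd_config before the box goes back online. The script below is an added example, not code from this thread or from YunoHost; the two configuration texts are constructed samples, and the list of expected settings is an assumed baseline rather than anything the thread prescribes.

```python
"""Audit an sshd_config for key-only login.

Added example, not part of the forum thread or of YunoHost's own tooling.
sshd applies the FIRST value it finds for each keyword and ignores later
duplicates, so a hardening line appended at the bottom of the file does
nothing if a weaker line appears earlier; this check reproduces that rule.
Lines inside a "Match" block are skipped because they apply conditionally,
and files pulled in by "Include" are not followed (check them separately).
"""
import re

# Assumed baseline: keyword -> values that satisfy it.
EXPECTED = {
    "PasswordAuthentication": {"no"},
    "PubkeyAuthentication": {"yes"},
    "PermitRootLogin": {"no", "prohibit-password"},
    "KbdInteractiveAuthentication": {"no"},
}

# Constructed sample: the hardening line at the end is silently ignored by sshd.
WEAK = """\
# Distribution-style defaults (constructed sample)
PermitRootLogin yes
PasswordAuthentication yes
# added later, has no effect because the first value above wins
PasswordAuthentication no
"""

# Constructed sample of the state the original post is aiming for.
HARDENED = """\
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowUsers alice
Match User backup
    PasswordAuthentication yes
"""


def effective_settings(config_text):
    """Return {keyword (lower-case): first value} for top-level directives."""
    settings = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # everything until the next Match belongs to this block
            continue
        if in_match:
            continue
        settings.setdefault(key, value)  # first occurrence wins, like sshd
    return settings


def audit(config_text):
    """Return a list of findings; an empty list means the baseline is in force."""
    settings = effective_settings(config_text)
    findings = []
    for keyword, good in EXPECTED.items():
        actual = settings.get(keyword.lower())
        if actual is None:
            findings.append(f"{keyword} not set explicitly (sshd default applies)")
        elif actual not in good:
            findings.append(f"{keyword} is '{actual}', expected one of {sorted(good)}")
    if "allowusers" not in settings:
        findings.append("AllowUsers not set: any account with a key or password may log in")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "OK")
```

To run it against a live server, read `/etc/ssh/sshd_config` into `audit()` and repeat for any file under `/etc/ssh/sshd_config.d/`; `sshd -T` prints the values the daemon actually resolved, which is the authoritative cross-check once the config has been edited.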

Hi,

  1. Only needed ports are opened (depends on the apps you installed)
  2. Can be done (ssh, probably on nginx too) but beware of dynamic IPs. Note: IIRC, yunohost has a new secured ssh policy since the last versions. I’m using the old (dirty) combo AllowUsers + login only with key.
  3. I do it. You can add multiple keys if you access your server from multiple machines.
  4. Install the unattended-upgrades app.

I see ljf currently replying, maybe he can go way further than me :o

1 Like

With or without the firewall open on your router, one of your computers could have been infected by a virus. A virus can send packets to the internet because the router firewall only refuses incoming traffic, not outgoing… That’s the default router setting (at least in France); it’s not related to yunohost.

Some advice:

  • If you have one of the most popular OSes on your network (Windows, macOS, Android, iOS) you should consider searching for viruses on those machines first by doing an active scan (with Windows Defender, for example).
  • Never ignore an HTTPS warning for your bank.
  • Be sure all people on your network have good practices for detecting suspicious emails and messages on social networks, and for installing software…
  • Put a password on your machine, and be sure you have no SSH server (or equivalent) on it.
  • Use uBlock Origin on Firefox (avoids a lot of attacks via links).
  • Reset your router, change the password on the router, change the WPA key of your Wi-Fi.
  • Think about ALL connected devices (smartphones, tablets, printer, fridge, home automation, clock…)
  • Put stickers on cameras
  • No Bluetooth keyboard
  • Check that all of those machines have the right date, because it could be a way to avoid a certificate warning (if an old private key of a bank/CA is in the wild).
  • Check that your browsers are authentic browsers
  • Check that the browser certificate list has not been manipulated.
  • Reinstall your machines properly if you can. Especially your yunohost if you think it could be that.

If you have a configurable router you could create VLANs (with big tech efforts) and separate the network between your server and other equipment.
You could also use a dedicated app firewall, able to do things better than just allowing a port one way or another.

3 Likes

About YunoHost,

  • Put a good password (at least 12 chars), even for the yunohost user.
  • Install only apps you need, uninstall unused apps.
  • Upgrade regularly
  • Store your backups in a secure place where an attacker can’t open the files…

If you run yunohost on a VM, be sure your VirtualBox or equivalent is up to date, and the host machine too. Consider using an ARM board or another old computer to separate your desktop computer from the server.

1 Like

These are all good security tips, pretty much all of which I follow already. I only use Linux machines with some pretty tight privacy settings (ublock, no SSH access, strict tracking protection, password manager, openWRT router). I’ve reinstalled everything from the PC OS, to the mobo firmware.

I know security from a user perspective pretty well. It’s mainly server security, and especially Yunohost security specifically, that I’m new to.

1 Like

Is it possible to get the list of apps you had on this server?

You could also follow this: Security | Yunohost Documentation

But be sure to correctly upgrade your ssh config if yunohost does an update on it. (a warning appears in diagnosis and during upgrade)

Finally, you could try to contribute to the apps you use to improve security, like adding/improving fail2ban filters.

2 Likes

I have separate passwords that are both long strings of random characters for all users and services.

Appwise, I only have Nextcloud and Synapse. Nothing else.

Re upgrades, it seems using the unattended-upgrades package should keep things up to date on the server and my host machine. I just want to find a way to get Yunohost to run its backup procedure before updating itself or any app. Still figuring this out, then I can work on getting those backups moved offsite.

I used to host on an old X86 machine, but moved to a VM just because it was so very, very easy to do differential backups of the whole system. I’d love to get to the point where it was that easy with a Raspberry pi / RockPro or similar. How much more secure is it to host on a separate machine vs a virtual machine?

Nice! I hadn’t seen this. It mentions disabling the yunohost api. I do most things via the command line directly in my Yunohost VM, but occasionally for convenience I’ll log in to the web admin. Would disabling the api also disable using the webadmin?

I wish. I guess I could throw some money at them. Sadly I don’t know any code, so not sure how much use I’d be here…

At the time of the intrusion, this server had Nextcloud (with default apps + Collabora + recipe book), phpMyAdmin and WriteAs. None of their data was visibly altered. Someone just kept getting my bank card number over and over even after reinstalling every OS on every device on the network and getting my card numbers changed repeatedly. They didn’t seem to have my bank login details though, as no money was transferred out. They just made purchases with my card, even after replacing it multiple times.

The current server I’m setting up just has Nextcloud (same apps) and Synapse.

By default every update will trigger a pre-update backup.

1 Like

Hello,

I think we are also missing some additional information:

  • what is your network architecture? I say this because if your Yunohost sits in a DMZ (even one created by your ISP box), your server is already well isolated from your private network, etc.
  • what makes you think your Yunohost is the cause of the problem?
  • how could a compromise of your Yunohost affect your bank accounts? Because I imagine your Nextcloud, since it is publicly accessible, contains no critical personal information (no passwords, no identity documents, …)

In any case, nothing in the description of your problem would make me think of a compromise of your Yunohost. And from experience, I would think more of a security problem on a workstation (a good old badly configured Windows, used with admin rights day to day, or on which software from not-very-reliable sources was installed, or a click on a bad link, …

In my view, the traces of the compromise should be found before anything else, and then the affected machines cleanly reinstalled.

Sango

Hello,
A well-known source among French speakers and always interesting to (re)read:

Happy reading :wink:

Have you thought it could also be a physical or online shop where you buy things with your credit card? Now there are a lot of cameras everywhere, and some websites are not so secure…

Could it be possible your credit card was in a room and photos/videos have been posted several times on a public social network?

Do you store your credit card number in your browser or in your password manager? Is it synchronized with Nextcloud?

Do you have the same password on your yunohost and on other websites/systems?

In this post we have no evidence it’s a yunohost issue; it could be that or other kinds of things. However, you seem almost sure the issue comes from your yunohost (but without explaining why). I suggest you stop your yunohost instance for a while to see if it happens without it.

You could also try to check the logs, because if someone logs in to your server to attack you on your network, this person could leave some traces. Logs are in /var/log/auth.log; you could also watch the nginx logs.

Is it a yunohost app? How is it installed? I am searching for the package of this app to analyze it, but I don’t see this package in the list.

1 Like
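The suggestion above to look through /var/log/auth.log for traces of a login, combined with the IP-range allowlist planned in the original post, is straightforward to turn into a repeatable check. The script below is an added example, not code from the thread or from YunoHost: the log lines are constructed samples in the usual Debian sshd syslog format, and the allowlist uses documentation prefixes standing in for the family's real ISP ranges, which are not known here. It flags successful logins that used a password (when only keys are expected) or came from outside the allowlist, and counts failed attempts per source address.

```python
"""Triage sshd lines from /var/log/auth.log against an IP allowlist.

Added example for the thread; not YunoHost code. Both the log sample and the
allowlist are constructed (documentation prefixes, not real ISP ranges).
"""
import ipaddress
import re
from collections import Counter

# Constructed allowlist: stands in for the ranges of the states the family lives in.
ALLOWED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]

# Matches "Accepted publickey for alice from 203.0.113.24 port 50112 ssh2" and
# "Failed password for invalid user admin from 198.51.100.77 port 41010 ssh2".
SSHD_LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log in Debian syslog format.
SAMPLE_LOG = """\
Mar  3 06:11:02 yuno sshd[812]: Accepted publickey for alice from 203.0.113.24 port 50112 ssh2: ED25519 SHA256:constructed
Mar  3 06:12:45 yuno sshd[820]: Failed password for root from 198.51.100.77 port 41002 ssh2
Mar  3 06:12:47 yuno sshd[820]: Failed password for root from 198.51.100.77 port 41002 ssh2
Mar  3 06:12:50 yuno sshd[823]: Failed password for invalid user admin from 198.51.100.77 port 41010 ssh2
Mar  3 06:20:03 yuno sshd[901]: Accepted password for bob from 192.0.2.9 port 39980 ssh2
Mar  3 06:21:00 yuno sshd[905]: Connection closed by 192.0.2.10 port 4000 [preauth]
"""


def is_allowed(ip_text, allowed=ALLOWED):
    """True if the address falls inside one of the allowlisted networks."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in allowed)  # mixed v4/v6 comparisons are simply False


def triage(log_text, allowed=ALLOWED):
    """Return (suspicious_logins, failures_by_ip).

    suspicious_logins: list of {"user", "ip", "reasons"} for accepted logins
    that used a non-key method or came from outside the allowlist.
    failures_by_ip: Counter of failed authentication attempts per source IP.
    """
    suspicious = []
    failures = Counter()
    for line in log_text.splitlines():
        m = SSHD_LINE.search(line)
        if not m:
            continue  # disconnects, "Connection closed", etc. are not login outcomes
        user, ip, method = m.group("user"), m.group("ip"), m.group("method")
        if m.group("result") == "Failed":
            failures[ip] += 1
            continue
        reasons = []
        if method != "publickey":
            reasons.append(f"{method} auth accepted (key-only expected)")
        if not is_allowed(ip, allowed):
            reasons.append(f"{ip} outside allowlist")
        if reasons:
            suspicious.append({"user": user, "ip": ip, "reasons": reasons})
    return suspicious, failures


if __name__ == "__main__":
    logins, fails = triage(SAMPLE_LOG)
    for entry in logins:
        print("SUSPICIOUS LOGIN:", entry)
    for ip, count in fails.most_common():
        print(f"{count} failed attempts from {ip}")
```

On a live server, feed the file contents to `triage()`; if `/var/log/auth.log` is absent (recent Debian releases no longer install rsyslog by default), `journalctl -u ssh` prints the same sshd lines. The failure counter is what fail2ban reacts to automatically; the suspicious-login list is the part worth reading by hand, since a single accepted login from an unexpected place matters more than any number of failures.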

That was my first thought. I immediately reinstalled the OS and firmware on every device on my network except Yunohost. Then I had the card replaced, and stopped using it anywhere but on my home Linux PC (same LAN as Yunohost). Within a few days I was getting fraudulent charges on the new card number. This happened 3 times in a row. I have unique, strong passwords on all accounts and don’t have them saved in any password manager. I had nothing but photos, contacts and podcasts on Nextcloud.

I’m not actually convinced that Yunohost was the source of the intrusion at all. Right now I’m just looking to harden each part of the network stack, including Yunohost, which is why I asked here. That said, I already thought of and eliminated each issue you mentioned above after the first time I had an issue, and yet the problem remained. I understand that security is complex though and there are many possible vectors for entry.

You could also try to check the logs, because if someone logs in to your server to attack you on your network, this person could leave some traces. Logs are in /var/log/auth.log; you could also watch the nginx logs.

Good tip. Thanks!

Recipe book. Is it a yunohost app?

It’s a Nextcloud app, installed via Nextcloud, not through Yunohost. That said, I don’t think this is the issue, as I didn’t have that installed the first couple of times I had a problem.
