Content

Secure Redmine Server - Safety Tips for Your Web Application

We bring some advice (including strong recommendations) on how to keep your (Easy) Redmine safe and resilient. Some tips may seem obvious, however, a good checklist should contain everything.

Data security always matters for all types of organizations and software. For a long time, data security is also one of the most discussed business topics. The more advanced technology we use, the higher the level of data and application protection is generally expected and needed. So why underestimate risks if there is an easy solution for your Redmine? Secure your business with Easy Redmine today. Here's how.

 

Start Free Trial
& secure your Redmine today

 

1. Use HTTPS connection

  • Create a self-signed certificate or buy a trusted one. Instruction on how to create a self-signed certificate can be found here.
  • Set up your web-server to hold a secured connection properly. Fully restrict requests from 80 or 8080 ports or set up proper routing of them to a secure port. Detailed instructions for secure Nginx configuration are available directly in the Easy Redmine installation package under doc/INSTALL.
  • In your (Easy) Redmine settings (Administration >> Settings), set up the correct protocol type (HTTPS). It's a very important but often missed point. Please remember that not all Redmine plugins use correct routes from the system. Some of them look only for this specific setting to define what protocol should be used. It is not correct, but it happens. So it is better to be sure the protocol will be always HTTPS.
  • To verify the quality of your SSL configuration, you can use tools such as this one.
  • If there are any images or other data that you take from other sites (for example, logos, image sources), be sure they use HTTPS protocol as well. Otherwise, it can theoretically cause an obscure breach in your system. You may easily check if everything is ok with your site or not. If there are any sources from HTTP, your browser will highlight your protocol with red color and sometimes it can be crossed out. But overall, this last point is mostly about the education and discipline of your users. Some things can not be forced.

2. Check and divide permissions

  • Make sure your application is not running from the root (at least folders public, tmp, files, log). We strongly recommend that the whole application + ruby is installed from a specific user.
  • Make sure you don't have permissions like 777 for any application folder. Optimal permissions are 755 or for some files 644.

3. Keep non-used ports closed

  • Ask your system administrators or hosting providers to close all non-used ports. Open them only in case you need to update the system, ruby or application.

4. Use strong passwords

  • Make sure you don't use the same password for your root server user, root database user, application server user, database application user, and admin or any other user inside your application.
  • All passwords should be different, long enough - at least 15 symbols, containing letters, numbers and special symbols...or simply just long. Don't fall into a state of lethargy and make sure you change passwords at least inside the application at least every 6 months.
  • More about passwords and authentication in Easy Redmine is presented in our past GDPR webinar (below) and the knowledge base.

5. Update your server and application regularly

  • It's very important to keep everything up to date. The world is changing every day. The IT world is changing even quicker.
  • Every day new weaknesses are found and new safety protocols are created. If you use outdated applications - you increase the risk of attacks or scams through your server. When is the last time you updated your RubyGems?

6. Be careful with uploaded files

  • We recommend you to define file extensions that are allowed to be uploaded to your server. You may do it both from your web-server, or from inside (Easy) Redmine (Administration >> Settings >> Files). How to restrict or allow specific file extensions in Nginx you may find here. If you have settings on both at the same time, web-server wins.
  • Another option is to deploy an antivirus to check all uploaded files on the server. One free option is ClamAV.

That's not all...

These tips are the minimum that allows a Redmine admin to sleep peacefully - the application is secure. But naturally, you can add more layers of protection if required (proxy, reverse proxy, VPN, IP filter, etc.).

We can take responsibility for whole server security and implement a number of additional security measures for you at Redmine Private Cloud. If you have any questions, This email address is being protected from spambots. You need JavaScript enabled to view it.. Make your Redmine properly secured thanks to Easy Redmine.

 

Author: Lukáš Beňa, Robert Kováčik

Additional information
Free Trial

Easy Redmine 10 upgrade
Top plugins & features
New & mobile design
Server upgrades
Global cloud

Start Free Trial

Easy Redmine 10 Free Trial

Full-featured, 30 Days, SSL protected, Daily Backups, In your Geo Location

or