How to keep your Redmine server secure
0. Introduction
In this article you will find some advice (including strong recommendations) on how to keep your (Easy) Redmine safe and resilient. Some tips may seem obvious, but a good checklist should contain everything.
1. Use an https connection
- create a self-signed certificate or buy a trusted one. Instructions on how to create a self-signed certificate can be found here - https://devcenter.heroku.com/articles/ssl-certificate-self
- set up your web server to handle the secured connection properly. Either fully block requests on ports 80 and 8080 or route them to the secured port. Detailed instructions for a secure nginx configuration are available directly in the Easy Redmine installation package under doc/INSTALL.
- in your (Easy) Redmine settings (Administration >> Settings) set the correct protocol type (HTTPS). This is a very important but often missed point. Please remember that not all Redmine plugins take the correct routes from the system; some of them look only at this specific setting to decide which protocol should be used. This is not correct, but it happens, so it is better to be sure the protocol will always be https.
- to verify the quality of your SSL configuration, you can use tools such as https://www.ssllabs.com/ssltest/
- if there are any images or other data that you take from other sites (for example, logos, image sources), be sure they use the https protocol as well. Otherwise it can theoretically cause an obscure breach in your system. You may easily check whether everything is ok with your site or not: if any sources are loaded over http, your browser will highlight your protocol in red and sometimes cross it out. But overall, this last point is mostly about the education and discipline of your users. Some things cannot be forced.
2. Check and divide permissions
- make sure your application is not running as root (at least the folders public, tmp, files and log). We strongly recommend that the whole application plus Ruby be installed under a dedicated user.
- make sure you don't have permissions like 777 on any application folder. Optimal permissions are 755, or 644 for some files.
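As an added example (not from the article or from Easy Redmine), the following POSIX shell script audits the two points above: it lists world-writable paths anywhere under the application root and anything in public, tmp, files and log that is not owned by the application user, and can apply the 755/644 baseline. The application root and the user name are arguments you supply; the sample tree used in the comments is assumed.

```shell
#!/bin/sh
# Added example (not from the article or Easy Redmine): audit a Redmine tree
# for the permission problems section 2 warns about. $1 is the app root and
# $2 the dedicated (non-root) user Redmine should run as; both are assumptions.

# List every file or directory under $1 writable by "other" (777, 666, ...).
# -perm -002 is POSIX; symlinks are skipped because their mode is meaningless.
world_writable() {
    find "$1" ! -type l -perm -002 -print 2>/dev/null
}

# List every path in the sensitive Redmine folders that is not owned by the
# application user. Root-owned public/tmp/files/log is the classic result of
# installing with sudo and is exactly what the article tells you to avoid.
not_owned_by() {
    for d in public tmp files log; do
        [ -e "$1/$d" ] && find "$1/$d" ! -user "$2" -print 2>/dev/null
    done
    return 0
}

# Run both checks, print the offending paths on stderr and the finding count
# on stdout, and return 1 when anything was found (usable from cron or CI).
audit_redmine_perms() {
    findings=$( { world_writable "$1"; not_owned_by "$1" "$2"; } | sort -u )
    if [ -n "$findings" ]; then
        echo "$findings" >&2
        echo "$findings" | wc -l | tr -d ' '
        return 1
    fi
    echo 0
}

# Apply the article's baseline to the four folders: owner = app user,
# 755 for directories, 644 for regular files. Review the audit output first.
fix_redmine_perms() {
    for d in public tmp files log; do
        [ -d "$1/$d" ] || continue
        chown -R "$2" "$1/$d"
        find "$1/$d" -type d -exec chmod 755 {} +
        find "$1/$d" -type f -exec chmod 644 {} +
    done
}

# Usage: sh redmine_perms.sh /opt/redmine redmine
if [ "$#" -ge 2 ]; then
    audit_redmine_perms "$1" "$2"
fi
```

Run the audit from cron under the application user so a later "sudo" deployment that leaves root-owned files behind is caught before it breaks uploads or log rotation.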
3. Keep unused ports closed
Ask your system administrators or hosting providers to close all unused ports. Open them only when you need to update the system, Ruby or the application.
4. Use strong passwords
And make sure you don't use the same password for your server root user, database root user, application server user, database application user and the admin or any other user inside your application. All passwords should be different and long enough: at least 15 symbols, containing letters, numbers and special symbols... or simply just long (https://xkcd.com/936/). Don't fall into a state of lethargy, and make sure you change passwords, at least inside the application, at least every 6 months.
5. Update your server and application regularly
It's very important to keep everything up to date. The world is changing every day, and the IT world is changing even quicker. Every day new weaknesses are found and new safety protocols are created. If you use outdated applications, you increase the risk of attacks or scams through your server. When was the last time you updated your rubygems?
6. Be careful with uploaded files
We recommend that you define the file extensions that are allowed to be uploaded to your server. You may do it either from your web server or from inside (Easy) Redmine (Administration >> Settings >> Files). How to restrict or allow specific file extensions in nginx is described here - https://www.ruby-forum.com/t/only-allow-certain-file-extensions/161296/3. If you have settings in both places at the same time, the web server wins.
Another option is to deploy an antivirus to check all files uploaded to the server. One free option is ClamAV.
That's not all...
These tips are the minimum that allows a Redmine admin to sleep peacefully knowing the application is secure. But naturally, you can add more layers of protection if required (proxy, reverse proxy, VPN, IP filtering, etc.).