Skip to content
This repository has been archived by the owner on Apr 17, 2019. It is now read-only.

Documentation for Iroha installation security tips #2129

Merged
merged 4 commits into from
Mar 11, 2019
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions docs/source/guides/index.rst
Original file line number Diff line number Diff line change
Expand Up @@ -11,3 +11,4 @@ Guides and how-tos
libraries.rst
dependencies.rst
k8s-deployment.rst
sec-install.rst
63 changes: 63 additions & 0 deletions docs/source/guides/sec-install.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
Iroha installation security tips
================================
This guide is intended to secure Iroha installation. Most of the steps from this guide may seem obvious but it helps to avoid possible security problems in the future.

Physical security
^^^^^^^^^^^^^^^^^
In case the servers are located locally (physically accessible), a number of security measures have to be applied. Skip these steps if cloud hosting is used.

Establish organisational policy and/or access control system such that only authorized personnel has access to the server room.
Next, set BIOS/firmware password and configure boot order to prevent unauthorized booting from alternate media.
Make sure the bootloader is password protected if there is such a functionality. Also, it is good to have a CCTV monitoring in place.

Deployment
^^^^^^^^^^
First, verify that official repository is used for downloading `source code <https://github.com/hyperledger/iroha>`__ and `Docker images <https://hub.docker.com/r/hyperledger/iroha>`__.
Change any default passwords that are used during installation, e.g., password for connecting to postgres.
Iroha repository contains examples of private and public keys - never use it in production.
Moreover, verify that new keypairs are generated in a safe environment and only administrator has access to those keypairs (or at least minimise the number of people).
After deploying keys to Iroha peers delete private keys from the host that was used to perform deployment, i.e. private keys should reside only inside Iroha peers.
Create an encrypted backup of private keys before deleting them and limit the access to it.

Network configuration
^^^^^^^^^^^^^^^^^^^^^
Iroha listens on ports 50051 and 10001.
Firewall settings must allow incoming/outcoming connections to/from these ports.
baydarich marked this conversation as resolved.
Show resolved Hide resolved
If possible, disable or remove any other network services with listening ports (FTP, DNS, LDAP, SMB, DHCP, NFS, SNMP, etc).
Ideally, Iroha should be as much isolated as possible in terms of networking.

Currently, there is no traffic encryption in Iroha, we strongly recommend using VPN or Calico for setting up Docker overlay network, i.e. any mechanism that allows encrypting communication between peers.
Docker swarm encrypts communications by default, but remember to open necessary ports in the firewall configuration.
In case VPN is used, verify that VPN key is unavailable to other users.

If SSH is used, disable root login.
Apart from that, disable password authentication and use only keys.
It might be helpful to set up SSH log level to INFO as well.

If IPv6 is not used, it might be a good idea to disable it.

Updates
^^^^^^^
Install latest operating system security patches and update it regularly.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the latest

If Iroha is running in Docker containers, update Docker regularly.
While being optional, it is considered a good practice to test updates on a separate server before installing to production.

Logging and monitoring
^^^^^^^^^^^^^^^^^^^^^^
- Collect and ship logs to a dedicated machine using an agent (e.g., Filebeat).
- Collect logs from all Iroha peers in a central point (e.g., Logstash).
- Enable docker healthcheck.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right now we do not have a mechanism to identify the health of a running container. There are custom implementations that use gRPC to test if Iroha is ready to accept connections (e.g., https://github.com/d3ledger/notary/blob/7b1796472538c33817ebfea67f436221285ebc7d/docker/grpc-healthcheck.dockerfile) but this is not very reliable indicator.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done - healthcheck mentioning is deleted.

- Transfer docker healthcheck status to a monitoring system (e.g., Prometheus).
- Transfer logging and monitoring information via an encrypted channel (e.g., https).
- Set up an authentication mechanism to prevent third parties from accessing logs.
- Set up an authentication mechanism to prevent third parties from submitting logs.
- Log all administrator access.

OS hardening
^^^^^^^^^^^^
The following steps assume Docker is used for running Iroha.

- Enable and configure Docker Content Trust.
- Allow only trusted users to control Docker daemon.
- Set up a limit for Docker container resources.