Securing Cyphon

Disclaimer

The Cyphon project is provided as open-source software, and we encourage you to report any security bugs, configuration issues, or comments related to Cyphon, Cyclops, or Cyphondock. We’re extremely thankful to the responsible security researchers who report vulnerabilities to us. To make a report, please email us with the full details, including steps to reproduce the issue.

We recommend that you follow security best practices when running Cyphon. Please consult the official documentation of any open source or commercially available products that are used as a component of (or are integrated with) Cyphon, and follow their recommended security practices. This disclaimer also applies to outside APIs, operating systems, or virtualization technologies.

Credentials

Cyphon environment file

The cyphondock/config/env/cyphon.env file contains default usernames and passwords for:

  • Cyphon
  • PostgreSQL
  • RabbitMQ

Change these values before the instance is reachable by anyone else: the defaults ship in the public Cyphondock repository, so any deployment still using them is open to whoever has read that file. Once edited, the file holds live credentials, so keep it readable only by the account that runs Docker Compose.

Cyphon configuration file

The cyphondock/config/cyphon/settings/conf.py file contains default usernames and passwords for:

  • PostgreSQL
  • RabbitMQ

If you’re not setting these values through environment variables in the Cyphon environment file, you should change the default values in conf.py.

You should also set the Django SECRET_KEY to a long random value that is unique to this instance. Django uses it to sign session cookies, password-reset tokens and other signed data, so anyone who knows the key can forge them. See the instructions on configuring Django for details.
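As an added example (this is not Cyphondock's own tooling), the POSIX shell script below rotates placeholder credentials in an env file and mints a random Django SECRET_KEY. The variable names CYPHON_PASSWORD, POSTGRES_PASSWORD, RABBITMQ_DEFAULT_PASS and DJANGO_SECRET_KEY, the list of placeholder values it refuses, and the default file path are assumptions; match them to the keys that actually appear in cyphon.env and conf.py.

```shell
#!/bin/sh
# Added example, not Cyphondock's own tooling: rotate placeholder credentials
# in an env file and mint a Django SECRET_KEY. The variable names, placeholder
# values and default path below are assumptions; match them to cyphon.env.
set -eu

# Print LEN random characters from [A-Za-z0-9]; safe to embed in KEY=value lines.
gen_secret() {
    len=${1:-32}
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
}

# Set KEY=VALUE in FILE, replacing an existing line or appending one.
# VALUE must not contain backslashes (awk -v interprets them); gen_secret
# output never does.
set_env_var() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" 'BEGIN { FS = OFS = "=" }
        $1 == k { print k, v; seen = 1; next }
        { print }
        END { if (!seen) print k, v }' "$file" >"$tmp"
    mv "$tmp" "$file"
    chmod 600 "$file"   # the file now holds live secrets: owner-only
}

# Give every KEY named after FILE a fresh 32-character value.
rotate_keys() {
    file=$1; shift
    for key in "$@"; do
        set_env_var "$file" "$key" "$(gen_secret 32)"
    done
}

# Return 0 only if none of the KEYs is empty or still one of the well-known
# placeholder values (constructed list; extend it with the defaults you find).
no_defaults_left() {
    file=$1; shift
    for key in "$@"; do
        val=$(awk -F= -v k="$key" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$file")
        case "$val" in
            ""|changeme|password|guest|postgres|cyphon|admin) return 1 ;;
        esac
    done
    return 0
}

# Usage: sh rotate-env.sh --run [/path/to/cyphon.env]
if [ "${1:-}" = "--run" ]; then
    env_file=${2:-/opt/cyphon/cyphondock/config/env/cyphon.env}
    rotate_keys "$env_file" CYPHON_PASSWORD POSTGRES_PASSWORD RABBITMQ_DEFAULT_PASS
    set_env_var "$env_file" DJANGO_SECRET_KEY "$(gen_secret 50)"
    no_defaults_left "$env_file" CYPHON_PASSWORD POSTGRES_PASSWORD RABBITMQ_DEFAULT_PASS DJANGO_SECRET_KEY \
        && echo "rotated credentials in $env_file"
fi
```

Run it once on a copy of cyphon.env, confirm the services still start with the new values, and only then discard the old file. The rewrite goes through a temporary file and mv so a crash mid-run cannot leave a half-written env file, and chmod 600 closes the window where other local accounts could read the fresh secrets.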

RSA keys

The KEYS_DIR setting in the Cyphon configuration file specifies the directory in which Django stores the RSA keys associated with Passports. Nginx must never serve this directory: check your cyphondock/config/nginx/nginx.conf file to confirm that no root or alias directive places it under a served path, and keep its filesystem permissions restricted to the account that runs Cyphon so other local users cannot read the private keys either.

Ports

Cyphondock’s Docker Compose files for the production environment open the following ports on the host machine:

  Port    Protocol      Service
  80      TCP (HTTP)    Cyphon - Nginx proxy
  443     TCP (HTTPS)   Cyphon - Nginx proxy
  5000    UDP           Logstash
  5044    TCP           Logstash
  5045    TCP           Logstash
  5601    TCP           Kibana - Nginx proxy
  15672   TCP           RabbitMQ management - Nginx proxy

Restrict external access to these ports. Only 80 and 443 need to be reachable by Cyphon's users; the Logstash ports (5000, 5044, 5045) should accept traffic only from the hosts that ship logs to Cyphon, and the Kibana (5601) and RabbitMQ management (15672) interfaces should be reachable only from administrator networks. Note that Docker publishes ports by inserting its own iptables rules ahead of the host's INPUT chain, so rules managed with ufw or placed in INPUT do not filter this traffic. Either bind the published ports to a specific address in the Compose file (for example 127.0.0.1:15672:15672, so the management UI is reachable only over an SSH tunnel) or add your restrictions to the DOCKER-USER chain, which Docker evaluates before its own rules.
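As an added example (not from the Cyphondock project), the script below generates the DOCKER-USER rules for the port table above: Logstash ports open only to a log-shipper network, Kibana and RabbitMQ management only to an administrator network, 80 and 443 left public. The interface name eth0 and the two networks are assumptions; the conntrack match on the original destination port is what keeps the rule correct after Docker's DNAT rewrites the packet to the container port.

```shell
#!/bin/sh
# Added example, not from the Cyphondock project: host firewall rules for the
# ports Cyphondock publishes. Docker handles published ports in the FORWARD
# path and evaluates the DOCKER-USER chain first, so rules placed in INPUT
# (or via ufw) never see this traffic. Interface and network values are
# assumptions for this example.
set -eu

WAN_IF=${WAN_IF:-eth0}                  # interface facing untrusted networks
ADMIN_NET=${ADMIN_NET:-10.0.0.0/24}     # operators allowed to reach Kibana/RabbitMQ mgmt
SHIPPER_NET=${SHIPPER_NET:-10.0.1.0/24} # hosts that forward logs to Logstash

# Print one DOCKER-USER rule (arguments only) dropping PROTO traffic to PORT
# on WAN_IF unless it comes from SRC. --ctorigdstport matches the port the
# client connected to, which still works after Docker's DNAT to the container.
restrict_rule() {
    proto=$1 port=$2 src=$3
    printf -- '-I DOCKER-USER -i %s -p %s -m conntrack --ctorigdstport %s --ctdir ORIGINAL ! -s %s -j DROP\n' \
        "$WAN_IF" "$proto" "$port" "$src"
}

# The rule set for the ports in the table above. 80/443 are left open on
# purpose; add them here if Cyphon is internal-only.
rules() {
    restrict_rule udp 5000  "$SHIPPER_NET"   # Logstash
    restrict_rule tcp 5044  "$SHIPPER_NET"   # Logstash
    restrict_rule tcp 5045  "$SHIPPER_NET"   # Logstash
    restrict_rule tcp 5601  "$ADMIN_NET"     # Kibana
    restrict_rule tcp 15672 "$ADMIN_NET"     # RabbitMQ management
}

rule_count() { rules | wc -l | tr -d ' '; }

# Print the iptables commands (default) or apply them when APPLY=1 (root).
# -C checks for an existing identical rule so re-runs do not add duplicates.
apply_rules() {
    rules | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            set -- $rule; shift                  # drop the leading -I
            iptables -C "$@" 2>/dev/null || iptables -I "$@"
        else
            echo "iptables $rule"
        fi
    done
}

if [ "${1:-}" = "--show" ] || [ "${1:-}" = "--apply" ]; then
    [ "$1" = "--apply" ] && APPLY=1
    apply_rules
fi
```

Review the output of --show before --apply, and persist the rules with your distribution's iptables save mechanism, since the DOCKER-USER chain is recreated empty when the Docker daemon restarts. Binding the admin ports to 127.0.0.1 in the Compose file is the simpler alternative and removes the need for the 5601 and 15672 rules entirely.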

Running Cyphon with SSL through Nginx

Run Cyphon with SSL so that logins, session cookies and API traffic are not sent in clear text. Cyphondock makes this easy by providing an alternate Nginx configuration file at cyphondock/config/nginx/nginx.conf.ssl that can be used to get started quickly. Placeholder files for the SSL certificate and private key are also provided. You can use a self-signed certificate or one signed by a trusted certificate authority; a self-signed certificate still encrypts the connection, but browsers and API clients will warn about it until they are configured to trust it explicitly.

Assuming you already have an SSL certificate and private key, copy their contents into the placeholder files provided (the private key should remain readable only by its owner, and neither file should be committed to version control):

$ cd /opt/cyphon/cyphondock/config/nginx
$ cp /path/to/your/certificate ssl.crt
$ cp /path/to/your/private/key ssl.key

Then copy the provided nginx.conf.ssl over the main Nginx configuration file (back up the existing nginx.conf first if you want to be able to revert to plain HTTP):

$ cp nginx.conf.ssl nginx.conf

Finally, restart the Nginx container (or the whole Docker Compose stack) so the new configuration and certificate are loaded:

$ docker-compose restart