Securing Cyphon¶
Disclaimer¶
The Cyphon project is provided as open-source software, and we encourage you to report any security bugs, configuration issues, or comments related to Cyphon, Cyclops, or Cyphondock. We’re extremely thankful for responsible security researchers that report vulnerabilities to us. To make a report, please email us with the full details, including steps to reproduce the issue.
We recommend that you follow security best practices when running Cyphon. Please consult the official documentation of any open source or commercially available products that are used as a component of (or are integrated with) Cyphon, and follow their recommended security practices. This disclaimer also applies to outside APIs, operating systems, or virtualization technologies.
Credentials¶
Cyphon environment file¶
The cyphondock/config/env/cyphon.env
file contains default usernames and passwords for:
- Cyphon
- PostgreSQL
- RabbitMQ
Please change these values to secure your instance.
Cyphon configuration file¶
The cyphondock/config/cyphon/settings/conf.py
file contains default usernames and passwords for:
- PostgreSQL
- RabbitMQ
If you’re not setting these values through environment variables in the Cyphon environment file, you should change the default values in conf.py
.
You should also change the Django SECRET_KEY
to something unique. See the instructions on configuring Django for details.
RSA keys¶
The KEYS_DIR
setting in the Cyphon configuration file specifies the directory in which Django stores RSA keys associated with Passports. Public access to this directory should be denied. Check your cyphondock/config/nginx/nginx.conf
file to confirm this.
Ports¶
Cyphondock’s Docker Compose files for the production environment open the following ports on the host machine:
Port | Protocol | Service |
---|---|---|
80 | TCP (HTTP) | Cyphon - Nginx proxy |
443 | TCP (HTTPS) | Cyphon - Nginx proxy |
5000 | UDP | Logstash |
5044 | TCP | Logstash |
5045 | TCP | Logstash |
5601 | TCP | Kibana - Nginx proxy |
15672 | TCP | RabbitMQ management - Nginx proxy |
Please restrict external access to these ports.
Running Cyphon with SSL through Nginx¶
You may wish to run Cyphon with SSL to secure connections. Cyphondock makes this easy by providing an alternate Nginx configuration file at cyphondock/config/nginx/nginx.conf.ssl
that can be used to get started quickly. Placeholder files for SSL certificates and private keys are also provided. You can choose to use self-signed certificates or use certificates signed by a trusted certificate authority.
Assuming you already have an SSL certificate and private key, copy their contents into the placeholder files provided:
$ cd /opt/cyphon/cyphondock/config/nginx
$ cp /path/to/your/certificate ssl.crt
$ cp /path/to/your/private/key ssl.key
Then, copy the provided nginx.conf.ssl
to be the main Nginx configuration file:
$ cp nginx.conf.ssl nginx.conf
Finally, restart the Nginx Docker container or the entire Docker-Compose:
$ docker-compose restart