Hardening

The FIT Server is designed and built with security in mind. For example, the libraries supplied by Sevenval are compiled with only the functionality actually required and the default settings have been chosen carefully. However, we’d like to give you some hints about how to further improve the security of your FIT Server.

System

On a production system, you should only operate the services that are essential. These include services for remote administration such as sshd and, where appropriate, services for backup, monitoring and automatic updates. Deactivate and stop all unnecessary services.

Reduce the number of installed packages on a production system to a minimum. Uninstall all applications that are not required for server operation, especially graphical applications such as X11 and desktop environments, including the accompanying tools and libraries. Development tools like debuggers are useful only in exceptional cases and do not need to be installed permanently.

Keep your system up to date. Install all security updates as they become available from your Linux distributor. Also install all updated packages and security related extensions that Sevenval releases for the FIT Server (see Updating).

Limits

The maximum memory used by the processes of the FIT Server needs to be limited to the available memory, to prevent overloading the system by a large number of incoming requests or by timeouts due to failures of a source. This requires that the maximum number of processes and threads of the Apache Web server and the maximum number of PHP-FPM processes are suitably adjusted. Ensure that enough space is set aside for the operating system, other server processes and the file system buffers.

Both memory usage and CPU consumption also depend on the size and type of content that the FIT Server processes. The following relevant limits can be configured in fit.ini:

If no limits are set, or the values do not match the available memory, the system may become unstable and at a higher load may cause an outage.
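The sizing rule above can be turned into a quick budget check. The following is an added example, not FIT Server code and not the contents of fit.ini: it reads MemTotal from a constructed /proc/meminfo excerpt, splits what is left after a reservation for the operating system and file system buffers between Apache workers and PHP-FPM children, and reports whether a given pair of limits fits. The directive names MaxRequestWorkers (Apache 2.4) and pm.max_children (PHP-FPM) are the standard ones; the per-process sizes and the 70/30 split are assumptions you should replace with measured values.

```python
"""Added example: memory budget check for Apache and PHP-FPM process limits.
Illustrative code, not part of the FIT Server; the meminfo text and the
per-process sizes below are constructed sample values."""

# Constructed excerpt of /proc/meminfo for an 8 GiB host.
SAMPLE_MEMINFO = """MemTotal:        8388608 kB
MemFree:         1048576 kB
Buffers:          262144 kB
"""


def mem_total_mib(meminfo_text):
    """Return MemTotal in MiB from /proc/meminfo-style text."""
    for line in meminfo_text.splitlines():
        if line.startswith("MemTotal:"):
            return int(line.split()[1]) // 1024
    raise ValueError("MemTotal not found")


def plan_limits(total_mib, reserve_mib, apache_worker_mib, fpm_child_mib, fpm_share=0.7):
    """Split the memory left after the reservation between Apache workers
    and PHP-FPM children and return the resulting limits.

    fpm_share is the assumed fraction of the budget given to PHP-FPM, which
    usually needs far more memory per process than an Apache worker."""
    budget = total_mib - reserve_mib
    if budget <= 0:
        raise ValueError("reservation exceeds available memory")
    fpm_budget = int(budget * fpm_share)
    apache_budget = budget - fpm_budget
    return {
        "MaxRequestWorkers": apache_budget // apache_worker_mib,
        "pm.max_children": fpm_budget // fpm_child_mib,
    }


def check_limits(total_mib, reserve_mib, apache_worker_mib, fpm_child_mib,
                 max_request_workers, pm_max_children):
    """Worst case: every worker and every child is busy at the same time.
    'fits' is False when that demand plus the reservation exceeds RAM,
    which is the situation the text describes as unstable under load."""
    demand = max_request_workers * apache_worker_mib + pm_max_children * fpm_child_mib
    return {"worst_case_mib": demand, "fits": demand + reserve_mib <= total_mib}


if __name__ == "__main__":
    total = mem_total_mib(SAMPLE_MEMINFO)
    plan = plan_limits(total, reserve_mib=2048, apache_worker_mib=8, fpm_child_mib=64)
    print(plan)
    print(check_limits(total, 2048, 8, 64, plan["MaxRequestWorkers"], plan["pm.max_children"]))
    # An over-generous configuration on the same host does not fit:
    print(check_limits(total, 2048, 8, 64, 256, 150))
```

Measure the real per-process resident size under load (for example with ps or from the PHP-FPM status page, with the status page access-restricted as described under Tools) before trusting the numbers; a PHP-FPM child that processes large source responses can grow well beyond an idle child.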

Request ACL

For the security of the system, it is crucial to limit access to backend or source servers. This may be configured per site and system-wide in /opt/sevenval/fit14/conf/acl.xml.

We recommend setting a system-wide blacklist that forbids any unnecessary access to servers inside the data center that may be reachable through the firewall. This may include localhost, sibling servers of the FIT cluster, log servers, monitoring systems, load balancer status pages or other application servers within the DMZ that FIT does not need to load content from.

Proxy servers, however, must still be allowed.

See ACLs for more information.

Built-in Request Blacklist

The request system will deny requests matching any of the following criteria, without regard to any manually configured entries in the access control lists:

  • any protocols other than HTTP and HTTPS
  • decimal IP addresses (e.g. 2130706433 for 127.0.0.1)
  • FIT_STATUS_URL
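To make the two layers concrete, here is an added example of an outbound request filter that applies the built-in rules just listed first (protocol, decimal IP literal, status URL) and then a system-wide blacklist of the kind recommended under Request ACL, with proxies kept reachable. It is illustrative code, not the FIT Server's ACL implementation and not the acl.xml format; the value of FIT_STATUS_URL, the blacklisted hosts and networks, and the proxy name are constructed for the example.

```python
"""Added example: outbound request filter mirroring the built-in blacklist
and a site-wide host blacklist. Not FIT Server code; all hosts, networks
and the status URL below are constructed sample values."""
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical value: the page names FIT_STATUS_URL but not its value.
FIT_STATUS_URL = "http://fit.example.internal/status"

# Constructed system-wide blacklist: localhost, sibling/monitoring hosts and
# internal networks that FIT has no reason to fetch content from.
BLACKLISTED_HOSTS = {"localhost", "monitoring.internal", "lb-status.internal"}
BLACKLISTED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Proxy servers must still be allowed even though they sit inside the data center.
ALLOWED_HOSTS = {"proxy.internal"}

# A host consisting only of digits is a decimal IP literal (2130706433 == 127.0.0.1).
DECIMAL_HOST = re.compile(r"^[0-9]+$")


def decimal_to_dotted(host):
    """Translate a decimal IPv4 literal into dotted notation, or None if out of range."""
    try:
        return str(ipaddress.IPv4Address(int(host)))
    except (ValueError, ipaddress.AddressValueError):
        return None


def check_request(url):
    """Return (allowed, reason). Built-in rules cannot be overridden by the ACL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return False, f"protocol {scheme!r} not allowed"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "no host in URL"
    if DECIMAL_HOST.match(host):
        dotted = decimal_to_dotted(host)
        return False, f"decimal IP address {host}" + (f" ({dotted})" if dotted else "")
    if url.startswith(FIT_STATUS_URL):
        return False, "status URL is never fetched as a source"

    # Configured ACL: explicit allow for proxies, then the blacklist.
    if host in ALLOWED_HOSTS:
        return True, f"host {host} explicitly allowed (proxy)"
    if host in BLACKLISTED_HOSTS:
        return False, f"host {host} is blacklisted"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a DNS name, not an IP literal
    if addr is not None and any(addr in net for net in BLACKLISTED_NETWORKS):
        return False, f"address {addr} is in a blacklisted network"
    return True, "allowed"


if __name__ == "__main__":
    for candidate in [
        "ftp://files.example.com/x",
        "http://2130706433/",
        "http://localhost:8080/",
        "http://[::1]/",
        "http://10.1.2.3/api",
        "http://proxy.internal:3128/",
        "https://www.example.com/page",
    ]:
        print(candidate, "->", check_request(candidate))
```

Note that this filter only inspects the literal host in the URL. A DNS name that resolves to a blacklisted address would pass; a production ACL must also apply the network blacklist to the resolved address at connection time.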

TLS

When the FIT Engine receives an incoming HTTP request from a client, the engine usually passes it on to the source via HTTP. To secure this connection between the FIT Engine and the source, use HTTPS and, if necessary, supplement it with HTTP authentication or an SSL client certificate.

The communication between the client and the FIT Server can be secured by HTTPS as well. Since some mobile devices reject self-signed certificates, a trusted SSL certificate should be purchased and used.

Theoretically, client certificates could be used between the client and the FIT Server, if only a closed user group is to access the site. In practice, however, the installation of certificates on devices, if possible at all, is often rather cumbersome.

Unlike most HTTP proxies, the FIT Engine (or the load balancer in front of it) terminates SSL connections so that it can process the requests.

Debugging

If you have to debug one of your sites in production operation, limit debugging access to specific IP addresses (FIT_DEBUG_LOGGING_WHITELIST). If this is not possible, for example, due to dynamic address allocation, use HTTP authentication with username and password (FIT_DEBUG_AUTH_USER and FIT_DEBUG_AUTH_PASSWORD). Do not permit unrestricted debugging. Disable the debugging functions when you no longer need them.

Tools

The heartbeat script /test.fit, as well as the status reports provided by the Apache module mod_status at /ServerStatus and by PHP-FPM at /FPMStatus and /FPMAlive may display potentially sensitive information. We recommend restricting access to this information using the example configuration files conf/include.local/test_fit.conf.example and conf/include.global/status.conf.example.

System Users

The FIT Server assigns all its files to two different system users:

  • fit (group membership fit and fit-data)
  • fit-data (group membership fit-data only)

The user fit is the owner of all files under /opt/sevenval/fit14/. That includes all the shipped files and the configuration files produced by fitadmin config generate. The Web server runs with the privileges of the second user, fit-data. Therefore, all files written during operation, located in the directories /var/lib/fit14/, /var/log/fit14/ and /var/cache/fit14/, belong to fit-data.

If you have not configured any virtual hosts with a port below 1024, such as port 80 or 443, you should start the Web server without root privileges. For example, you can specify any non-privileged user of the fit-data group.