Used Zammad installation source: (source, package, …) Ubuntu via DEB
Operating system: Ubuntu 18.04
Browser + version:
Hello,
I’m a complete newbie with Zammad and I’m not very good with servers and Linux operating systems. Please excuse me if my questions are too “beginnerish”.
Here is my first question: Is the step “Optional settings” -> HTTP Basic auth necessary? If so, when and why?
Then I enabled SSL according to this file (and the instructions in it) and used this .conf file.
Zammad should be accessible from outside via a URL.
Now the second question is: Have I done all the security things I need to make sure that Zammad is reachable from the outside with the above mentioned installation?
And my last question:
Which updates should I run regularly (how often) to keep the system secure?
Hi @patrick, well, the first question is about the HTTP connection by default. Well, for security reasons it is very important to use HTTPS to encrypt the traffic; also they say how you can create a free certificate with Let's Encrypt, this is very good and important.
The type of access is your decision: if only your agents have access to the system in the LAN network, then the services need not be public, but if your system is accessible for agents and customers, then the services have to be public on the internet, yet with the protection of a firewall and other devices.
In my case Zammad, Elastic and Postgres are running on the same Linux server. The traffic between zammad <-> Elastic <-> Postgres is only “internal”. Is it also necessary to switch to SSL?
From outside only port 443 is open for https. All other incoming ports are not accessible.
Unfortunately I do not know my way around that well.
If I install Zammad via DEB, will all security related topics be activated ?
I assume that SSL is already active.
(When I open postgresql.conf, ssl = on, and certificates are already created. In pg_hba.conf I think only internal traffic is allowed:
host all all ::1/128
local replication all
host replication all 127.0.0.1/32
host replication all ::1/128
)
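As an added example (not from the thread or from Zammad), a small audit that reads a pg_hba.conf in the shape quoted above and flags entries that admit clients from beyond the host itself, accept unencrypted connections, or use the password-less `trust` method. The sample file is constructed: the quoted lines lack the METHOD column, so `peer`/`md5` are assumed, and one bad line is appended to show what gets flagged.

```python
import ipaddress

# Constructed sample shaped like the pg_hba.conf excerpt quoted above; the quoted lines
# lack the METHOD column, so peer/md5 are assumed, and one bad line is appended on purpose.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE     USER  ADDRESS       METHOD
local   all          all                 peer
host    all          all   127.0.0.1/32  md5
host    all          all   ::1/128       md5
local   replication  all                 peer
host    replication  all   127.0.0.1/32  md5
host    replication  all   ::1/128       md5
host    all          all   0.0.0.0/0     trust
"""
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def address_is_loopback(addr):
    """True if ADDRESS only matches the server itself (loopback CIDR or 'samehost')."""
    if addr == "samehost":
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).is_loopback
    except ValueError:  # 'all', 'samenet' or a hostname: not loopback-only
        return False

def audit_pg_hba(text):
    """Return [(line_no, entry, reasons)] for entries that admit clients beyond the host
    or weaken authentication; a loopback-only file yields an empty list."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments and blank lines
        reasons = []
        if fields and fields[0] == "local" and len(fields) >= 4:
            method = fields[3]                    # Unix socket entries have no ADDRESS
        elif fields and fields[0] in HOST_TYPES and len(fields) >= 5:
            addr, method = fields[3], fields[4]   # CIDR form only (not "IP NETMASK")
            if not address_is_loopback(addr):
                reasons.append(f"accepts TCP clients from {addr}, not only localhost")
            if fields[0] == "hostnossl":
                reasons.append("explicitly accepts unencrypted connections")
        else:
            continue                              # blank, comment or malformed line
        if method == "trust":
            reasons.append("method 'trust' skips authentication entirely")
        if reasons:
            findings.append((n, " ".join(fields), reasons))
    return findings

for n, entry, reasons in audit_pg_hba(SAMPLE_PG_HBA):
    print(f"line {n}: {entry}  ->  {'; '.join(reasons)}")
```

Run it against the real file (`/etc/postgresql/*/main/pg_hba.conf` on the DEB package) by passing its contents to `audit_pg_hba`; an empty result means every entry is restricted to the local machine.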
Hi @patrick, don't worry, for this forums like this one exist. Well, all services have default configurations and this is very vulnerable; if you need security for services such as Zammad, Postfix, IIS and other services, you need to have knowledge about network administration. This is very important because many services need security hardening in the configuration; you can configure the base, but if you need security in depth you will need a specialist and security devices such as a firewall, web control and endpoint protection.
For example, as you say the SSL is on, but these certificates have a standard encryption, secure for an internal service but very insecure if this service is public on the internet.
“When I open postgresql.conf, ssl = on, also certificates are already created. In pg_hba.conf I think only internal traffic is allowed”
I hope I clarified your questions, and if you have more you can tell me.
Update:
Hello Klaus,
thank you for your comments.
In my case, Zammad, Elastic and Postgres run on the same Linux server. The traffic between zammad ↔ Elastic ↔ Postgres is only “internal”. Is it also necessary to switch to SSL? From outside, only port 443 is open for https. All other incoming ports are not accessible.
I didn’t see this; yes, it is ok that PostgreSQL has SSL internally, and it is also ok that you only have HTTPS (443/tcp) enabled in your firewall. Here all is ok, but don't forget that your SSL certificate must have a signature from some entity (Comodo, VeriSign, Symantec, Let's Encrypt, etc.) for security reasons, and remember that security is internal as well as external.
Of course, security is more about hardening Tomcat, Apache, nginx; apart from the encryption, as you comment, it is also about hiding information from the service, such as against banner grabbing, among other techniques.