
Tip: Please subscribe to the Bahmni Slack #security channel for discussions around this topic. (Link)


Firewall

To keep the Bahmni CentOS server secure, it is recommended that you set up a firewall which blocks ALL incoming traffic, except the following:

  1. SSH port (if you want to enable remote SSH)

  2. HTTP/HTTPS ports of Bahmni, so that one can access Bahmni via a browser / tablet device.

Please refer to this document (and script) to understand how to set up an iptables firewall on your CentOS machine. iptables is the default firewall on CentOS Linux.

...

Please read the following document to understand how you can generate SSL certificates for HTTPS connections in Bahmni. This will ensure your connections to Bahmni are encrypted.

  1. Configure Valid SSL Certificates

SSH Security

  1. It is recommended to disable password-based SSH login (PasswordAuthentication in the /etc/ssh/sshd_config file), and instead always use key-based authentication.

  2. Disable SSH access for all users besides the ones you want to allow (DenyUsers configuration key in sshd_config).

  3. For more tips please read:

    1. http://www.tecmint.com/5-best-practices-to-secure-and-protect-ssh-server/

    2. https://www.howtoforge.com/tutorial/openssh-security-best-practices/
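As an added example (not code from the Bahmni wiki or the Bahmni project), the POSIX shell script below audits an sshd_config for the two settings recommended above. It reads the file the way sshd does (the first value of a keyword wins; Match blocks are ignored here), and the sample configs it checks are constructed inline.

```shell
#!/bin/sh
# Added example (not from the Bahmni wiki): audit an sshd_config for the settings
# recommended above. Assumes POSIX sh with awk/tr; the sample configs are constructed.

# sshd uses the FIRST value it reads for a keyword, so that is the one reported.
# Match blocks are ignored: only the global section before any "Match" line is read.
sshd_effective() {
    # $1 = keyword (case-insensitive), $2 = config file
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print tolower($2); exit }
    ' "$2"
}

# Returns 0 when every check passes, otherwise the number of failed checks.
audit_sshd_config() {
    cfg="$1"
    failed=0
    # OpenSSH defaults PasswordAuthentication to "yes" when the keyword is absent,
    # so an absent keyword is also a failure.
    if [ "$(sshd_effective PasswordAuthentication "$cfg")" != "no" ]; then
        echo "FAIL: PasswordAuthentication must be set to no" >&2
        failed=$((failed + 1))
    fi
    if [ "$(sshd_effective PubkeyAuthentication "$cfg")" = "no" ]; then
        echo "FAIL: PubkeyAuthentication must not be disabled" >&2
        failed=$((failed + 1))
    fi
    if [ -z "$(sshd_effective DenyUsers "$cfg")" ] && [ -z "$(sshd_effective AllowUsers "$cfg")" ]; then
        echo "FAIL: no DenyUsers or AllowUsers restriction present" >&2
        failed=$((failed + 1))
    fi
    return "$failed"
}

# Constructed sample configs: a default-style one and a hardened one.
WEAK_CFG=$(mktemp)
printf '%s\n' 'PasswordAuthentication yes' 'PubkeyAuthentication yes' > "$WEAK_CFG"
HARDENED_CFG=$(mktemp)
printf '%s\n' 'PasswordAuthentication no' 'PubkeyAuthentication yes' \
    'DenyUsers guest test' 'PasswordAuthentication yes' > "$HARDENED_CFG"
# The duplicate "yes" on the last line is ignored by sshd, and therefore by the audit.
audit_sshd_config "$HARDENED_CFG" && echo "hardened config passes"
audit_sshd_config "$WEAK_CFG" || echo "weak config fails"
```

On a real server, run `audit_sshd_config /etc/ssh/sshd_config` after editing, then validate with `sshd -t` before restarting the service so a typo does not lock you out.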

Change Default Passwords

  1. It is strongly recommended to change the default user passwords to improve the security of your Bahmni server. Please refer to the list of configurable installation variables here.

...

  1. Also see this discussion (especially if you are running Bahmni on CentOS).

  2. See this page Changing Default Credentials of Bahmni Docker

  3. See this: Bahmni 101 Configuration for Roles/Privileges (so that users do not get access beyond what they should see), in our Security Guide.

Run a SCAP agent to check for Misconfiguration / Vulnerabilities / Updates

  1. You can run SCAP compliance checking software like OpenSCAP, which follows the industry-recognized NIST standard, to verify the integrity and security configuration of your Linux server machines. Read more about this on the following Wiki page: Security Compliance Testing of Bahmni Servers using OpenSCAP

Further Reading For Securing the Server

  1. Please read these documents to understand other security measures you can take for your Bahmni server:

    1. https://www.digitalocean.com/community/tutorials/7-security-measures-to-protect-your-servers.

    2. https://www.digitalocean.com/community/tutorials/recommended-security-measures-to-protect-your-servers

  2. You can also consider installing intrusion detection/prevention software like Fail2Ban, which monitors your logs for repeated failed login attempts and temporarily blocks the offending source addresses.

  3. Hacker News discussion on securing a Linux server. Read here.