Securing and Protecting the Bahmni Server

It is very important to take your server security seriously. Please ensure you setup adequate security controls for your Bahmni server, including firewalls, strong passwords, key based ssh access, https certificates, etc.

Bahmni server is hosting personal data & medical data for citizens & therefore must be properly protected to ensure privacy & security. Your country will likely also have laws & compliance requirements like HIPPA, GDPR, CCPA, PDP, etc – which need to be adhered for storing citizen data. Unlike paper based mechanisms, data from computer systems can be hacked, copied, modified or destroyed very quickly by malicious actors – and it is imperative to take server security very seriously. Please see this list of EHR standards.

A collection of recommended security settings for CentOS V7 server can be found here (excel, word

Firewall

To keep the Bahmni CentOS server secure, it is recommended that you setup a firewall which blocks access to ALL incoming traffic, except the following:

  1. SSH Port (if you want to enable remote SSH)

  2. HTTP/HTTPs Ports of Bahmni, so that one can access Bahmni via browser / tablet device.

Please refer to this document (and script) to understand how to possibly setup iptable firewall on your Centos machine. iptable is the default firewall on CentOS Linux.  

SSL Certificates

Please read the following document to understand how can you generate SSL certificates for HTTPs connections in Bahmni. This will ensure your connections over Bahmni are encrypted.

  1. Configure Valid SSL Certificates

SSH Security

  1. It is recommended to disable password based ssh (/etc/ssh/sshd_config file), and instead always use key based authentication.

  2. Disable access to all other users besides the ones you want to allow ssh to (DenyUsers configuration key)

  3. For more good tips please read: 

    1. http://www.tecmint.com/5-best-practices-to-secure-and-protect-ssh-server/

    2. https://www.howtoforge.com/tutorial/openssh-security-best-practices/

Change Default Passwords

  1. It is strongly recommended to change default user passwords for better security of your Bahmni server. Please refer to the list of configurable installation variables here. Also see this discussion. (esp if you are running Bahmni on CentOS)

  2. See this page

  3. See this: Bahmni 101 Configuration for Roles/Privileges (so that users don’t get access beyond what they should see) - in our Security Guide.

Run a SCAP agent to check for Misconfiguration / Vulnerabilities / Updates

  1. You can run a SCAP compliance check software like OpenSCAP, which follows the industry recognized NIST standard to verify the integrity and security of your Linux server machines. Read more about this on the following Wiki page:

Further Reading For Securing the Server

  1. Please read this document to understand other security measures you can take for your Bahmni server: 

    1. https://www.digitalocean.com/community/tutorials/7-security-measures-to-protect-your-servers.

    2. https://www.digitalocean.com/community/tutorials/recommended-security-measures-to-protect-your-servers

  2. You can also consider installing intrusion detection softwares like Fail2Ban, which monitor intrusion attempts to your server, and block that traffic temporarily.

  3. HackerNews discussion on securing Linux server. Read here.

The Bahmni documentation is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)