Securing and Protecting the Bahmni Server

It is very important to take your server security seriously. Please ensure you set up adequate security controls for your Bahmni server, including a firewall, strong passwords, key-based SSH access, HTTPS certificates, etc.

The Bahmni server hosts personal and medical data of citizens and therefore must be properly protected to ensure privacy and security. Your country will likely also have laws and compliance requirements such as HIPAA, GDPR, CCPA or PDP, which must be adhered to when storing citizen data. Unlike paper-based records, data in computer systems can be hacked, copied, modified or destroyed very quickly by malicious actors, so it is imperative to take server security seriously.

A collection of recommended security settings for CentOS V7 server can be found here (excel, word

Also see this page for subscribing to security notifications from Bahmni https://bahmni.atlassian.net/wiki/spaces/BAH/pages/884277257

Firewall

To keep the Bahmni CentOS server secure, set up a firewall that blocks ALL incoming traffic except the following:

  1. The SSH port (only if you need remote SSH access; where possible, allow it only from your administrators' network addresses)

  2. The HTTP/HTTPS ports Bahmni is served on (80 and 443 in a standard installation), so that users can access Bahmni via a browser or tablet device.

Please refer to this document (and script) to understand how to set up an iptables firewall on your CentOS machine. iptables is the packet filter on CentOS Linux; note that CentOS 7 ships with the firewalld front end enabled by default, which manages iptables rules on your behalf, so use one or the other rather than both.
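The following is an added example for this page, not the Bahmni project's own firewall script, and it does not replace the document referred to above. It builds the default-deny ruleset the list above describes in iptables-restore format, so the whole set is loaded atomically (a typo is rejected as a whole instead of leaving the host half-configured). Assumptions, all adjustable: SSH on port 22, Bahmni served on 80/443, and an optional administrator network from which SSH is allowed; the SSH rate limit and the logging rule are additions beyond the page's list.

```shell
#!/bin/sh
# Added example (not Bahmni project code): default-deny iptables ruleset for a
# Bahmni host. Assumptions: SSH on 22, Bahmni on 80/443, optional admin CIDR.

# Print the ruleset in iptables-restore format.
#   $1 = SSH port (default 22)
#   $2 = CIDR allowed to reach SSH (default 0.0.0.0/0, i.e. anywhere)
bahmni_ruleset() {
  ssh_port="${1:-22}"
  admin_cidr="${2:-0.0.0.0/0}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback: the web server, OpenMRS and the databases talk to each other locally
-A INPUT -i lo -j ACCEPT
# Replies to connections this server opened itself (yum, DNS, NTP)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow ping so operators can check that the host is up
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# SSH: the 6th new connection from one address within 60 s is dropped (brute-force brake)
-A INPUT -p tcp --dport ${ssh_port} -s ${admin_cidr} -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport ${ssh_port} -s ${admin_cidr} -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --name SSH -j DROP
-A INPUT -p tcp --dport ${ssh_port} -s ${admin_cidr} -j ACCEPT
# Bahmni web UI over HTTP and HTTPS
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Log a sample of what is about to be dropped (see /var/log/messages), then the DROP policy applies
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "bahmni-fw-drop: "
COMMIT
EOF
}

# Validate, load and persist the ruleset. Requires root.
bahmni_firewall_apply() {
  # --test parses the ruleset without committing it, so a typo stops here
  bahmni_ruleset "$@" | iptables-restore --test || return 1
  bahmni_ruleset "$@" | iptables-restore
  # Persisting across reboots on CentOS 7 needs the iptables-services package,
  # with firewalld stopped so the two do not fight over the same tables:
  #   systemctl stop firewalld && systemctl disable firewalld
  #   yum install -y iptables-services && systemctl enable iptables
  iptables-save > /etc/sysconfig/iptables
}

case "${1:-}" in
  --show)  bahmni_ruleset "$2" "$3" ;;          # e.g. ./bahmni-fw.sh --show 22 203.0.113.0/24
  --apply) bahmni_firewall_apply "$2" "$3" ;;   # e.g. ./bahmni-fw.sh --apply 22 203.0.113.0/24
esac
```

Apply it from an SSH session you keep open, then confirm from a second terminal that SSH and https://your-server still work before logging out; if something is wrong, the open session can still run `iptables -P INPUT ACCEPT` to recover. `iptables -L INPUT -n -v` shows the loaded rules and their packet counters.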

SSL Certificates

Please read the following document to understand how you can generate SSL/TLS certificates for HTTPS connections to Bahmni. This ensures that traffic between browsers or tablets and the Bahmni server is encrypted, so patient data and login credentials cannot be read on the network. Once a certificate is installed, verify that plain HTTP requests are redirected to HTTPS, and note the certificate's expiry date so it is renewed before browsers start showing warnings.

  1. Configure Valid SSL Certificates

SSH Security

  1. Disable password-based SSH login in /etc/ssh/sshd_config (set PasswordAuthentication no and, on CentOS 7, also ChallengeResponseAuthentication no, since PAM can otherwise still prompt for a password) and always use key-based authentication. Install the public key in ~/.ssh/authorized_keys and confirm that key login works from a second terminal before disabling passwords, so you do not lock yourself out.

  2. Restrict SSH to the users who actually need it. A DenyUsers list works, but an AllowUsers list in sshd_config is safer: any account not listed, including ones created later, is refused automatically. Disable direct root login as well (PermitRootLogin no).

  3. For more tips, please read: 

    1. http://www.tecmint.com/5-best-practices-to-secure-and-protect-ssh-server/

    2. https://www.howtoforge.com/tutorial/openssh-security-best-practices/
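The following is an added example of applying the sshd_config changes from the list above on CentOS 7; it is not Bahmni project code. It edits the main config file in place because OpenSSH 7.x on CentOS 7 has no Include directive, validates the result with `sshd -t` before reloading, and uses the placeholder administrator accounts `bahmni` and `ops`, which you should replace with your own.

```shell
#!/bin/sh
# Added example (not Bahmni project code): sshd_config hardening for CentOS 7.
# Assumptions: OpenSSH 7.x (edit the main file, no Include), placeholder admin
# accounts "bahmni" and "ops"; MaxAuthTries/LoginGraceTime values are suggestions.

# Set "Key Value" in an sshd_config-style file. An existing line for the key,
# commented out or not, is replaced; otherwise the directive is appended.
# Running it twice yields the same file. It does not understand Match blocks,
# so keep host-wide settings above any "Match" line.
sshd_set_directive() {
  file="$1"; key="$2"; value="$3"
  if grep -Eq "^[#[:space:]]*${key}([[:space:]]|$)" "$file"; then
    sed -i -E "s|^[#[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# Apply the hardening set to a config file.
#   $1 = path to sshd_config, $2 = space-separated AllowUsers list
sshd_harden() {
  cfg="$1"; allowed="${2:-bahmni ops}"
  sshd_set_directive "$cfg" PubkeyAuthentication yes
  sshd_set_directive "$cfg" PasswordAuthentication no
  # CentOS 7 uses PAM keyboard-interactive auth; without this, password prompts survive
  sshd_set_directive "$cfg" ChallengeResponseAuthentication no
  sshd_set_directive "$cfg" PermitEmptyPasswords no
  sshd_set_directive "$cfg" PermitRootLogin no
  sshd_set_directive "$cfg" AllowUsers "$allowed"
  sshd_set_directive "$cfg" MaxAuthTries 3
  sshd_set_directive "$cfg" LoginGraceTime 30
  sshd_set_directive "$cfg" X11Forwarding no
}

# Edit the live config with a backup, then let sshd validate it before reload.
# Keep the current SSH session open and test a fresh login from a second
# terminal; if that fails, restore the backup from the still-open session.
sshd_apply() {
  cfg=/etc/ssh/sshd_config
  cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
  sshd_harden "$cfg" "$1"
  if sshd -t; then
    systemctl reload sshd
  else
    echo "sshd_config failed validation; restore the backup before reloading" >&2
    return 1
  fi
}

case "${1:-}" in
  --apply) sshd_apply "$2" ;;   # e.g. ./harden-ssh.sh --apply "bahmni ops"
esac
```

After reloading, `ssh -o PasswordAuthentication=no -o PubkeyAuthentication=no user@host` from another machine should be refused outright, and a user outside the AllowUsers list should be refused even with a valid key.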

Change Default Passwords

It is strongly recommended to change the default passwords of all user accounts created by the installation, not just the operating system login, since the defaults are public knowledge. Please refer to the list of configurable installation variables here.

Further Reading For Securing the Server

  1. Please read these documents to understand other security measures you can take for your Bahmni server: 

    1. https://www.digitalocean.com/community/tutorials/7-security-measures-to-protect-your-servers.

    2. https://www.digitalocean.com/community/tutorials/recommended-security-measures-to-protect-your-servers

  2. You can also consider installing Fail2Ban, which watches the authentication logs for repeated failed login attempts and temporarily blocks the offending IP address in the firewall.
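As an added example, not Bahmni project code, the following writes a minimal Fail2Ban jail for sshd on CentOS 7, where sshd logs to /var/log/secure. It assumes Fail2Ban is installed from EPEL and that bans are enforced with iptables; the thresholds and the placeholder administrator network 203.0.113.0/24 are assumptions to tune for your site.

```shell
#!/bin/sh
# Added example (not Bahmni project code): Fail2Ban jail for sshd on CentOS 7.
# Assumptions: fail2ban from EPEL, iptables-based banning, sshd logging to
# /var/log/secure; 203.0.113.0/24 is a placeholder for your admin network.

# Print jail.local. $1 = SSH port (default 22).
fail2ban_jail_local() {
  ssh_port="${1:-22}"
  cat <<EOF
[DEFAULT]
# Never ban the host itself or the administrators' network
ignoreip = 127.0.0.1/8 203.0.113.0/24
# Ban for one hour after 5 failures within ten minutes (values in seconds)
bantime = 3600
findtime = 600
maxretry = 5
banaction = iptables-multiport

[sshd]
enabled = true
port = ${ssh_port}
logpath = /var/log/secure
EOF
}

# Install Fail2Ban, write the jail and start the service. Requires root.
fail2ban_apply() {
  yum install -y epel-release fail2ban
  fail2ban_jail_local "$1" > /etc/fail2ban/jail.local
  systemctl enable fail2ban
  systemctl restart fail2ban
  fail2ban-client status sshd   # lists currently banned addresses
}

case "${1:-}" in
  --show)  fail2ban_jail_local "$2" ;;   # e.g. ./fail2ban-setup.sh --show 22
  --apply) fail2ban_apply "$2" ;;        # e.g. ./fail2ban-setup.sh --apply 22
esac
```

If you move SSH to a non-standard port in the firewall, pass the same port here; otherwise the jail watches the log but the ban rule never matches the real traffic. `fail2ban-client set sshd unbanip <address>` releases an administrator who locked themselves out.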