Sysadmin Guide

General Security


Securing file permissions

This section describes the best way to secure your filesystem.

  1. Create a new deskpro user on your server.
  2. Change the owner of all files to the deskpro user. For example, on Linux:

     chown -R deskpro:deskpro /path/to/deskpro

     Then remove group and world write permission from all files and directories (run from /path/to/deskpro):

     find . -type d -print0 | xargs -0 chmod 755
     find . -type f -not -path "*/bin/*" -print0 | xargs -0 chmod 644

  3. The web server still needs to write to a few specific directories, so you need to make them writable:

     chmod -R 0777 /path/to/deskpro/attachments /path/to/deskpro/var

Note

If you want to secure permissions even more, you can use groups or ACLs so that only deskpro and your web server user (e.g. www or nobody) can write to these directories, instead of the world-writable permissions shown here.

  4. Next, you need to re-configure scheduled tasks for automatic updates. Since your regular task now runs as a user who cannot modify the filesystem, the updater won't work; it will fail with a permission error.

     So you need to create a new task that only performs the update task, and you need to run it as the deskpro user you just created.

     • Edit the scheduled task you already have configured on your server. The command will be for bin/cron. Change it to bin/cron --no-auto-updater
     • Create a NEW scheduled task that runs every minute and is run by your deskpro user. This time, the command is bin/cron --auto-updater

     For example, here's what /etc/crontab might look like:

     * * * * * www-data /opt/deskpro/bin/cron --no-auto-updater
     * * * * * deskpro  /opt/deskpro/bin/cron --auto-updater
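As an added example (not Deskpro's own tooling), the following hypothetical script applies steps 2 and 3 above in the stricter form the Note describes, a shared group instead of 0777, and then audits the tree for anything world-writable. It assumes the deskpro user and the web server user share the group passed as the second argument (e.g. www-data); the demo tree it builds is constructed in a temporary directory.

```shell
#!/bin/sh
# Hypothetical helper (added example, not Deskpro's own tooling): applies steps 2-3
# the way the Note suggests, group-writable instead of 0777, then audits the tree.
# Assumes the deskpro user and the web server user share WEB_GROUP (e.g. www-data).
set -eu

# Step 2: directories 755, files 644; bin/ is left alone as in the guide so the
# cron entry point keeps its execute bit. -exec {} + tolerates empty matches.
deskpro_lock_tree() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -not -path "*/bin/*" -exec chmod 644 {} +
}

# Step 3 per the Note: attachments/ and var/ become writable by the shared group
# only. The setgid bit (2775) makes new files inherit that group.
deskpro_open_writable_dirs() {
    root=$1; group=$2
    for d in "$root/attachments" "$root/var"; do
        chgrp -R "$group" "$d"
        find "$d" -type d -exec chmod 2775 {} +
        find "$d" -type f -exec chmod 664 {} +
    done
}

# Audit: list anything world-writable outside attachments/ and var/.
# Returns 1 if such entries exist, so it can run from cron as a drift check.
deskpro_audit() {
    root=$1
    bad=$(find "$root" -perm -002 \
        -not -path "$root/attachments" -not -path "$root/attachments/*" \
        -not -path "$root/var" -not -path "$root/var/*")
    if [ -n "$bad" ]; then
        printf 'world-writable outside attachments/var:\n%s\n' "$bad"
        return 1
    fi
}

# Constructed demo tree standing in for /path/to/deskpro; no real install needed.
deskpro_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/attachments" "$root/var/cache"
    printf 'secret\n' > "$root/config.php"; chmod 666 "$root/config.php"
    printf '#!/bin/sh\n' > "$root/bin/cron"; chmod 755 "$root/bin/cron"
    deskpro_lock_tree "$root"
    deskpro_open_writable_dirs "$root" "$(id -gn)"
    if deskpro_audit "$root"; then rc=0; else rc=1; fi
    rm -rf "$root"
    return "$rc"
}
```

Run deskpro_demo to see the whole sequence on a throwaway tree; on a real server call the three functions with /path/to/deskpro and your shared group instead.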

Server access

Ensure your various services (MySQL, mail, Elasticsearch, etc.) are not accessible from the internet.

For example:

  • Enable the firewall and only open specific service ports
  • For internally-used servers like MySQL, only allow access from machines that require it.
  • MySQL's own account management features let you restrict a user account to specific hosts. For example, if MySQL is only used locally on the same server as Deskpro, you should create a user 'deskpro'@'localhost'. The localhost host part means that user can only connect locally.

Enable IP Whitelisting

Enable IP Whitelisting in Admin > Agents > Settings.

Monitoring

Install intrusion-detection software such as OSSEC (see also this useful guide).

This class of software helps you monitor files and log files so you can be notified when something changes.
