Securing file permissions
This section describes how to lock down the file permissions of your Deskpro installation.
- Create a new deskpro user on your server.
- Change the owner of all files to the deskpro user. For example, on Linux:
chown -R deskpro:deskpro /path/to/deskpro
Then remove group and world write permission from every file and directory. Run these commands from inside /path/to/deskpro (they operate on the current directory); files under bin/ are skipped so they keep their execute bit:
find . -type d -print0 | xargs -0 chmod 755
find . -type f -not -path "*/bin/*" -print0 | xargs -0 chmod 644
- The web server still needs to write to a few specific directories, so you need to make them writable:
chmod -R 0777 /path/to/deskpro/attachments /path/to/deskpro/var
Note
If you want to secure permissions even more, use groups or ACLs so that only the deskpro user and your web server user (e.g. www or nobody) can write to these directories. Mode 0777 as shown above lets every account on the server write to them, not just the web server.
- Next, re-configure the scheduled tasks for automatic updates. The scheduled task you already have runs as the web server user, which can no longer write to the application files, so the automatic updater would fail with a permission error. You therefore need a second task that only performs the update and runs as the deskpro user you just created.
- Edit the scheduled task you already have configured on your server. The command will be for bin/cron. Change it to bin/cron --no-auto-updater
- Create a NEW scheduled task that runs every minute as your deskpro user. This time, the command is bin/cron --auto-updater
For example, here's what /etc/crontab might look like:
* * * * * www-data /opt/deskpro/bin/cron --no-auto-updater
* * * * * deskpro /opt/deskpro/bin/cron --auto-updater
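The following script is an added example, not Deskpro's own tooling, that carries out the ownership and permission steps above but uses the group-based approach from the note instead of world-writable directories. It assumes the application files are owned by the deskpro user, that the web server runs in the www-data group, and that the writable directories are attachments/ and var/ as the page states; the function names and the installation root you pass in are hypothetical. Run harden_tree as root on a real server; the two check functions can be run afterwards (or from a monitoring job) to confirm nothing is world-writable.

```shell
#!/bin/sh
# Added example (not Deskpro's script): lock down a Deskpro tree using a shared
# group rather than chmod 0777. Assumed layout: OWNER is the deskpro user,
# WEBGROUP is the web server's group (e.g. www-data), ROOT is /path/to/deskpro.

# harden_tree OWNER WEBGROUP ROOT
harden_tree() {
  owner="$1"; webgroup="$2"; root="$3"

  # Everything is owned by the deskpro user. The group is the web server's
  # group, so the web server can read (and run bin/) but not write by default.
  chown -R "$owner:$webgroup" "$root"

  # Directories 750, files 640; files under bin/ stay executable (750).
  find "$root" -type d -exec chmod 750 {} +
  find "$root" -type f -not -path "*/bin/*" -exec chmod 640 {} +
  find "$root" -path "*/bin/*" -type f -exec chmod 750 {} +

  # Only the directories the web server must write to get group write. The
  # setgid bit (2770) makes files the web server creates inherit the group,
  # so the deskpro user (and its updater cron) can still manage them later.
  for d in "$root/attachments" "$root/var"; do
    mkdir -p "$d"
    find "$d" -type d -exec chmod 2770 {} +
    find "$d" -type f -exec chmod 660 {} +
  done
}

# is_world_writable PATH: succeeds if "others" have write permission.
is_world_writable() {
  [ -n "$(find "$1" -maxdepth 0 -perm -0002)" ]
}

# is_group_writable PATH: succeeds if the group has write permission.
is_group_writable() {
  [ -n "$(find "$1" -maxdepth 0 -perm -0020)" ]
}
```

With this layout the cron entries above still work: the www-data task can read the code and write attachments and var, and the deskpro task owns every file so the updater can replace them.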
Server access
Ensure your various services (MySQL, mail, Elasticsearch etc) are not accessible from the internet.
For example:
- Enable the firewall and only open specific service ports
- For internally-used servers like MySQL, only allow access from machines that require it.
- MySQL's own account management lets you restrict a user account to specific hosts. For example, if MySQL is only used locally on the same server as Deskpro, create the user 'deskpro'@'localhost'. The localhost host part means that account can only connect from the local machine, so a leaked password cannot be used over the network.
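A quick way to check the point above is to look at what is actually listening. The script below is an added example, not part of Deskpro, that filters `ss -tln` output and reports any of the backend ports you expect to be local-only (MySQL 3306, Elasticsearch 9200, SMTP 25/587 are assumed here) that are bound to a non-loopback address. The sample output embedded in it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not Deskpro's tooling): flag backend services reachable from
# outside the host. On a live server run:  ss -tln | public_listeners 3306,9200,25,587

# public_listeners PORTS
# PORTS is a comma-separated list of ports that should be loopback-only.
# Reads `ss -tln`-style lines on stdin and prints "port address" for every
# LISTEN socket on one of those ports whose local address is not loopback.
public_listeners() {
  awk -v ports="$1" '
    BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
      addr = $4                          # e.g. 0.0.0.0:9200 or [::]:25
      port = addr; sub(/.*:/, "", port)  # text after the last colon
      host = addr; sub(/:[^:]*$/, "", host)
      if (!(port in want)) next
      if (host == "127.0.0.1" || host == "[::1]" || host ~ /^127\./) next
      print port, host
    }'
}

# Constructed sample: MySQL correctly bound to loopback, Elasticsearch and
# SMTP exposed on all interfaces, HTTPS public as expected.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:9200        0.0.0.0:*
LISTEN 0      511    *:443               *:*
LISTEN 0      100    [::]:25             [::]:*'

# Runs the check against the constructed sample (no live ss needed).
check_sample() {
  printf '%s\n' "$SAMPLE_SS" | public_listeners 3306,9200,25,587
}
```

Anything the function prints should either be moved to a loopback bind (for example bind-address = 127.0.0.1 for MySQL) or blocked at the firewall so only the machines that need it can reach it.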
Enable IP Whitelisting
Enable IP Whitelisting in Admin > Agents > Settings.
Monitoring
Install intrusion-detection software such as OSSEC.
This class of software monitors file integrity and log files so you can be notified when something changes, for example when a file under /path/to/deskpro is modified outside of an update.
Force global password reset
There may be situations where you want to force all your users and/or agents to reset their helpdesk passwords. This can be done with a single command:
bin/console dp:require-password-reset <opt>
Replace the <opt> parameter with one of these options to define who is affected by the change:
- agents -- agents only
- admins -- admins only
- users -- users only
- all -- every user in the system
The command blocks each affected person from accessing the helpdesk at their next login attempt and triggers a password reset email to their address. The person then needs to click the token link in that email.
If the person cannot access their email, an agent can carry out the password reset for them. When an agent resets it this way, the person will not be able to use their previous password.