2019-07-18 21:25:53 -05:00
|
|
|
# General
|
2016-10-07 11:21:19 +00:00
|
|
|
|
2019-07-18 21:25:53 -05:00
|
|
|
Like any good software we take security seriously. However, bugs do
|
|
|
|
|
make it into the software along with the history of the code base we
|
|
|
|
|
inherited. It's how we deal with identified vulnerabilities that
|
|
|
|
|
should show that we take things seriously.
|
2016-10-07 11:21:19 +00:00
|
|
|
|
2022-02-16 02:43:48 +01:00
|
|
|
## Securing your install
|
2019-07-18 21:25:53 -05:00
|
|
|
|
|
|
|
|
As with any system of this nature, we highly recommend that you
|
|
|
|
|
restrict access to the install via a firewall or VPN.
|
|
|
|
|
|
2023-09-18 11:11:44 -05:00
|
|
|
Please ensure you keep your install [up to date](Updating.md).
|
|
|
|
|
|
|
|
|
|
### Enable HTTPS
|
|
|
|
|
|
2019-07-18 21:25:53 -05:00
|
|
|
It is also highly recommended that the Web interface is protected with
|
|
|
|
|
an SSL certificate such as ones provided by [LetsEncrypt](http://www.letsencrypt.org).
|
2016-10-07 11:21:19 +00:00
|
|
|
|
2023-09-18 11:11:44 -05:00
|
|
|
### Secure Session Cookies
|
|
|
|
|
|
|
|
|
|
Once you have enabled HTTPS for your install, you should set `SESSION_SECURE_COOKIE=true`
|
|
|
|
|
in your .env file. This will require cookies to be transferred by secure protocol and
|
|
|
|
|
prevent any MiM attacks against it.
|
2016-10-07 11:21:19 +00:00
|
|
|
|
2022-02-16 02:43:48 +01:00
|
|
|
### Trusted Proxies
|
2021-10-03 14:13:20 -05:00
|
|
|
|
|
|
|
|
When using a reverse proxy, you may restrict the hosts allowed to forward
|
|
|
|
|
headers to LibreNMS. By default this allows all proxies, due to legacy reasons.
|
|
|
|
|
|
|
|
|
|
Set APP_TRUSTED_PROXIES in your .env to an empty string or the urls to
|
|
|
|
|
the proxies allowed to forward.
|
|
|
|
|
|
2022-02-16 02:43:48 +01:00
|
|
|
## Reporting vulnerabilities
|
2019-07-18 21:25:53 -05:00
|
|
|
|
|
|
|
|
Like anyone, we appreciate the work people put in to find flaws in
|
|
|
|
|
software and welcome anyone to do so with LibreNMS, this will lead to
|
|
|
|
|
better quality and more secure software for everyone.
|
|
|
|
|
|
|
|
|
|
If you think you've found a vulnerability and want to discuss it with
|
2021-10-03 11:20:26 -05:00
|
|
|
some of the core team then you can contact us on
|
|
|
|
|
[Discord](https://discord.com/invite/librenms) and we will endeavour to
|
2019-07-18 21:25:53 -05:00
|
|
|
get back to as quick as we can, this is usually within 24 hours.
|
2016-10-07 11:21:19 +00:00
|
|
|
|
2021-10-03 11:20:26 -05:00
|
|
|
We are happy to attribute credit to the findings, but we ask that we're
|
2019-07-18 21:25:53 -05:00
|
|
|
given a chance to patch any vulnerability before public disclosure so
|
|
|
|
|
that our users can update as soon as a fix is available.
|
2016-10-07 11:21:19 +00:00
|
|
|
|
