Port 7777 is required for insecure admin access.

  • Initially used until the Administration VPN is configured, then disabled.

  • See below: unprotected ADMIN access.

  • Block public port 7777 after enabling the Administration VPN.

Ports 12000 through 12050 are also required if you use the VPN for CAS Administration access.

Port 7743 is OPTIONAL; it may be used by various extensions (Onfido, etc.).

  • When in doubt, tighten security by keeping this port blocked. You can always turn it back on later if necessary, but you can’t undo a security breach. Block it to be safe.

In the interest of security, you should always employ a firewall on your CAS server.

Option 1 (Easiest): Configure UFW

UFW, or Uncomplicated Firewall, is a simplified firewall management interface. It controls iptables without requiring a college degree. UFW is included by default with Ubuntu. These instructions will restrict access solely to your terminals and to those people with whom you deliberately share access to CAS.

sudo ufw allow ssh

For increased security, you might limit SSH access to a specific IP:

  • sudo ufw allow from ALLOWED_IP to any port 22

  • Replace ALLOWED_IP with the specific public IP to which you wish to grant access.

  • This security enhancement can lock you out of your server. Proceed with caution, and make sure that the IP you are permitting is the correct one (and will remain so until you deliberately change it).

  • If your access IP changes (and you are locked out), you can still log in to your Digital Ocean droplet and change the UFW settings, but that is outside the scope of GB Support. Contact Digital Ocean.

3. BATM/Terminals

Terminals (v.20230801+) employing the VPN normally use only port 7742 and ports 13000 through 13010.

  • Port 7741 may need to be exposed under certain conditions.

    • Port 7741 is only used for the initial connection to your CAS, e.g. when the BATM is brand new (or factory reset) and has never connected to your CAS before.

  • Digital Ocean droplets routinely use "eth0" as the public interface name.

    • Other hosts may vary; in that case, use ip a to see all available interfaces.

    • Replace eth0 (on the relevant UFW line) with that name.

First-time connection to CAS

If you are connecting a new BATM, you will need to temporarily expose port 7741:

sudo ufw allow 7741/tcp

After you’ve connected the BATM, remove the UFW exception with:

sudo ufw deny 7741/tcp

4. Administrative Access

Allow administrative access to CAS. Without this access, you cannot log in to or control the CAS GUI.

  • Only one Client (e.g. laptop, desktop, cell phone) credential may be used at a time.

    • e.g. the laptop and cell phone cannot both be connected simultaneously,

    • UNLESS they use separate (unique) sets of Client credentials.

  • Digital Ocean droplets routinely use "eth0" as the public interface name.

    • Other hosts may vary; in that case, use ip a to see all available interfaces.

    • Replace eth0 (on the relevant UFW lines below) with that name.

Secure admin rules:

  1. Set up /wiki/spaces/ESD/pages/2807791617 and

  2. Configure the firewall-integrated admin VPN:

  • Each user credential has its own VPN port; 12000:12050 permits access for 50 admin GUI users.

Alternatives:

Less secure option:

If you have a static IP on your home/office and won’t use the integrated VPN:

sudo ufw allow from ALLOWED_IP to any port 7777

  • Set ALLOWED_IP to your home/office PUBLIC IP.

    • Determine your current public IP with your browser; navigate to this website: My IP

    • In some cases the IP will change frequently, and you’ll have to update the rule each time it does.

If you use nginx as a proxy server, then change the port as follows:

sudo ufw allow from ALLOWED_IP to any port 443

Completely unprotected (strongly discouraged):

This will expose your server to attack (and there’s little reason to even use a firewall in this case):

sudo ufw allow 7777/tcp
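Once the rules above are in place, a quick way to confirm the result matches this guide (7777, 7741 and 7743 not open to Anywhere, SSH limited to ALLOWED_IP) is to audit the output of sudo ufw status numbered. The script below is an added example, not part of this guide or of the General Bytes tooling; the status text embedded in it is a constructed sample, and the protocols shown for the port ranges are assumed.

```python
import re
from typing import Dict, List

# Ports this guide says must not be open to the public once setup is done
# (the reason strings are this example's own wording, not the project's).
PUBLIC_CLOSED = {
    "7777": "insecure admin access; block once the admin VPN is enabled",
    "7741": "first-time BATM connection only; remove after the BATM has connected",
    "7743": "optional extension port; keep blocked unless needed",
}

# One numbered rule line, e.g. "[ 6] 7777/tcp   ALLOW IN   Anywhere"
RULE_RE = re.compile(
    r"^\[\s*(?P<num>\d+)\]\s+(?P<to>\S+)(?:\s+\(v6\))?\s+"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+(?P<dir>IN|OUT)\s+(?P<src>.+?)\s*$"
)

def parse_ufw_status(text: str) -> List[Dict[str, str]]:
    """Return the numbered rules of 'ufw status numbered' output as dicts."""
    matches = (RULE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def audit(text: str) -> List[str]:
    """Flag ALLOW IN rules that expose ports this guide says to keep closed."""
    findings = []
    for r in parse_ufw_status(text):
        if r["action"] != "ALLOW" or r["dir"] != "IN":
            continue
        port = r["to"].split("/")[0]              # "7777/tcp" -> "7777"
        public = r["src"].startswith("Anywhere")  # not limited to ALLOWED_IP
        if port in PUBLIC_CLOSED and public:
            findings.append(f"rule {r['num']}: {r['to']} open to {r['src']}: "
                            f"{PUBLIC_CLOSED[port]}")
        elif port == "22" and public:
            findings.append(f"rule {r['num']}: ssh open to {r['src']}: "
                            "restrict to ALLOWED_IP")
    return findings

# Constructed sample of 'sudo ufw status numbered' output; protocols assumed.
SAMPLE_STATUS = """\
Status: active
[ 1] 22/tcp                     ALLOW IN    203.0.113.10
[ 2] 7742/tcp                   ALLOW IN    Anywhere
[ 3] 13000:13010/tcp            ALLOW IN    Anywhere on eth0
[ 4] 12000:12050/tcp            ALLOW IN    Anywhere on eth0
[ 5] 7741/tcp                   ALLOW IN    Anywhere
[ 6] 7777/tcp                   ALLOW IN    Anywhere
[ 7] 7742/tcp (v6)              ALLOW IN    Anywhere (v6)
"""
```

Run audit() on the real output (e.g. the captured text of sudo ufw status numbered) and an empty list means nothing this guide wants closed is open to the public.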


These are examples using the iptables command. This option is for experts who employ a custom firewall. UFW saves its configuration, but iptables does not; you’ll have to implement your own deployment scheme. Do not use iptables (or proceed) unless you are willing to accept all the risks involved.