Deaddrop is either installed from an ISO-file or by using a VHD-file for an Azure installation.
Boot the server from the ISO-file downloaded from https://portal.sysctl.se. The installation require to set the root password, the rest is unattended.
The installation require UEFI boot and if a virtualization environment is used, Linux and Fedora could be selected for the operating system setting.
Let the installation run and login to the console after the reboot to configure the rest.
Configure the IP address in the file “/etc/NetworkManager/system-connections/enp1s0.nmconnection” with the VI text editor. The interface name “enp1s0” can be another name depending on the hardware.
Edit the ipv4 and ipv6 sections:
[ipv4]
method=manual
address=1.2.3.4/24
gateway=1.2.3.1
dns=8.8.8.8 8.8.4.4
[ipv6]
method=disabled
After the configuration the network service needs to be restarted with the command “systemctl restart network”.
Verify that the server is reachable with SSH.
The default partition may be changed depending on the installation
To see the current partition table use the command df -h
Depending on the usage, expand the /var partition. The following example will expand the partition with 100Gb
/usr/sbin/lvextend -r -L+100G /dev/mapper/root_vg-lv_var
The server needs to have a fully qualified domain name (FQDN) configured. The FQDN should reflect the subject alt name (SAN) in the certificate for the ICC and Repo server installation.
To configure hostname use the following command
/usr/bin/hostnamectl set-hostname servername.domain.tld
Create a private key and a certificate signing request and sign it by a trusted CA
Copy the private key to /opt/sysctl/deaddrop/etc/deaddrop/certs/FQDN.key
Copy the signed certificate to /opt/sysctl/deaddrop/etc/deaddrop/certs/FQDN.crt and append the issuing CAs and root CA to the same file.
Ensure the /opt/sysctl/deaddrop/etc/deaddrop//conf.d/cert.d/cert.conf match the correct path to the certificates and private key.
SSLCertificateFile /opt/sysctl/impex-server/etc/apache/certs/FQDN.crt SSLCertificateKeyFile /opt/sysctl/impex-server/etc/apache/certs/FQDN.key
The out-of-the-box configuration for deaddrop is created to focus on security where parameters are selected to be as secure as possible. The setup also allows administrators to configure some of the system and application parameter values so the system can be compliant with internal policies.
The following configuration is static but it may enhance over time, depending on new releases of the platform where new web setup options are available in the base system components, e.g. apache.
The deaddrop service and the graphical administration interface uses the HTTPS, i.e. HTTP with the TLS protocol, to protect the communication.
As per the default setup, the following cipher suites is allowed in the TLS connection to the deaddrop server:
This list is a small subset of the full set of protocol cipher suites that TLS allows. The list is trimmed to just allow the more secure variants, but also at the same time versions that are compatible with the latest versions of the web browsers.
The following variants of the TLS protocol are allowed:
Older versions of the protocol, called TLS 1, TLS 1.1, and SSL, are not allowed in the default setup.
Deaddrop use HSTS1 to enforce encrypted communications once a secure connection has been made
Deaddrop can be configured to be protected behind a proxy
Deaddrop can be configured to use HKPK (i.e. certificate pinning)
The system is configured with a local firewall which only allows inbound access to on the following ports
Port 22 is used for SSH access.
Port 80 is a redirect to port 443.
Port 8443 is used for the administrative web interface
It’s strongly recommended to block access, besides for the internal administrators access, to the following TCP/IP ports
For all firewall rules that may be needed, see the network diagram for deaddrop.
The following configuration is or should be configured
All configuration can be configured on the administrator web interface
All SMS configuration can be configured on the administrator web interface
To configure deaddrop with SAML or x509 certificates see the seperate documnetation provided by sysctl
deaddrop use a default repository for updates. If a custom repository is needed, the default repo needs to be cloned and exposed to deaddrop to allow updates. A custom repository also required ddplugin-upgrade to be installed.
To let deaddrop use a custom repository set the configuration local_repo to specify the repository file that should be used.
The local_repo configuration should use a correct repository configuration file.
When a custom repository is activated, only upgrade.service should be used to update the system to ensure correct repoistory configuration.
© Copyright sysctl Aktiebolag 2013-2024. All rights reserved
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security ↩