TySS-Dev/PacCrypt-Webapp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ae19598750fe7bfe2a1ef57a25d799fc8a60017d
PacCrypt-Webapp/SECURITY.md
T
Tyler Sammons 38d3b7e6c1 More towards the roadmap
2025-09-15 12:55:01 -10:00

7.8 KiB
Raw Blame History

PacCrypt Security Features 🔒

This document outlines the security enhancements added to PacCrypt, including setup instructions and configuration options.

🚀 New Security Features

1. Rate Limiting

  • API Endpoints: Prevents abuse with configurable rate limits
  • Default Limits:
    • /api/algorithms: 100 requests/minute
    • /api/encrypt, /api/decrypt: 30 requests/minute
    • /api/generate-keypair: 10 requests/minute
    • /api/pacshare: 10 requests/minute
    • Global default: 1000 requests/hour

2. Session Timeout

  • Admin Sessions: Automatic timeout after configurable period (default: 30 minutes)
  • Security: Sessions are cleared and require re-authentication
  • Logging: Session timeouts are logged for audit purposes

3. File Virus Scanning

  • Integration: ClamAV antivirus scanning before encryption
  • Automatic: All uploaded files are scanned
  • Logging: Scan results and virus detections are logged
  • Graceful Degradation: If ClamAV is unavailable, scanning is skipped with warning

4. IP Whitelisting

  • Admin Access: Restrict admin panel access to specific IP addresses
  • CIDR Support: Supports both single IPs and CIDR notation (e.g., 192.168.1.0/24)
  • Flexible: Empty whitelist allows all IPs (default behavior)
  • Logging: Unauthorized access attempts are logged

5. Enhanced Audit Logging

  • Encrypted Logs: All admin actions are encrypted and logged
  • Comprehensive: Login attempts, file operations, security events
  • IP Tracking: Source IP addresses are logged for security monitoring

🛠️ Installation & Setup

Prerequisites

# Update package lists
sudo apt update

# Install Python dependencies
pip install -r application_data/requirements.txt

ClamAV Setup (Required for Virus Scanning)

Ubuntu/Debian:

# Install ClamAV
sudo apt install clamav clamav-daemon

# Update virus definitions
sudo freshclam

# Start ClamAV daemon
sudo systemctl start clamav-daemon
sudo systemctl enable clamav-daemon

# Verify installation
sudo systemctl status clamav-daemon

CentOS/RHEL:

# Install EPEL repository
sudo yum install epel-release

# Install ClamAV
sudo yum install clamav clamav-server clamav-update

# Update virus definitions
sudo freshclam

# Start services
sudo systemctl start clamd@scan
sudo systemctl enable clamd@scan

Manual Configuration:

If ClamAV fails to start, you may need to configure it manually:

# Edit configuration
sudo nano /etc/clamav/clamd.conf

# Remove or comment out the "Example" line
# Example

# Set socket permissions
sudo chown clamav:clamav /var/run/clamav/clamd.ctl
sudo chmod 666 /var/run/clamav/clamd.ctl

# Restart daemon
sudo systemctl restart clamav-daemon

Testing ClamAV Integration

# Test if ClamAV is working
clamscan --version

# Test daemon connection
clamdscan --version

# Test with EICAR test file (harmless test virus)
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /tmp/eicar.txt
clamscan /tmp/eicar.txt

⚙️ Configuration

Admin Settings Panel

Access the admin settings at /admin-settings to configure:

  1. Session Timeout: Set admin session timeout (minutes)
  2. Virus Scanning: Enable/disable ClamAV scanning
  3. IP Whitelist: Configure allowed admin IP addresses
  4. File Limits: Upload size and retention settings

Manual Configuration

Edit application_data/settings.json:

{
  "upload_folder": "pacshare",
  "max_file_age_days": 14,
  "max_file_size_bytes": 26843545600,
  "admin_ip_whitelist": [
    "192.168.1.100",
    "10.0.0.0/8",
    "127.0.0.1"
  ],
  "virus_scanning_enabled": true,
  "session_timeout_minutes": 30,
  "rate_limit_per_minute": 60,
  "rate_limit_per_hour": 1000
}

IP Whitelist Examples

"admin_ip_whitelist": [
  "127.0.0.1",              // Local access only
  "192.168.1.100",          // Specific IP
  "192.168.1.0/24",         // Local network
  "10.0.0.0/8",             // Private network range
  "203.0.113.0/24"          // Public IP range
]

🔍 Security Monitoring

Log Files

  • Admin Logs: application_data/admin_logs.enc (encrypted)
  • Application Logs: Check console output for security events

Key Events Logged

  • Admin login/logout attempts
  • Session timeouts
  • IP whitelist violations
  • Virus scan results
  • File upload/download activities
  • Rate limit violations

Viewing Admin Logs

Access encrypted logs via the admin panel at /admin-logs or programmatically:

# Example: View recent security events
key = load_admin_key()
cipher = Fernet(key)
with open('application_data/admin_logs.enc', 'rb') as f:
    for line in f:
        if line.strip():
            decrypted = cipher.decrypt(line.strip())
            print(decrypted.decode())

🚨 Security Best Practices

1. Regular Updates

# Update virus definitions
sudo freshclam

# Update Python dependencies
pip install --upgrade -r application_data/requirements.txt

2. Firewall Configuration

# UFW example - restrict admin access
sudo ufw allow from 192.168.1.0/24 to any port 5000
sudo ufw deny 5000

3. HTTPS Configuration

Always use HTTPS in production. Example nginx config:

server {
    listen 443 ssl http2;
    server_name your-domain.com;

    # Rate limiting
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/m;

    location /api/ {
        limit_req zone=api burst=5 nodelay;
        proxy_pass http://127.0.0.1:5000;
    }

    location /admin {
        # Additional admin restrictions
        allow 192.168.1.0/24;
        deny all;
        proxy_pass http://127.0.0.1:5000;
    }
}

4. Regular Security Audits

  • Review admin logs regularly
  • Monitor rate limit violations
  • Check for unauthorized access attempts
  • Verify virus scan effectiveness

🐛 Troubleshooting

ClamAV Issues

# Check ClamAV status
sudo systemctl status clamav-daemon

# View ClamAV logs
sudo journalctl -u clamav-daemon

# Test socket connection
sudo -u clamav clamdscan --ping

# Manual socket creation
sudo mkdir -p /var/run/clamav
sudo chown clamav:clamav /var/run/clamav

Rate Limiting Issues

  • Check if requests are being properly limited
  • Verify Flask-Limiter configuration
  • Monitor application logs for rate limit errors

Session Timeout Issues

  • Verify session configuration in settings
  • Check if session.permanent = True is set
  • Ensure proper timezone handling

IP Whitelist Issues

  • Verify IP address format (CIDR notation)
  • Check if client IP is correctly detected
  • Consider proxy/load balancer IP forwarding

📋 Security Checklist

  • ClamAV installed and running
  • Virus definitions up to date
  • Admin IP whitelist configured
  • Session timeout configured
  • Rate limiting tested
  • HTTPS enabled in production
  • Firewall rules configured
  • Regular log monitoring set up
  • Backup procedures for encrypted logs
  • Security update schedule established

🔗 Related Documentation

⚠️ Important Security Notes:

  1. Default Configuration: By default, IP whitelisting is disabled (empty list). Configure it for production use.

  2. ClamAV Dependency: Virus scanning requires ClamAV. If not installed, scanning is skipped with warnings.

  3. Rate Limiting: Default limits are conservative. Adjust based on your usage patterns.

  4. Log Encryption: Admin logs are encrypted with the same key as admin credentials. Backup this key securely.

  5. Session Security: Sessions use Flask's built-in session management. Consider Redis for distributed deployments.

For security questions or issues, please refer to the GitHub Issues page.

Reference in New Issue View Git Blame Copy Permalink