PacCrypt-Webapp/SECURITY.md
2025-09-15 12:55:01 -10:00

# PacCrypt Security Features 🔒
This document outlines the security enhancements added to PacCrypt, including setup instructions and configuration options.
## 🚀 New Security Features
### 1. Rate Limiting
- **API Endpoints**: Prevents abuse with configurable, per-endpoint rate limits
- **Default Limits**:
  - `/api/algorithms`: 100 requests/minute
  - `/api/encrypt`, `/api/decrypt`: 30 requests/minute
  - `/api/generate-keypair`: 10 requests/minute
  - `/api/pacshare`: 10 requests/minute
  - Global default: 1000 requests/hour
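The limits above are applied per client and per endpoint, with the hourly global limit counted on top. As an added illustration (not the project's Flask-Limiter setup), the following sliding-window limiter implements exactly those defaults in plain Python; the endpoint table, the `(client_ip, "*")` key used for the global bucket, and the choice not to count rejected requests are assumptions of this example:

```python
# Added example, not PacCrypt's own rate limiting: a sliding-window limiter
# keyed by (client IP, endpoint) that enforces the documented per-endpoint
# limits together with the global hourly default.
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

# (max requests, window in seconds) per endpoint, taken from the defaults above
ENDPOINT_LIMITS: Dict[str, Tuple[int, int]] = {
    "/api/algorithms": (100, 60),
    "/api/encrypt": (30, 60),
    "/api/decrypt": (30, 60),
    "/api/generate-keypair": (10, 60),
    "/api/pacshare": (10, 60),
}
GLOBAL_LIMIT: Tuple[int, int] = (1000, 3600)   # applies to every request from a client


class SlidingWindowLimiter:
    def __init__(self, endpoint_limits: Dict[str, Tuple[int, int]] = ENDPOINT_LIMITS,
                 global_limit: Tuple[int, int] = GLOBAL_LIMIT) -> None:
        self.endpoint_limits = endpoint_limits
        self.global_limit = global_limit
        # one timestamp log per (client, endpoint); "*" is the global bucket (assumed key)
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    @staticmethod
    def _count(window: Deque[float], now: float, seconds: int) -> int:
        # drop timestamps that have fallen out of the window, then count the rest
        while window and window[0] <= now - seconds:
            window.popleft()
        return len(window)

    def allow(self, client_ip: str, endpoint: str, now: float) -> bool:
        """Return True and record the hit only if every applicable limit has
        room. Rejected requests are not recorded, so a client that is already
        limited cannot keep extending its own lockout by retrying."""
        checks = [((client_ip, "*"), self.global_limit)]
        if endpoint in self.endpoint_limits:
            checks.append(((client_ip, endpoint), self.endpoint_limits[endpoint]))
        for key, (limit, seconds) in checks:
            if self._count(self._hits[key], now, seconds) >= limit:
                return False
        for key, _ in checks:
            self._hits[key].append(now)
        return True
```

`now` is passed in explicitly so the behaviour can be tested without sleeping; in a request handler you would pass `time.monotonic()` and key on the client address the app trusts (see the IP whitelist notes below on proxies).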
### 2. Session Timeout
- **Admin Sessions**: Automatic timeout after configurable period (default: 30 minutes)
- **Security**: Sessions are cleared and require re-authentication
- **Logging**: Session timeouts are logged for audit purposes
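The timeout is an idle timeout: every admin request checks the time since the last activity and, when it has exceeded the configured limit, clears the session so the admin must log in again. The following is an added example of that check written against a plain dict (the shape Flask's `session` exposes); it is not PacCrypt's own code, and the `admin_last_seen` and `admin_authenticated` keys are names assumed for the example. The timestamp is kept as a timezone-aware UTC string, which is the simplest way to avoid the timezone problems mentioned under Troubleshooting:

```python
# Added example, not PacCrypt's own session handling: idle-timeout check for
# an admin session stored in a dict, using timezone-aware UTC timestamps.
from datetime import datetime, timedelta, timezone
from typing import Optional

LAST_SEEN_KEY = "admin_last_seen"     # assumed key name, not from the project
AUTH_KEY = "admin_authenticated"      # assumed key name, not from the project
DEFAULT_TIMEOUT_MINUTES = 30          # the documented default


def touch_session(session: dict, now: Optional[datetime] = None) -> None:
    """Record the current UTC time as the session's last activity."""
    now = now or datetime.now(timezone.utc)
    session[LAST_SEEN_KEY] = now.isoformat()


def session_expired(session: dict, timeout_minutes: int = DEFAULT_TIMEOUT_MINUTES,
                    now: Optional[datetime] = None) -> bool:
    """True when the session has no timestamp, an unparsable or naive one, or
    has been idle longer than timeout_minutes. Every doubtful case expires."""
    now = now or datetime.now(timezone.utc)
    raw = session.get(LAST_SEEN_KEY)
    if not isinstance(raw, str):
        return True
    try:
        last_seen = datetime.fromisoformat(raw)
    except ValueError:
        return True
    if last_seen.tzinfo is None:
        # a naive timestamp could be local time or UTC; refuse to guess
        return True
    return now - last_seen > timedelta(minutes=timeout_minutes)


def enforce_admin_timeout(session: dict, timeout_minutes: int = DEFAULT_TIMEOUT_MINUTES,
                          now: Optional[datetime] = None) -> bool:
    """Run on every admin request. Returns True if the request may proceed.
    On timeout the whole session is cleared, forcing re-authentication;
    on success the timestamp is refreshed (sliding idle timeout)."""
    if not session.get(AUTH_KEY):
        return False
    if session_expired(session, timeout_minutes, now):
        session.clear()
        return False
    touch_session(session, now)
    return True
```

In Flask, `enforce_admin_timeout(session)` would run in a `before_request` hook for the admin routes, with `session.permanent = True` and `PERMANENT_SESSION_LIFETIME` set to the same value so the signed cookie itself also expires.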
### 3. File Virus Scanning
- **Integration**: ClamAV antivirus scanning before encryption
- **Automatic**: All uploaded files are scanned
- **Logging**: Scan results and virus detections are logged
- **Graceful Degradation**: If ClamAV is unavailable, scanning is skipped and a warning is logged. Note that this is fail-open: files are still accepted unscanned, so alert on that warning and keep the daemon running in production
### 4. IP Whitelisting
- **Admin Access**: Restrict admin panel access to specific IP addresses
- **CIDR Support**: Supports both single IPs and CIDR notation (e.g., `192.168.1.0/24`)
- **Flexible**: Empty whitelist allows all IPs (default behavior)
- **Logging**: Unauthorized access attempts are logged
### 5. Enhanced Audit Logging
- **Encrypted Logs**: All admin actions are written to an encrypted log file
- **Comprehensive**: Login attempts, file operations, security events
- **IP Tracking**: Source IP addresses are logged for security monitoring
## 🛠️ Installation & Setup
### Prerequisites
```bash
# Update package lists
sudo apt update
# Install Python dependencies
pip install -r application_data/requirements.txt
```
### ClamAV Setup (Required for Virus Scanning)
#### Ubuntu/Debian:
```bash
# Install ClamAV
sudo apt install clamav clamav-daemon
# Update virus definitions
sudo freshclam
# Start ClamAV daemon
sudo systemctl start clamav-daemon
sudo systemctl enable clamav-daemon
# Verify installation
sudo systemctl status clamav-daemon
```
#### CentOS/RHEL:
```bash
# Install EPEL repository
sudo yum install epel-release
# Install ClamAV
sudo yum install clamav clamav-server clamav-update
# Update virus definitions
sudo freshclam
# Start services
sudo systemctl start clamd@scan
sudo systemctl enable clamd@scan
```
#### Manual Configuration:
If ClamAV fails to start, you may need to configure it manually:
```bash
# Edit configuration
sudo nano /etc/clamav/clamd.conf
# 1. Remove or comment out the placeholder "Example" line (on distributions that ship it)
# 2. Make sure the local socket is enabled and group-accessible, not world-writable:
#      LocalSocket /var/run/clamav/clamd.ctl
#      LocalSocketGroup clamav
#      LocalSocketMode 660
# Let the user the web app runs as reach the socket through the clamav group
# (replace <app-user>; the new group applies at that user's next login)
sudo usermod -aG clamav <app-user>
# Restart daemon
sudo systemctl restart clamav-daemon
```
### Testing ClamAV Integration
```bash
# Test if ClamAV is installed
clamscan --version
# Test the daemon: clamdscan talks to clamd over its socket, clamscan does not
clamdscan --version
# Test detection with the EICAR test file (a harmless test string, not malware).
# Use clamdscan so the running daemon is exercised; --fdpass hands the open file
# to clamd so it does not need its own read permission on /tmp/eicar.txt
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /tmp/eicar.txt
clamdscan --fdpass /tmp/eicar.txt
# Expect a "... FOUND" line and exit status 1; exit 0 means nothing was detected
# and exit 2 means clamdscan could not reach the daemon
echo "exit status: $?"
rm /tmp/eicar.txt
```
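The application talks to the same daemon the test above exercises. To show what that exchange looks like, and how the "ClamAV unavailable" case from section 3 turns into an accept/reject decision, here is an added example of a minimal clamd client; it is not PacCrypt's scanning code. It assumes the Debian socket path and uses clamd's INSTREAM command: the command name, each chunk as a 4-byte big-endian length followed by the bytes, a zero-length chunk to finish, and a NUL-terminated reply such as `stream: OK` or `stream: <signature> FOUND`. The `fail_open` flag is this example's name for the behaviour the page describes as "skipped with warning":

```python
# Added example, not PacCrypt's own scanning code: a minimal clamd INSTREAM
# client plus the accept/reject policy for an unreachable scanner.
import socket
import struct
from dataclasses import dataclass
from typing import Iterator

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"   # Debian/Ubuntu default; assumed here
CHUNK_SIZE = 64 * 1024


@dataclass(frozen=True)
class ScanResult:
    status: str        # "clean", "infected", "error" or "unavailable"
    detail: str = ""   # signature name or error text


def instream_frames(data: bytes, chunk_size: int = CHUNK_SIZE) -> Iterator[bytes]:
    """Wire frames of an INSTREAM request: the command (the 'z' prefix asks for
    NUL-terminated replies), each chunk as 4-byte big-endian length + bytes,
    then a zero-length chunk as the terminator."""
    yield b"zINSTREAM\0"
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        yield struct.pack(">I", len(chunk)) + chunk
    yield struct.pack(">I", 0)


def parse_clamd_reply(reply: bytes) -> ScanResult:
    """Interpret replies such as b'stream: OK\\0',
    b'stream: Win.Test.EICAR_HDB-1 FOUND\\0' or
    b'INSTREAM size limit exceeded. ERROR\\0' (the StreamMaxLength case)."""
    text = reply.rstrip(b"\0").decode("utf-8", "replace").strip()
    if text.endswith(" OK"):
        return ScanResult("clean")
    if text.endswith(" FOUND"):
        signature = text[:-len(" FOUND")].split(": ", 1)[-1]
        return ScanResult("infected", signature)
    if text.endswith(" ERROR"):
        return ScanResult("error", text[:-len(" ERROR")].split(": ", 1)[-1])
    return ScanResult("error", text or "empty reply")


def scan_bytes(data: bytes, socket_path: str = CLAMD_SOCKET,
               timeout: float = 30.0) -> ScanResult:
    """Stream data to clamd and return its verdict. Socket failures become
    'unavailable' instead of exceptions, so the caller has to choose
    fail-open or fail-closed explicitly."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect(socket_path)
            for frame in instream_frames(data):
                sock.sendall(frame)
            reply = b""
            while not reply.endswith(b"\0"):
                part = sock.recv(4096)
                if not part:
                    break
                reply += part
    except OSError as exc:
        return ScanResult("unavailable", str(exc))
    return parse_clamd_reply(reply)


def accept_upload(result: ScanResult, fail_open: bool) -> bool:
    """Upload policy: infected or errored scans never pass. An unavailable
    scanner passes only when fail_open is True (the documented default,
    'skipped with warning'); pass False to fail closed instead."""
    if result.status == "clean":
        return True
    if result.status == "unavailable":
        return fail_open
    return False
```

With the daemon running, `scan_bytes(open('/tmp/eicar.txt', 'rb').read())` on the EICAR file created above returns an `infected` result carrying the signature name; with the daemon stopped it returns `unavailable`, and only `accept_upload(..., fail_open=True)` lets that file through.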
## ⚙️ Configuration
### Admin Settings Panel
Access the admin settings at `/admin-settings` to configure:
1. **Session Timeout**: Set admin session timeout (minutes)
2. **Virus Scanning**: Enable/disable ClamAV scanning
3. **IP Whitelist**: Configure allowed admin IP addresses
4. **File Limits**: Upload size and retention settings
### Manual Configuration
Edit `application_data/settings.json`:
```json
{
  "upload_folder": "pacshare",
  "max_file_age_days": 14,
  "max_file_size_bytes": 26843545600,
  "admin_ip_whitelist": [
    "192.168.1.100",
    "10.0.0.0/8",
    "127.0.0.1"
  ],
  "virus_scanning_enabled": true,
  "session_timeout_minutes": 30,
  "rate_limit_per_minute": 60,
  "rate_limit_per_hour": 1000
}
```
### IP Whitelist Examples
The `//` comments below are explanatory only; strict JSON does not allow them, so leave them out of `settings.json`.
```json
"admin_ip_whitelist": [
  "127.0.0.1",        // Local access only
  "192.168.1.100",    // Specific IP
  "192.168.1.0/24",   // Local network
  "10.0.0.0/8",       // Private network range
  "203.0.113.0/24"    // Public IP range
]
```
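The check behind this list is small but has two traps: which address counts as "the client" when a proxy sits in front of the app, and what happens when the list is non-empty but contains only typos. The following added example (not PacCrypt's own code) implements the documented semantics with Python's `ipaddress` module, an empty list allowing everyone, entries being either single addresses or CIDR blocks; the logger name, the decision to fail closed when no entry parses, and the `trusted_proxies` hop count are assumptions of the example:

```python
# Added example, not PacCrypt's own code: admin IP allow-list check with
# CIDR support and proxy-aware client address extraction.
import ipaddress
import logging
from typing import Iterable, List, Optional, Union

log = logging.getLogger("paccrypt.admin")   # assumed logger name

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_whitelist(entries: Iterable[str]) -> List[Network]:
    """Turn strings like '127.0.0.1' or '10.0.0.0/8' into network objects.
    Malformed entries are logged and skipped."""
    networks: List[Network] = []
    for raw in entries:
        raw = raw.strip()
        if not raw:
            continue
        try:
            # strict=False also accepts host bits set, e.g. '192.168.1.1/24'
            networks.append(ipaddress.ip_network(raw, strict=False))
        except ValueError:
            log.warning("ignoring invalid admin_ip_whitelist entry %r", raw)
    return networks


def is_admin_ip_allowed(client_ip: str, whitelist: Iterable[str]) -> bool:
    entries = [e for e in whitelist if e.strip()]
    if not entries:
        return True                      # documented default: empty list allows all
    networks = parse_whitelist(entries)
    if not networks:
        # entries were configured but none parsed: fail closed, not silently open
        log.error("admin_ip_whitelist has no valid entries; denying admin access")
        return False
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        log.warning("rejecting unparsable client address %r", client_ip)
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped          # '::ffff:192.0.2.1' from a dual-stack socket
    allowed = any(addr in net for net in networks)
    if not allowed:
        log.warning("admin access denied for %s: not in whitelist", addr)
    return allowed


def client_ip_from_request(remote_addr: str, x_forwarded_for: Optional[str],
                           trusted_proxies: int = 0) -> str:
    """Decide which address is the client. With trusted_proxies == 0 the
    X-Forwarded-For header is ignored entirely (the client can set it).
    With N trusted proxies, take the Nth address from the right: each proxy
    appends the peer it saw, so that entry is the first address a trusted
    hop actually observed."""
    if trusted_proxies <= 0 or not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    if len(hops) < trusted_proxies:
        return remote_addr
    return hops[-trusted_proxies]
```

In the app the whitelist check would run as `is_admin_ip_allowed(client_ip_from_request(request.remote_addr, request.headers.get("X-Forwarded-For"), trusted_proxies=1), settings["admin_ip_whitelist"])` for a deployment with one nginx in front, and with `trusted_proxies=0` when Flask is reached directly.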
## 🔍 Security Monitoring
### Log Files
- **Admin Logs**: `application_data/admin_logs.enc` (encrypted)
- **Application Logs**: Check console output for security events
### Key Events Logged
- Admin login/logout attempts
- Session timeouts
- IP whitelist violations
- Virus scan results
- File upload/download activities
- Rate limit violations
### Viewing Admin Logs
Access encrypted logs via the admin panel at `/admin-logs` or programmatically (the file holds one Fernet token per line; a line that fails to decrypt means the wrong key or a tampered entry):
```python
# Example: View recent security events
from cryptography.fernet import Fernet, InvalidToken

key = load_admin_key()   # the app's helper returning the key shared with the admin credentials
cipher = Fernet(key)
with open('application_data/admin_logs.enc', 'rb') as f:
    for line in f:
        token = line.strip()
        if not token:
            continue
        try:
            print(cipher.decrypt(token).decode())
        except InvalidToken:
            print('!! undecryptable entry (wrong key or tampered line)')
```
## 🚨 Security Best Practices
### 1. Regular Updates
```bash
# Update virus definitions
sudo freshclam
# Update Python dependencies
pip install --upgrade -r application_data/requirements.txt
```
### 2. Firewall Configuration
These rules gate the whole Flask port, not just the admin panel, and their order matters: UFW evaluates rules in sequence and the first match wins, so the allow must come before the deny. If nginx fronts the app (next section), bind Flask to 127.0.0.1 instead and open only 443.
```bash
# UFW example - allow the app port from one network only, deny everyone else
sudo ufw allow from 192.168.1.0/24 to any port 5000
sudo ufw deny 5000
```
### 3. HTTPS Configuration
Always use HTTPS in production. Example nginx config (replace the certificate paths with your own; note that `limit_req_zone` must live in the `http` context, not inside `server`, and that the proxy's 10 requests/minute is stricter than the app's own `/api/encrypt` limit, so it becomes the effective one):
```nginx
# http {} context
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/m;

server {
    listen 443 ssl http2;
    server_name your-domain.com;
    ssl_certificate     /etc/ssl/certs/your-domain.pem;
    ssl_certificate_key /etc/ssl/private/your-domain.key;

    # Pass the real client address and scheme so the app's IP whitelist
    # and audit logs see the user, not 127.0.0.1
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

    location /api/ {
        limit_req zone=api burst=5 nodelay;
        proxy_pass http://127.0.0.1:5000;
    }
    location /admin {
        # Additional admin restrictions; this prefix match also covers
        # /admin-settings and /admin-logs
        allow 192.168.1.0/24;
        deny all;
        proxy_pass http://127.0.0.1:5000;
    }
}
```
### 4. Regular Security Audits
- Review admin logs regularly
- Monitor rate limit violations
- Check for unauthorized access attempts
- Verify virus scan effectiveness
## 🐛 Troubleshooting
### ClamAV Issues
```bash
# Check ClamAV status
sudo systemctl status clamav-daemon
# View ClamAV logs
sudo journalctl -u clamav-daemon
# Test socket connection
sudo -u clamav clamdscan --ping
# Manual socket creation
sudo mkdir -p /var/run/clamav
sudo chown clamav:clamav /var/run/clamav
```
### Rate Limiting Issues
- Check if requests are being properly limited
- Verify Flask-Limiter configuration
- Monitor application logs for rate limit errors
### Session Timeout Issues
- Verify session configuration in settings
- Check if `session.permanent = True` is set
- Ensure proper timezone handling
### IP Whitelist Issues
- Verify IP address format (single address or CIDR notation)
- Check which address the app actually sees as the client: behind nginx or a load balancer, `remote_addr` is the proxy, not the user
- Trust `X-Forwarded-For` only for a fixed number of known proxy hops (for example Werkzeug's `ProxyFix(app.wsgi_app, x_for=1)` for one nginx in front). Clients can set that header themselves, so trusting it unconditionally lets anyone claim a whitelisted address
## 📋 Security Checklist
- [ ] ClamAV installed and running
- [ ] Virus definitions up to date
- [ ] Admin IP whitelist configured
- [ ] Session timeout configured
- [ ] Rate limiting tested
- [ ] HTTPS enabled in production
- [ ] Firewall rules configured
- [ ] Regular log monitoring set up
- [ ] Backup procedures for encrypted logs
- [ ] Security update schedule established
## 🔗 Related Documentation
- [Main README](README.md) - General installation and usage
- [API Documentation](API.md) - API endpoint details
- [Roadmap](ROADMAP.md) - Future security enhancements
---
**⚠️ Important Security Notes:**
1. **Default Configuration**: By default, IP whitelisting is disabled (empty list). Configure it for production use.
2. **ClamAV Dependency**: Virus scanning requires ClamAV. If not installed, scanning is skipped with warnings.
3. **Rate Limiting**: Default limits are conservative. Adjust based on your usage patterns.
4. **Log Encryption**: Admin logs are encrypted with the same key as admin credentials. Backup this key securely.
5. **Session Security**: Sessions use Flask's built-in session management. Consider Redis for distributed deployments.
For security questions or issues, please refer to the GitHub Issues page.