Server Security Recommendations


#1

Hello

Are there any recommendations for hardening a Jitsi server beyond the port restrictions in the firewall?

Like, are there any WAF profiles for it or something?

Thanks and great work on this software.
Jake


#2

The only thing I have done so far is securing room creation.
I also have a reverse proxy in front of the Jitsi server so it logs all the HTTP GETs.

What I need to work on now is not starting Jitsi as root but as a simple user.


#3

Running as a non-privileged user would be a definite improvement in security.

I looked around here and on GitHub, and there doesn't seem to be any documentation for this. Could you point me in the right direction?


#4

If one uses the Debian packages, the services are started under special users ("jicofo", "jigasi", "jvb", etc.), all members of the group "jitsi", and the rights on folders and files are set accordingly. You can see for reference the JVB postinst: https://github.com/jitsi/jitsi-videobridge/blob/master/resources/install/debian/postinst

I believe Mikygee is installing on OpenBSD, hence the differences (but it’s good to do it under non-privileged users there too).

Your OP was about web application firewalls. Regarding this I can't say much, except maybe, if your firewall rules support filtering WebRTC traffic, to try allowing that. There is communication on port 443 TCP to the web server (or JVB) and 10000 UDP to JVB only. Port 80 TCP can be used for the redirect to HTTPS.

If all is installed on one machine, all other traffic is internal, to the Prosody XMPP installed on the same machine. If the platform is on multiple machines, you have to take into account the XMPP traffic – jvb, jicofo, jigasi and jibri all need to connect to XMPP, but this can be installed in the DMZ and secured, as nothing from outside needs to connect there. Only jvb has to be accessible on 10000 UDP.

I hope this helps.
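The port list and the non-root advice from the post above, turned into a small POSIX shell helper. This is an added example, not code from the thread or from the Jitsi project: `find_root_jitsi` flags Jitsi components that run as root from `ps` output, and `jitsi_nft_rules` prints an nftables input policy admitting only 80/443 TCP and 10000 UDP plus SSH from an admin network. The process-name patterns, the admin network and the sample process listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the Jitsi project).
# find_root_jitsi: reads "user args" lines (as from `ps -eo user,args --no-headers`)
#   on stdin, prints every Jitsi component running as root, returns 1 if any.
# jitsi_nft_rules: prints an nftables input policy limited to the ports above.
# Name patterns and the admin network are assumptions; adjust before use.
find_root_jitsi() {
    found=0
    while read -r user args; do
        case "$args" in
            *jitsi-videobridge*|*jicofo*|*jigasi*|*jibri*|*prosody*)
                if [ "$user" = "root" ]; then
                    echo "root: $args"
                    found=1
                fi ;;
        esac
    done
    return "$found"
}

jitsi_nft_rules() {
    # $1: CIDR allowed to reach SSH; default is a documentation range (assumed)
    admin_net="${1:-192.0.2.0/24}"
    cat <<EOF
table inet jitsi {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    ip saddr $admin_net tcp dport 22 accept
    tcp dport { 80, 443 } accept
    udp dport 10000 accept
  }
}
EOF
}

# Constructed sample listing (not real output): prosody runs as root here.
SAMPLE_PS='jvb java -jar /usr/share/jitsi-videobridge/jitsi-videobridge.jar
jicofo java -jar /usr/share/jicofo/jicofo.jar
root lua5.2 /usr/bin/prosody'

if printf '%s\n' "$SAMPLE_PS" | find_root_jitsi; then
    echo "no Jitsi component runs as root"
fi
# Live use: ps -eo user,args --no-headers | find_root_jitsi
# Apply the ruleset after reviewing it: jitsi_nft_rules 10.0.0.0/8 | nft -f -
```

On the constructed sample the check prints `root: lua5.2 /usr/bin/prosody` and exits 1; on a clean listing it prints nothing and exits 0.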


#5

I see what you mean on the user group. Thanks.

And prosody would be on the same server for simplicity. No problems there.

There is simply too little written about WAFs (ModSecurity in particular) in connection with video conferencing. Shame.