I wanted to start some open dialogue on what everyone is doing to harden their SimpleHelp environments from a security perspective. Has anyone used public IP ranges in “Technician Client Restrictions”?
We use the Tech IP restriction to limit initiation of sessions to our internal network. We then limit the /statuspage to a couple of monitoring servers, then also have a separate set of whitelisted IPs for the API which we use quite a lot.
In terms of general security hardening, off the top of my head we do the following:
- Redirect http to https
- Reduce the security protocols to TLSv1.2 only
- Modified the cipher set to remove weak ciphers
- Have custom HTTP headers
- Use two-factor authentication
- Have all of our authentication failures and successes sent to a log indexer.
Thanks for the reply. We haven’t messed with the custom HTTP headers.
One other thing is simple firewall rules.
We only allow 443 to connect to the server. We block all other ports.
We only allow the connection to the specified IP.
For management of the server we only allow internal IPs on a whitelist that’s turned on and off as needed.
All other services on the server are turned off unless they are needed for the box to run.
The server only runs simplehelp.
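The policy described in the post above (only 443 reachable, everything else blocked, a management whitelist that is switched on and off as needed), written out as an added example rather than the poster's own rules. It is an nftables ruleset generator in bash; the management port (22), the address values, and the use of nftables rather than whatever the poster runs are assumptions for illustration. The whitelist lives in a named set, so opening or closing management access only edits the set and never reloads the rest of the policy.

```bash
#!/usr/bin/env bash
# Added example, not the poster's own rules: an nftables policy for a box that
# runs only SimpleHelp. Inbound is dropped except 443/tcp, 443/udp and SSH from
# a management set that can be emptied or refilled on demand without touching
# the rest of the ruleset. The management port (22) and all addresses are
# ASSUMPTIONS for illustration; loopback, 443 and the drop-everything-else
# policy follow what the thread describes.
set -eu

# simplehelp_ruleset [MGMT_ADDR...]
# Prints a complete, atomically loadable ruleset (feed it to `nft -f -`).
# Any arguments become the initial management whitelist; none means "off".
simplehelp_ruleset() {
  local elements=""
  if [ $# -gt 0 ]; then
    elements="elements = { $(IFS=,; echo "$*") }"
  fi
  cat <<EOF
flush ruleset
table inet filter {
  set mgmt {
    type ipv4_addr
    flags interval
    $elements
  }
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    icmp type echo-request limit rate 5/second accept
    tcp dport 443 accept
    udp dport 443 accept
    ip saddr @mgmt tcp dport 22 accept
    counter drop
  }
  chain forward { type filter hook forward priority 0; policy drop; }
  chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

# mgmt_whitelist on ADDR... | mgmt_whitelist off
# Opens or closes the management hole at runtime by editing only the set
# (requires root and a loaded ruleset; nothing else in the policy changes).
mgmt_whitelist() {
  case "${1:-}" in
    on)  shift; nft add element inet filter mgmt "{ $(IFS=,; echo "$*") }" ;;
    off) nft flush set inet filter mgmt ;;
    *)   echo "usage: mgmt_whitelist on ADDR... | mgmt_whitelist off" >&2; return 2 ;;
  esac
}
```

Load it once with `simplehelp_ruleset 10.0.0.5 | nft -f -` (the `flush ruleset` line makes the load an atomic replace), then `mgmt_whitelist off` at the end of the maintenance window and `mgmt_whitelist on 10.0.0.5` the next time it is needed. Because the SSH rule references the set rather than a literal address, an empty set means the rule can never match, which is the "turned off" state.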
Thanks for the reply. We only allow 443 UDP/TCP. We have disabled the VNC mobile feature.
What about remote servers?
Mine is on a cheap VPS running Ubuntu 18.04 (I’m just discovering SimpleHelp at the moment).
What I’ve done so far:
- changed the SSH port to a random one, allowing only a non-sudo user to log in with SSH key + passphrase (actually I even uninstalled the sudo package)
- closed every incoming port except the random SSH one and 443 with ufw
- enabled TOTP 2FA for SimpleHelpAdmin
- enabled email-based 2FA for technicians
What I’d like to add when I actually switch to SimpleHelp:
- a fail2ban rule that bans an IP after 2 failed technician login attempts within a day (I’ll post the jail if anyone is interested once I figure it out)
- GeoIP restrictions with iptables
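Two posts above describe the same data from different ends: the earlier reply ships authentication failures and successes to a log indexer, and the post just above wants a fail2ban jail that bans an IP after 2 failed technician logins within a day. The added example below (mine, not the poster's promised jail and not SimpleHelp code) shows the threshold logic as awk over constructed log lines, so the "2 failures in a rolling 24h" rule can be checked offline, and then writes the fail2ban jail and filter that express the same policy. SimpleHelp's actual log line layout is not shown in the thread, so the format used here (epoch timestamp, event text, `user=`, `ip=`), the log path, and the failregex are assumptions and must be adjusted to the real log before use.

```bash
#!/usr/bin/env bash
# Added example, not from the thread or from SimpleHelp: the "ban an IP after
# 2 failed technician logins within a day" rule. The threshold logic is shown
# first as awk over constructed log lines so it can be checked offline, then
# as the fail2ban jail/filter that expresses the same policy. SimpleHelp's
# real log line layout is not shown in the thread; the format used here
# (epoch timestamp, event text, user=, ip=) is an ASSUMPTION for illustration.
set -eu

# Constructed sample lines in the assumed format (not real SimpleHelp output).
SAMPLE_LOG='1600000000 technician login failed user=alice ip=203.0.113.10
1600000100 technician login success user=alice ip=203.0.113.10
1600000200 technician login failed user=bob ip=198.51.100.7
1600003600 technician login failed user=bob ip=198.51.100.7
1600000300 technician login failed user=carol ip=192.0.2.44
1600090000 technician login failed user=carol ip=192.0.2.44'

# ban_candidates MAXRETRY FINDTIME < log
# Prints each IP that reaches MAXRETRY failures inside any FINDTIME-second
# window, once. A sliding window per IP mirrors fail2ban's maxretry/findtime
# semantics, so "within a day" means a rolling 24h, not a calendar day.
ban_candidates() {
  sort -n -k1,1 | awk -v maxretry="$1" -v findtime="$2" '
    $3 == "login" && $4 == "failed" {
      ip = $6; sub(/^ip=/, "", ip); ts = $1 + 0
      n[ip]++; t[ip, n[ip]] = ts
      # forget failures that fell out of the window
      while (dropped[ip] + 0 < n[ip] && t[ip, dropped[ip] + 1] < ts - findtime)
        dropped[ip]++
      if (n[ip] - dropped[ip] >= maxretry && !(ip in banned)) {
        banned[ip] = 1; print ip
      }
    }' | sort
}

# ufw_ban_commands MAXRETRY FINDTIME < log
# Turns the candidate list into ufw rules (printed, not executed, so the
# result can be reviewed before it touches the firewall).
ufw_ban_commands() {
  ban_candidates "$1" "$2" | while read -r ip; do
    printf 'ufw insert 1 deny from %s to any\n' "$ip"
  done
}

# write_fail2ban_config DIR
# Writes the equivalent jail and filter under DIR (use /etc/fail2ban for
# real use). logpath and failregex depend on the ASSUMED line format.
write_fail2ban_config() {
  mkdir -p "$1/jail.d" "$1/filter.d"
  cat > "$1/jail.d/simplehelp-technician.conf" <<'EOF'
[simplehelp-technician]
enabled   = true
port      = 443
filter    = simplehelp-technician
# ASSUMPTION: point this at the log SimpleHelp actually writes
logpath   = /opt/SimpleHelp/logs/technician.log
maxretry  = 2
findtime  = 86400
bantime   = 86400
banaction = ufw
EOF
  cat > "$1/filter.d/simplehelp-technician.conf" <<'EOF'
[Definition]
# Matches the assumed line format; <HOST> is fail2ban's placeholder for the IP.
failregex = ^\S+ technician login failed user=\S+ ip=<HOST>$
ignoreregex =
EOF
}
```

Running `printf '%s\n' "$SAMPLE_LOG" | ufw_ban_commands 2 86400` bans only bob's address: alice has one failure and a success, and carol's two failures are more than 24 hours apart, so the sliding window keeps only one of them. `maxretry = 2` with `findtime = 86400` in the jail gives fail2ban the same rule; `banaction = ufw` matches the ufw setup in the post, and the filter is the one piece that must be rewritten once the real log format is known (`fail2ban-regex <logfile> <filterfile>` is the tool for checking it).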
We are also currently kicking around securing things a bit more by only allowing connections via a VPN adapter on the server, then having technicians stay connected to the VPN through the day to be able to use the technician client.
The plan is to use WireGuard as it is cross-platform, has very small overhead, and is super fast. It is also included in the latest Ubuntu Server (20.04).
I’ve been waiting for the latest Ubuntu 20.04 to drop, but now that it’s here I have it on the short list to migrate our install to a new server and test the VPN with WireGuard. Haven’t tested yet, but once we do we will share what we did here.