Timmy_Foundation/timmy-academy
15
0
Fork 0
Code Issues 5 Pull Requests 6 Actions Packages Projects Releases Wiki Activity
Files
d7ca9c8c83b3cefeaf197df6d3e1f56a9932f4e8
timmy-academy/docs/SECURITY.md
Alexander Whitestone d7ca9c8c83 fix: bind telnet and web client to localhost only (#9) 
Security fix: Change from 0.0.0.0 to 127.0.0.1 for both TELNET_INTERFACES
and WEBSERVER_INTERFACES. Prevents unauthorized external access.

Added docs/SECURITY.md with:
- TLS setup instructions (nginx, caddy)
- SSH tunnel for development
- Firewall rules if external access needed

Closes #9.
2026-04-15 12:36:56 -04:00

100 lines
2.3 KiB
Markdown
Raw Blame History

# Security Configuration
## Network Binding
By default, Timmy Academy binds to `127.0.0.1` (localhost only) for security.
- **Telnet**: `127.0.0.1:4000`
- **Web Client**: `127.0.0.1:4001`
This prevents unauthorized external access.
## External Access with TLS
For external access, use a reverse proxy with TLS:
### Option 1: Nginx
```nginx
# /etc/nginx/sites-available/timmy-academy
server {
listen 443 ssl;
server_name academy.timmy.foundation;
ssl_certificate /etc/letsencrypt/live/academy.timmy.foundation/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/academy.timmy.foundation/privkey.pem;
# Web client
location / {
proxy_pass http://127.0.0.1:4001;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
}
# Telnet via WebSocket (if needed)
location /telnet {
proxy_pass http://127.0.0.1:4000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# Redirect HTTP to HTTPS
server {
listen 80;
server_name academy.timmy.foundation;
return 301 https://$server$request_uri;
}
```
### Option 2: Caddy
```caddyfile
# /etc/caddy/Caddyfile
academy.timmy.foundation {
reverse_proxy localhost:4001
}
```
Caddy automatically handles TLS certificates.
## SSH Tunnel (Development)
For development access without setting up a reverse proxy:
```bash
# From your local machine
ssh -L 4000:127.0.0.1:4000 -L 4001:127.0.0.1:4001 user@server
# Then connect to localhost:4000 (telnet) or localhost:4001 (web)
```
## Firewall Rules
If you must bind to `0.0.0.0` (NOT RECOMMENDED), use firewall rules:
```bash
# UFW (Ubuntu)
sudo -S -p '' ufw allow from 10.0.0.0/8 to any port 4000
sudo -S -p '' ufw allow from 10.0.0.0/8 to any port 4001
# iptables
iptables -A INPUT -p tcp --dport 4000 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 4000 -j DROP
```
## Why This Matters
- Telnet transmits passwords in plaintext
- Web client without TLS exposes session cookies
- `0.0.0.0` binds to ALL network interfaces
- Attackers can intercept credentials on shared networks
## References
- Issue #9: [academy] Telnet and web client on 0.0.0.0 — no TLS
- Genome #678: Security audit findings
Reference in New Issue View Git Blame Copy Permalink