docs: refactor and update security (#1944)

Refactors the secrurity documentation to be up-to-date and conform to our style guidelines. Additionally went over each part and reworded things that needed it.
pull/2051/head
James Elliott 2021-06-01 14:11:33 +10:00 committed by GitHub
parent cef35fadcd
commit 6b3246a6d3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 256 additions and 169 deletions

View File

@ -1,22 +1,22 @@
# Security # Security
Authelia takes security very seriously. We follow the rule of Authelia takes security very seriously. We follow the rule of
[responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as
encourage the community to as well. well instead of making the vulnerability public. This allows time for the security issue to be patched quickly.
If you discover a vulnerability in Authelia, please first contact one of the maintainers privately If you discover a vulnerability in Authelia, please first contact one of the maintainers privately either via
either via [Matrix](#matrix) or [email](#email) as described in the [contact options](#contact-options) below. [Matrix](#matrix), [Discord](#discord), or [email](#email) as described in the [contact options](#contact-options)
below. We urge you not to disclose the bug publicly at least until we've had a chance to fix it.
For details about security measures implemented in Authelia, please follow For more information about [security](https://www.authelia.com/docs/security/) related matters, please read
this [link](https://www.authelia.com/docs/security/measures.html) and for reading about [the documentation](https://www.authelia.com/docs/security/).
the threat model follow this [link](https://www.authelia.com/docs/security/threat-model.html).
## Contact Options ## Contact Options
### Matrix ### Matrix
Join the [Matrix Room](https://riot.im/app/#/room/#authelia:matrix.org) and locate one of the maintainers. Join the [Matrix Room](https://riot.im/app/#/room/#authelia:matrix.org) and locate one of the maintainers.
You can identify them as they are the room administrators. Alternatively you can just ask for one of the You can identify them as they are the room administrators. Alternatively you can just ask in the channel for one of the
maintainers. Once you've made contact we ask you privately message the maintainer to communicate the vulnerability. maintainers. Once you've made contact we ask you privately message the maintainer to communicate the vulnerability.
### Discord ### Discord
@ -29,5 +29,21 @@ and contact a maintainer.
You can contact any of the maintainers for security vulnerability related issues by emailing You can contact any of the maintainers for security vulnerability related issues by emailing
[security@authelia.com](mailto:security@authelia.com). This email is strictly reserved for security and vulnerability [security@authelia.com](mailto:security@authelia.com). This email is strictly reserved for security and vulnerability
disclosure related matters. If you need to contact us for another reason please use [Matrix](#matrix) or disclosure related matters. If you need to contact us for any other reason please use
[team@authelia.com](mailto:team@authelia.com). [team@authelia.com](mailto:team@authelia.com) or another [contact option](#contact-options).
## Credit
Users who report bugs will optionally be creditted for the discovery. Both in the
[security advisory](https://github.com/authelia/authelia/security/advisories) and in our all contributors configuration.
## Process
1. User privately reports a potential vulnerability.
2. The maintainers review the report and ascertain if additional information is required.
3. The maintainers reproduce the bug.
4. The bug is patched, and if possible the user reporting te bug is given access to a fixed version or git patch.
5. The fix is confirmed to resolve the vulnerability.
6. The fix is released.
7. The [security advisory](https://github.com/authelia/authelia/security/advisories) is published sometime after users
have had a chance to update.

View File

@ -7,28 +7,14 @@ has_children: true
# Security # Security
Authelia takes security very seriously. We follow the rule of Authelia takes security very seriously. We follow the rule of
[responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we encourage the community to as
encourage the community to as well. well.
If you discover a vulnerability in Authelia, please first contact one of the maintainers privately ***Important:*** Please see our [security policy](https://github.com/authelia/authelia/security/policy) if you discover
either via [Matrix](#matrix) or [email](#email) as described in the [contact options](#contact-options) below. a security vulnerability. Our [security policy](https://github.com/authelia/authelia/security/policy) has several
methods of contact and more details about the processes we follow.
For details about security measures implemented in Authelia, please follow For details about security measures implemented in Authelia, please follow this
this [link](https://www.authelia.com/docs/security/measures.html) and for reading about [link](https://www.authelia.com/docs/security/measures.html) and for reading about the threat model follow this
the threat model follow this [link](https://www.authelia.com/docs/security/threat-model.html). [link](https://www.authelia.com/docs/security/threat-model.html).
## Contact Options
### Matrix
Join the [Matrix Room](https://riot.im/app/#/room/#authelia:matrix.org) and locate one of the maintainers.
You can identify them as they are the room administrators. Alternatively you can just ask for one of the
maintainers. Once you've made contact we ask you privately message the maintainer to communicate the vulnerability.
### Email
You can contact any of the maintainers for security vulnerability related issues by emailing
[security@authelia.com](mailto:security@authelia.com). This email is strictly reserved for security and vulnerability
disclosure related matters. If you need to contact us for another reason please use [Matrix](#matrix) or
[team@authelia.com](mailto:security@authelia.com).

View File

@ -19,132 +19,148 @@ Read about these attributes in detail on the
## Protection against multi-domain cookie attacks ## Protection against multi-domain cookie attacks
Since Authelia uses multi-domain cookies to perform single sign-on, an Since Authelia uses multi-domain cookies to perform single sign-on, an attacker who poisoned a user's DNS cache can
attacker who poisoned a user's DNS cache can easily retrieve the user's easily retrieve the user's cookies by making the user send a request to one of the attacker's IPs.
cookies by making the user send a request to one of the attacker's IPs.
To mitigate this risk, it's advisable to only use HTTPS connections with valid This is technically mitigated by the `Secure` attribute set in cookies by Authelia, however it's still advisable to
certificates and enforce it with HTTP Strict Transport Security ([HSTS]) so only use HTTPS connections with valid certificates and enforce it with HTTP Strict Transport Security ([HSTS]) which
that the attacker must also require the certificate to retrieve the cookies. will prevent domains from serving over HTTP at all as long as the user has visited the domain before. This means even
if the attacker poisons DNS they are unable to get modern browsers to connect to a compromised host unless they can also
obtain the certificate.
Note that using [HSTS] has consequences. That's why you should read the blog Note that using [HSTS] has consequences. That's why you should read the blog post nginx has written on [HSTS].
post nginx has written on [HSTS].
## Protection against username enumeration ## Protection against username enumeration
Authelia adaptively delays authentication attempts based on the mean (average) of the Authelia adaptively delays authentication attempts based on the mean (average) of the previous 10 successful attempts
previous 10 successful attempts, and a small random interval to make it even harder to in addition to a small random interval of time. The result of this delay is that it makes it incredibly difficult to
determine if the attempt was successful. On start it is assumed that the last 10 attempts determine if the unsuccessful login was the result of a bad password, a bad username, or both. The random interval of
took 1000ms, this quickly grows or shrinks to the correct value over time regardless of the time is anything between 0 milliseconds and 85 milliseconds.
authentication backend.
The cost of this is low since in the instance of a user not existing it just sleeps to delay When Authelia first starts it assumes the last 10 attempts took 1000 milliseconds each. As users login successfully it
the login. Lastly the absolute minimum time authentication can take is 250ms. Both of these measures quickly adjusts to the actual time the login attempts take. This process is independent of the login backend you have
also have the added effect of creating an additional delay for all authentication attempts reducing configured.
the likelihood a password can be brute-forced even if regulation settings are too permissive.
The cost of this is low since in the instance of a user not existing it just stops processing the request to delay the
login. Lastly the absolute minimum time authentication can take is 250 milliseconds. Both of these measures also have
the added effect of creating an additional delay for all authentication attempts increasing the time that a brute-force
attack will take, this combined with regulation greatly delays brute-force attacks and the effectiveness of them in
general.
## Protections against password cracking (File authentication provider) ## Protections against password cracking (File authentication provider)
Authelia implements a variety of measures to prevent an attacker cracking passwords if they Authelia implements a variety of measures to prevent an attacker cracking passwords if they somehow obtain the file used
somehow obtain the file used by the file authentication provider, this is unrelated to LDAP auth. by the file authentication provider, this is unrelated to LDAP auth.
First and foremost Authelia only uses very secure hashing algorithms with sane and secure defaults. First and foremost Authelia only uses very secure hashing algorithms with sane and secure defaults. The first and
The first and default hashing algorithm we use is Argon2id which is currently considered default hashing algorithm we use is Argon2id which is currently considered the most secure hashing algorithm. We also
the most secure hashing algorithm. We also support SHA512, which previously was the default. support SHA512, which previously was the default.
Secondly Authelia uses salting with all hashing algorithms. These salts are generated with a random Secondly Authelia uses salting with all hashing algorithms. These salts are generated with a random string generator,
string generator, which is seeded every time it's used by a cryptographically secure 1024bit prime number. which is seeded every time it's used by a cryptographically secure 1024bit prime number. This ensures that even if an
This ensures that even if an attacker obtains the file, each password has to be brute forced individually. attacker obtains the file, each password has to be brute forced individually.
Lastly Authelia's implementation of Argon2id is highly tunable. You can tune the key length, salt Lastly Authelia's implementation of Argon2id is highly tunable. You can tune the key length, salt used, iterations
used, iterations (time), parallelism, and memory usage. To read more about this please read how to (time), parallelism, and memory usage. To read more about this please read how to
[configure](../configuration/authentication/file.md) file authentication. [configure](../configuration/authentication/file.md) file authentication.
## User profile and group membership always kept up-to-date (LDAP authentication provider) ## User profile and group membership always kept up-to-date (LDAP authentication provider)
Authelia by default refreshes the user's profile and membership every 5 minutes. Additionally, it This measure is unrelated to the File authentication provider.
will invalidate any session where the user could not be retrieved from LDAP based on the user filter, for
example if they were deleted or disabled provided the user filter is set correctly. These updates occur when
a user accesses a resource protected by Authelia.
These protections can be [tuned](../configuration/authentication/ldap.md) according to your security policy Authelia by default refreshes the user's profile and membership every 5 minutes. This ensures that if you alter a users
by changing refresh_interval, however we believe that 5 minutes is a fairly safe interval. groups in LDAP that their new groups are obtained relatively quickly in order to adjust their access level for
applications secured by Authelia.
Additionally, it will invalidate any session where the user could not be retrieved from LDAP based on the user filter,
for example if they were deleted or disabled provided the user filter is set correctly. These updates occur when a user
accesses a resource protected by Authelia. This means you should ensure disabled users or users with expired passwords
are not obtainable using the LDAP filter, the default filter for Active Directory implements this behaviour.
LDAP implementations vary, so please ask if you need some assistance in configuring this.
These protections can be [tuned](../configuration/authentication/ldap.md#refresh-interval) according to your security
policy by changing refresh_interval, however we believe that 5 minutes is a fairly safe interval.
## Notifier security measures (SMTP) ## Notifier security measures (SMTP)
By default the SMTP Notifier implementation does not allow connections that are not secure. The SMTP Notifier implementation does not allow connections that are not secure without changing default configuration
As such all connections require the following: values.
As such all SMTP connections require the following:
1. TLS Connection (STARTTLS or SMTPS) has been negotiated before authentication or sending emails (unauthenticated 1. TLS Connection (STARTTLS or SMTPS) has been negotiated before authentication or sending emails (unauthenticated
connections require it as well) connections require it as well)
2. Valid X509 Certificate presented to the client during the TLS handshake 2. Valid X509 Certificate presented to the client during the TLS handshake
There is an option to disable both of these security measures however they are There is an option to disable both of these security measures however they are **not recommended**.
not recommended. You should only do this in a situation where you control all
networks between Authelia and the SMTP server. The following configuration options
exist to configure the security level:
### SMTPS vs STARTTLS The following configuration options exist to configure the security level in order of most preferable to least
preferable:
By default all connections start as plain text and are upgraded via STARTTLS. SMTPS is supported, however due to the ### Configuration Option: certificates_directory
fact it was basically considered deprecated before the turn of the century, there is no way to configure it. It happens
automatically when a SMTP notifier is configured with the SMTPS port of 465.
### Configuration Option: disable_verify_cert You can [configure a directory](../configuration/miscellaneous.md#certificates_directory) of certificates for Authelia
to trust. These certificates can either be CA's or individual public certificates that should be trusted. These
are added in addition to the environments PKI trusted certificates if available. This is useful for trusting a
certificate that is self-signed without drastically reducing security. This is the most recommended workaround to not
having a valid PKI trusted certificate as it gives you complete control over which ones are trusted without disabling
critically needed validation of the identity of the target service.
This is a YAML boolean type (true/false, y/n, 1/0, etc). This disables the X509 PKI Read more in the [documentation](../configuration/miscellaneous.md#certificates_directory) for this option.
verification mechanism. We recommend using the trusted_cert option over this, as
disabling this security feature makes you vulnerable to MITM attacks. ### Configuration Option: tls.skip_verify
The [tls.skip_verify](../configuration/notifier/smtp.md#tls) option allows you to skip verifying the certificate
entirely which is why [certificates_directory](#configuration-option-certificates_directory) is preferred over this.
This will effectively mean you cannot be sure the certificate is valid which means an attacker via DNS poisoning or MITM
attacks could intercept emails from Authelia compromising a user's security without their knowledge.
### Configuration Option: disable_require_tls ### Configuration Option: disable_require_tls
This is a YAML boolean type (true/false, y/n, 1/0, etc). This disables the Authelia by default ensures that the SMTP server connection is secured via STARTTLS or SMTPS prior to sending sensitive
requirement that all connections must be over TLS. This is only usable currently information. The [disable_require_tls](../configuration/notifier/smtp.md#disable_require_tls) disables this requirement
with authentication disabled (comment the password) and as such is only an which means the emails are sent in plain text. This is the least secure option as it effectively removes the validation
option for SMTP servers that allow unauthenticated relay (bad practice). of SMTP certificates and removes the encryption offered by the STARTTLS/SMTPS connection all together.
### Configuration Option: trusted_cert This means not only can the vulnerabilities of the [skip_verify](#configuration-option-tlsskip_verify) option be
exploited, but any router or switch along the route of the email which receives the packets could be used to silently
exploit the plain text nature of the email. This is only usable currently with authentication disabled (comment out the
password) and as such is only an option for SMTP servers that allow unauthenticated relay (bad practice).
This is a YAML string type. This specifies the file location of a pub certificate ### SMTPS vs STARTTLS
that can be used to validate the authenticity of a server with a self signed
certificate. This can either be the public cert of the certificate authority
used to sign the certificate or the public key itself. They must be in the PEM
format. The certificate is added in addition to the certificates trusted by the
host machine. If the certificate is invalid, inaccessible, or is otherwise not
configured; Authelia just uses the hosts certificates.
### Explanation All connections start as plain text and are upgraded via STARTTLS. SMTPS is an exception to this rule where the
There are a few reasons for the security measures implemented: connection is over TLS. As SMTPS is deprecated, the only way to configure this is to set the SMTP
1. Transmitting username's and passwords over plain-text is an obvious vulnerability [port](../configuration/notifier/smtp.md#port) to the officially recognized SMTPS port of 465 which will cause Authelia
2. The emails generated by Authelia, if transmitted in plain-text could allow to automatically consider it to be a SMTPS connection. As such your SMTP server, if not offering SMTPS, should not be
an attacker to intercept a link used to setup 2FA; which reduces security listening on port 465 which is bad practice anyway.
3. Not validating the identity of the server allows man-in-the-middle attacks
## Additional security ## Additional security
### Reset Password ### Reset Password
It's possible to disable the reset password functionality and is recommended for anyone It's possible to disable the reset password functionality and is an optional adjustment to consider for anyone wanting
wanting to increase security. See the [configuration](../configuration/authentication/index.md) to increase security. See the [configuration](../configuration/authentication/index.md#disable_reset_password) for more
for information. information.
### Session security ### Session security
We have a few options to configure the security of a session. The main and most important We have a few options to configure the security of a session. The main and most important one is the session secret.
one is the session secret. This is used to encrypt the session data when when stored in the This is used to encrypt the session data when it is stored in the [Redis](../configuration/session/redis.md) key value
Redis key value database. This should be as random as possible. database. The value of this option should be long and as random as possible. See more in the
[documentation](../configuration/session/index.md#secret) for this option.
Additionally you can configure the validity period of sessions. For example in a highly The validity period of session is highly configurable. For example in a highly security conscious domain you could
security conscious domain you would probably want to set the session remember_me_duration set the session [remember_me_duration](../configuration/session/index.md#remember_me_duration) to 0 to disable this
to 0 to disable this feature, and set an expiration of something like 2 hours and inactivity feature, and set the [expiration](../configuration/session/index.md#expiration) to 2 hours and the
of 10 minutes. This means the hard limit or the time the session will be destroyed no matter [inactivity](../configuration/session/index.md#inactivity) of 10 minutes. Configuring the session security in this
what is 2 hours, and the soft limit or the time a user can be inactive for is 10 minutes. manner would mean if the cookie age was more than 2 hours or if the user was inactive for more than 10 minutes the
session would be destroyed.
### Additional proxy protection measures ### Additional proxy protection measures
You can also apply the following headers to your proxy configuration for You can also apply the following headers to your proxy configuration for improving security. Please read the
improving security. Please read the documentation of those headers before relevant documentation for these headers before applying them blindly.
applying them blindly.
#### nginx #### nginx
@ -215,11 +231,13 @@ services:
### More protections measures with fail2ban ### More protections measures with fail2ban
If you are running fail2ban, adding a filter and jail for Authelia can reduce load on the application / web server. Fail2ban will ban IPs exceeding a threshold of repeated failed logins at the firewall level of your host. If you are running fail2ban, adding a filter and jail for Authelia can reduce load on the application / web server.
Fail2ban will ban IPs exceeding a threshold of repeated failed logins at the firewall level of your host. If you are
using Docker, the Authelia log file location has to be mounted from the host system to the container for
fail2ban to access it.
If you are using Docker, the Authelia log file location has to be mounted from the host system to the container for fail2ban to access it. Create a configuration file in the `filter.d` folder with the content below. In Debian-based systems the folder is
typically located at `/etc/fail2ban/filter.d`.
Create a configuration file in the `filter.d` folder with the content below. In Debian-based systems the folder is typically located at `/etc/fail2ban/filter.d`.
``` ```
# Fail2Ban filter for Authelia # Fail2Ban filter for Authelia
@ -229,7 +247,7 @@ Create a configuration file in the `filter.d` folder with the content below. In
# (it is misleading: usually, this is the purpose of this header). # (it is misleading: usually, this is the purpose of this header).
# the failregex rule counts every failed login (wrong username or password) and failed TOTP entry as a failure # the failregex rule counts every failed login (wrong username or password) and failed TOTP entry as a failure
# the ignoreregex rule ignores debug, info and warning messages as all authentication failures are flagged as level=error by Authelia # the ignoreregex rule ignores debug, info and warning messages as all authentication failures are flagged as errors
[Definition] [Definition]
failregex = ^.*Error while checking password for.*remote_ip=<HOST> stack.* failregex = ^.*Error while checking password for.*remote_ip=<HOST> stack.*
@ -241,8 +259,10 @@ ignoreregex = ^.*level=debug.*
^.*level=warning.* ^.*level=warning.*
``` ```
Modify the `jail.local` file. In Debian-based systems the folder is typically located at `/etc/fail2ban/`. If the file does not exist, create it by copying the jail.conf `cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local`. Modify the `jail.local` file. In Debian-based systems the folder is typically located at `/etc/fail2ban/`. If the file
Add an Authelia entry to the "Jails" section of the file: does not exist, create it by copying the jail.conf `cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local`. Add an
Authelia entry to the "Jails" section of the file:
``` ```
[authelia] [authelia]
enabled = true enabled = true
@ -254,55 +274,89 @@ bantime = 1d
findtime = 1d findtime = 1d
chain = DOCKER-USER chain = DOCKER-USER
``` ```
If you are not using Docker remove the the line "chain = DOCKER-USER"
Finally, restart the fail2ban service. If you are not using Docker remove the line "chain = DOCKER-USER". You will need to restart the fail2ban service for the
changes to take effect.
## Container privilege de-escalation ## Container privilege de-escalation
Authelia will run as root by default, there are two options to run as a non-root user. The first option is to use the Authelia will run as the root user and group by default, there are two options available to run as a non-root user and
Docker `--user` option on the command line or in docker-compose. The second option is to use the `PUID` and `PGID` group.
environment variables. An added benefit of using the environment variables is the mounted volumes ownership will automatically
be changed for you.
### Docker user option It is recommended which ever approach you take that to secure the sensitive files Authelia requires access to that you
make sure the chmod of the files does not inadvertently allow read access to the files by users who do not need access
to them.
With the Docker `--user` option, Docker will ensure Authelia is running as the user id and group id you specify. Examples:
In order to use this option, you will need to mount the `/config` volume to a directory on the host and set
the owner and group of that directory to the same user you supplied to docker. Running Authelia with `--user`
without mounting a volume to `/config` or incorrectly setting the host systems directory owner will cause Authelia
to exit immediately. The docker `--user` option will take precedence over the environment variables.
On the command line, you would create your Authelia data directory, change ownership to your non-root user If you wanted to run Authelia as UID 8000, and wanted the GID of 9000 to also have read access to the files
and run Authelia with `--user` set: you might do the following assuming the files were in the relative path `.data/authelia`:
```
mkdir /authelia ```shell
chown user:group /authelia chown -r 8000:9000 .data/authelia
docker run --user user:group -v /authelia:/config authelia/authelia:latest find .data/authelia/ -type d -exec chmod 750 {} \;
find .data/authelia/ -type f -exec chmod 640 {} \;
``` ```
As a docker-compose.yml file: If you wanted to run Authelia as UID 8000, and wanted the GID of 9000 to also have write access to the files
you might do the following assuming the files were in the relative path `.data/authelia`:
```shell
chown -r 8000:9000 .data/authelia
find .data/authelia/ -type d -exec chmod 770 {} \;
find .data/authelia/ -type f -exec chmod 660 {} \;
```
### Docker user directive
The docker user directive allows you to configure the user the entrypoint runs as. This is generally the most secure
option for containers as no process accessible to the container ever runs as root which prevents a compromised container
from exploiting unnecessary privileges.
The directive can either be applied in your `docker run` command using the `--user` argument or by
the docker-compose `user:` key. The examples below assume you'd like to run the container as UID 8000 and GID 9000.
Example for the docker CLI:
```shell
docker run --user 8000:9000 -v /authelia:/config authelia/authelia:latest
```
Example for docker-compose:
``` ```
version: '3.8' version: '3.8'
services: services:
authelia: authelia:
image: authelia/authelia image: authelia/authelia
container_name: authelia container_name: authelia
user: 1000:1000 user: 8000:9000
volumes: volumes:
- ./authelia:/config - ./authelia:/config
``` ```
### PUID/PGID environment variables Running the container in this way requires that you manually adjust the file owner at the very least as described above.
If you do not do so it will likely cause Authelia to exit immediately. This option takes precedence over the PUID and
PGID environment variables below, so if you use it then changing the PUID and PGID have zero effect.
If you choose to use the environment variables, the correct ownership will be applied automatically on startup of ### PUID/PGID environment variables using the entrypoint
the container, so there's no need to `chown` before running, to use this on the command line use the following:
``` The second option is to use the `PUID` and `PGID` environment variables. When the container entrypoint is executed
docker run -e PUID=1000 -e PGID=1000 -v /authelia:/config authelia:authelia:latest as root, the entrypoint automatically runs the Authelia process as this user. An added benefit of using the environment
variables is the mounted volumes ownership will automatically be changed for you. It is still recommended that
you run the find chmod examples above in order to secure the files even further especially on servers multiple people
have access to.
The examples below assume you'd like to run the container as UID 8000 and GID 9000.
Example for the docker CLI:
```shell
docker run -e PUID=1000 -e PGID=1000 -v /authelia:/config authelia/authelia:latest
``` ```
As a docker-compose.yml file: Example for docker-compose:
``` ```
version: '3.8' version: '3.8'
services: services:
@ -316,5 +370,4 @@ services:
- ./authelia:/config - ./authelia:/config
``` ```
[HSTS]: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
[HSTS]: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/

View File

@ -8,44 +8,76 @@ nav_order: 2
# Threat Model # Threat Model
The design goals for Authelia is to protect access to applications by collaborating with reverse proxies to prevent The design goals for Authelia is to protect access to applications by collaborating with reverse proxies to prevent
attacks coming from the edge of the network. This document gives an overview of what Authelia is protecting against but some attacks coming from the edge of the network. This document gives an overview of what Authelia is protecting against.
of those points are also detailed in [Security Measures](./measures.md). Some of these ideas are expanded on or otherwise described in [Security Measures](./measures.md).
## General assumptions ## General assumptions
Authelia is considered to be running within a trusted network and it heavily relies on the first level of security provided by reverse proxies. It's very important that you take time configuring your reverse proxy properly to get all the authentication benefits brought by Authelia. Authelia is considered to be running within a trusted network and it heavily relies on the first level of security
Some general security tweaks are listed in [Security Measures](./measures.md) to give you some ideas. provided by reverse proxies. It's very important that you take time configuring your reverse proxy properly to get all
the authentication benefits brought by Authelia.
Some general security tweaks are listed in [Security Measures](./measures.md#additional-proxy-protection-measures) to
give you some ideas.
## Guarantees ## Guarantees
If properly configured, Authelia guarantees the following for security of your users and your apps: If properly configured, Authelia guarantees the following for security of your users and your apps:
* Applications cannot be accessed without proper authorization. The access control list is highly configurable allowing administrators to guarantee least privilege principle. * Applications cannot be accessed without proper authorization. The access control list is highly configurable allowing
* Applications can be protected with two factors in order to fight against credentials theft and protect highly sensitive data or operations. administrators to guarantee the least privilege principle.
* Sessions are bound in time, limiting the impact of a cookie theft. Sessions can have both soft and hard limits. With soft limit, the user is logged out when inactive for a certain period. With hard limit, the user has to authenticate again after a certain period, whether they were active or not. * Applications can be protected with two-factor authentication in order to fight against credential theft and protect
* Brute force attacks against credentials are protected thanks to a regulation mechanism temporarily blocking the user account after too many attempts. highly sensitive data or operations.
* Identity validation is required for performing administrative actions such as registering 2FA devices, preventing attackers to pass second factor by auto-registering their own 2FA device. An email with a link is sent to the user and a click is required to confirm the action. * Sessions are bound in time, limiting the impact of a cookie theft. Sessions can have both soft and hard expiration
time limits. With the soft limit, the user is logged out when inactive for a certain period of time. With the hard
limit, the user has to authenticate again after a certain period of time, whether they were active or not.
* Brute force attacks against credentials are protected thanks to a regulation mechanism temporarily blocking the user
account after too many attempts and delays to the authentication process.
* Identity validation is required for performing administrative actions such as registering 2FA devices, preventing
attackers to pass two-factor authentication by self-registering their own device. An email with a link is sent to the
user with a link providing them access to the registration flow which can only be opened by a single session.
* Prevention against session fixation by regenerating a new session after each privilege elevation. * Prevention against session fixation by regenerating a new session after each privilege elevation.
* Prevention against LDAP injection by following OWASP recommendations regarding valid input characters (https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html). * Prevention against LDAP injection by following
* Connections between Authelia and thirdparty components like mail server, database, cache and LDAP server can be made over TLS to protect against man-in-the-middle attacks from within the infrastructure. [OWASP recommendations](https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html)
* Validation of user session group memberships gets refreshed regularly from the authentication backend (LDAP only). regarding valid input characters.
* Connections between Authelia and third-party components like the SMTP server, database, session cache, and LDAP server
can be made over TLS to mitigate against man-in-the-middle attacks.
* Validation of user group memberships gets refreshed regularly from the authentication backend (LDAP only).
## Potential future guarantees ## Potential future guarantees
* Define and enforce a password policy (to be designed since such a policy can clash with a policy set by the LDAP server). * Define and enforce a password policy (to be designed since such a policy can clash with a policy set by the LDAP
server).
* Detect credential theft and prevent malicious actions. * Detect credential theft and prevent malicious actions.
* Detect session cookie theft and prevent malicious actions. * Detect session cookie theft and prevent malicious actions.
* Authenticate communications between Authelia and reverse proxy. * Binding session cookies to single IP addresses.
* Authenticate communication between Authelia and reverse proxy.
* Securely transmit authentication data to backends (OAuth2 with bearer tokens). * Securely transmit authentication data to backends (OAuth2 with bearer tokens).
* Protect secrets stored in DB with encryption to prevent secrets leak by DB exfiltration. * Protect secrets stored in the database with encryption to prevent secrets leak by database exfiltration.
* Least privilege on LDAP binding operations (currently administrative user is used to bind while it could be anonymous). * Least privilege on LDAP binding operations (currently administrative user is used to bind while it could be anonymous
for most operations).
* Extend the check of user group memberships to authentication backends other than LDAP (File currently). * Extend the check of user group memberships to authentication backends other than LDAP (File currently).
* Invalidate user session after profile or membership has changed in order to drop remaining privileges on the fly. * Allow administrators to configure policies regarding password resets so a compromised email account does not leave
accounts vulnerable.
* Allow users to view their active and past sessions to either destroy them, report malicious activity to the
administrator, or both.
* Allow administrators to temporarily restrict users that are suspected of being compromised no matter which backend is
being used.
* Log comprehensive information about user sessions so administrators can identify malicious activity and potential
consequences or damage caused by identified malicious activity.
* Ensure the X-Forwarded-* and X-Original-* headers are able to be trusted by allowing configuration of trusted proxy
servers.
## Trusted environment ## Trusted environment
It's important to note that Authelia is considered running in a trusted environment for two reasons It's important to note that Authelia is considered running in a trusted environment for two reasons:
1. Requests coming to Authelia should be initiated by reverse proxies but CAN be initiated by any other server currently. There is no trusted relationship between Authelia and the reverse proxy so an attacker within the network could abuse Authelia and attack it. 1. Requests coming to Authelia should be initiated by reverse proxies but CAN be initiated by any other server
2. Your environment should be considered trusted especially if you're using the `Remote-User`, `Remote-Name`, `Remote-Email` and `Remote-Groups` headers to forward authentication data to your backends. These headers are transmitted plain and unsigned to the backends, meaning a malicious user within the network could pretend to be Authelia and send those headers to bypass authentication and gain access to the service. A mitigation could be to transmit those headers with a digital signature which could be verified by the backend however, many backends just don't support it. It has therefore been decided to invest on OpenID Connect instead to solve that authentication delegation problem. Indeed, many backends currently. There is no trusted relationship between Authelia and the reverse proxy so an attacker within the network
do support OAuth2 though since it has become a standard lately. could abuse Authelia and attack it.
2. Your environment should be considered trusted especially if you're using the `Remote-User`, `Remote-Name`,
`Remote-Email` and `Remote-Groups` headers to forward authentication data to your backends. These headers are
transmitted unsigned to the backends, meaning a malicious user within the network could pretend to be
Authelia and send those headers to bypass authentication and gain access to the service. This could be mitigated by
transmitting those headers with a digital signature which could be verified by the backend however, many backends
just won't support it. It has therefore been decided to invest in OpenID Connect instead to solve that authentication
delegation problem.