This appendix includes hardening and installation procedures for Magento 2 platform on the production environment. All installations of these operating systems and applications must adhere to these requirements.
B.1 UNIX Systems
B.1.1 Ubuntu Installation
The following general install procedures will be followed for all SkillSetz UNIX-based system deployments:
- Install operating system using default hosting provider interface:
- Choose server type and model
- Choose the image of the operating system (currently Ubuntu 20.10)
- Update all operating system software per vendor recommendations.
APT-upgrade is being used for upgrading the packages.
- Configure operating system parameters according to build document (OS hardening).
- Iptables - block all incoming connections except 80(HTTP), 443(HTTPS), 22(SSH), 2121 (FTPS), 2222 (SFTP), 65434-65534 (FTP Passive)
- Disable password authentication for SSH (public key only)
- Install software:
5. Update all application software per vendor recommendations.
- All the packages are fresh during installation.
6. Configure application parameters according to the build document (application hardening).
7. Complete system-specific System Configuration Record (Appendix C) and maintain it on file.
8. Ensure that any user does not have any password that can be used to log in to the system.
9. Ensure that all default users do not have any shell for interaction with the system.
B.2 Server Application
B.2.1 Application Installation
The following general install procedures will be followed for all SkillSetz server application deployments:
- Install necessary software.
- Update application software per vendor recommendations.
- Configure application parameters according to build document (application hardening).
- Update system-specific System Configuration Record (Appendix C) and maintain it on file.
B.4.2 MySQL Database
4.2.1. Installation process.
188.8.131.52. Install repository of mariadb.
184.108.40.206. Install the following packages (using APT):
Note: the root user has to connect to the database instance using UNIX-socket only.
220.127.116.11. Create a database.
18.104.22.168. Create a user (for example, ‘magento’) that has permissions to connect to the database described above.
22.214.171.124.1. Configure database instance:
- Do not accept connections from outside
- (Optional) Accept connections from local network (if multiple servers are used in infrastructure)
126.96.36.199.2. Additional configurations of the database instance have to be calculated before applying.
188.8.131.52. Ensure that service is enabled and will be restarted after reboot or failure etc.
184.108.40.206. Ensure that the user ‘mysql’ does not have a password.
220.127.116.11. Ensure that database user ‘magento’ has a password, that meets the following requirements:
- A minimum password length of at least twelve characters.
- Contain both numeric and alphabetic characters.
- Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.
4.3.1. Installation process.
18.104.22.168. Install PHP repositories.
22.214.171.124. Install PHP of magento-compatible version (using APT). Install the PHP-modules that are described at https://devdocs.magento.com/guides/v2.3/install-gde/system-requirements.html. Install PHP-fpm.
126.96.36.199. Ensure that service is enabled and will be restarted after reboot or failure etc.
188.8.131.52. Additional configurations of PHP have to be calculated before applying.
B.4.4 Magento 2
4.4.1. Ensure that passwords of admin users are fresh. (Optional) Configure magento to use password expiration policy.
4.4.2. Configure magento to allow only one active session of any admin user.
4.4.3. Filesystem level:
184.108.40.206. Create users
220.127.116.11. Add ‘magento’ to the group ‘www-data’.
18.104.22.168. Grant sudo rights to ‘builder’.
22.214.171.124. Ensure that no one from the users above has a password.
4.4.4. Additional requirements:
126.96.36.199. A minimum password length of at least seven characters.
188.8.131.52. Contain both numeric and alphabetic characters.
184.108.40.206. Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.
B.4.5 Nginx Server
4.5.1. Installation process.
220.127.116.11. Install the following packages (using APT):
- Certbot (using snap)
18.104.22.168. Configure the website accessibility using the following parameters:
- Level of access (customer page or admin page)
B.4.6 Redis Server
4.6.1. Installation process:
22.214.171.124. Install the following packages:
126.96.36.199. Download the redis package from https://download.redis.io/releases/redis-5.0.9.tar.gz
188.8.131.52. Unpack, compile and install the package.
184.108.40.206. Create a user named ‘redis’.
4.6.2. Configure Redis:
220.127.116.11 Prepare 2 services that will use sockets for accepting connections:
18.104.22.168. Deny accepting connections from outside.
22.214.171.124. Configure eviction policies.
126.96.36.199. Ensure that services are enabled and will be restarted after reboot or failure etc.
188.8.131.52. Ensure that user ‘redis’ does not have a password.
B.4.7 Elasticsearch Server
4.7.1. Installation process:
184.108.40.206. Download the latest magento-compatible version of elasticsearch.
220.127.116.11. Install elasticsearch.
18.104.22.168. Configure JAVA_OPTS.
22.214.171.124. Ensure that service is enabled and will be restarted after reboot or failure etc.
126.96.36.199. Ensure that user ‘elasticsearch’ does not have a password.