cedrozor / myrtille

A native HTML4 / HTML5 Remote Desktop Protocol and SSH client
https://www.myrtille.io
Apache License 2.0

Myrtille Cyber Security for remote WAN location #363

Closed andreaordonselli closed 12 months ago

andreaordonselli commented 1 year ago

Hello, thank you very much for the published project. I would like to ask a few questions concerning cyber security for connection from remote wan locations, assuming that I am an inexperienced user.

FIRST QUESTION I understood that opening the RDP port 3389 on the router and routing it to the server's IP address is madness for cyber security. What is the difference with opening port 80 or 443 and routing it to the IP address of the server where the Myrtille interface will respond? Especially when opening 80, couldn't the login credentials entered in the Myrtille interface be sniffed? In theory it shouldn't happen over https with a valid certificate, right?

SECOND QUESTION I don't understand why installing Myrtille enables, in IIS, a binding on port 443 with a self-generated certificate, which on a remote link gives an SSL error for an invalid certificate. I read on security.stackexchange.com that an https link with an invalid certificate is even worse than an http link with no certificate. Why does Myrtille enable this certificate by default?

THIRD QUESTION Does opening another port on the router, e.g. 8549, and routing it to port 80 or 443 of the server's IP make sense to improve cyber security, or is it completely useless?

FOURTH QUESTION To improve Myrtille security, the documentation mentions the possibility of activating two-factor authentication. Are there any other simple solutions that can increase the security of remote connection?

PS: I can't have other physical machines besides the rdp+myrtille server, I can't install virtual machines; I can only configure routers, firewall rules and install software on this single machine.

ARE THESE CONFIGS USEFUL OR NOT AT ALL? I configured these access rules:

A thousand thanks.

cedrozor commented 12 months ago

Hi,

FIRST QUESTION Myrtille is a web gateway between the end user and the target server. The difference of using http 80 and https 443 instead of rdp 3389 is that you can add many security layers, such as a reverse proxy, a load balancer, a DMZ (to isolate Myrtille from your internal servers), etc. The login credentials could be sniffed if using http 80, but not if using https 443 (whether the certificate is self-signed or signed by a trusted Certificate Authority).

SECOND QUESTION A self-signed certificate has the same level of security as a trusted one. But because it's not issued by a trusted CA (which is not free), the user has to add a security exception into their browser (basically, to say that the certificate can be trusted). Myrtille enables this by default because the login credentials could be sniffed if using http 80, and I thought it would be better for the user to add a security exception instead of having credentials at risk. That said, you can disable this feature on Myrtille installation or replace the self-signed certificate with a trusted one afterwards. One possible improvement for Myrtille would be to generate/install a Let's Encrypt certificate (https://letsencrypt.org/), which is trusted and free (they were free for 90 days in the past, but today they seem to be free without any time limitation).

THIRD QUESTION Ports are scanned at all times, so it's better to further secure the standard ones, 80 and 443 (routers have built-in security for these (DoS and others), but you can also install a reverse proxy (i.e.: nginx, ARR) to filter incoming requests (by IP, geozone, etc.), firewalls, load balancers, a DMZ, etc.)

FOURTH QUESTION See above. 2FA is unfortunately no longer working in Myrtille because the 3rd party provider (OASIS) discontinued its services. But I made the code so one could implement an OTP authentication (like Google Authenticator), if needed. I would implement it if I had time.

ARE THESE CONFIGS USEFUL OR NOT AT ALL? yes 👍
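
As an added illustration of the reverse-proxy layering described in the answer above (example configuration, not part of the Myrtille project), this nginx config redirects clear-text port 80 to 443, serves a CA-issued certificate, restricts clients to one source range, and forwards to Myrtille. It assumes Myrtille's IIS site is bound to http://127.0.0.1:8080, that the hostname gateway.example.com, the certificate paths and the 203.0.113.0/24 range are placeholders, and that the HTML5 client's session traffic runs over WebSocket.

```nginx
# Added example (not Myrtille's own code). Placeholders: gateway.example.com,
# the certificate paths, the 203.0.113.0/24 client range, and the assumption
# that Myrtille's IIS site listens on http://127.0.0.1:8080.

# Port 80 only redirects, so login credentials are never sent in clear text.
server {
    listen 80;
    server_name gateway.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name gateway.example.com;

    # Certificate issued by a trusted CA (e.g. Let's Encrypt), so browsers
    # need no security exception for a self-signed certificate.
    ssl_certificate     /etc/nginx/certs/gateway.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/gateway.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Ask browsers to use HTTPS only for this host from now on.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Source-IP filtering: only the remote office range may reach the gateway;
    # any other client is refused (403) before the request reaches Myrtille.
    allow 203.0.113.0/24;
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;

        # The HTML5 client streams the session over WebSocket; forward the
        # protocol upgrade so the connection is not downgraded to polling.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Remote desktop sessions are long-lived; don't drop idle streams early.
        proxy_read_timeout 3600s;
    }
}
```

With this in place, IIS should no longer be bound to the public interface on 80/443 so the proxy is the only exposed entry point; the source-IP allow list is what replaces "opening a random port" as the actual access control.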

andreaordonselli commented 12 months ago

Thanks for this repository, thanks for your answers. You were very clear. Greetings.