matrix-org / synapse

Synapse: Matrix homeserver written in Python/Twisted.
https://matrix-org.github.io/synapse
Apache License 2.0

Prevent Synapse from logging IP addresses - harden Synapse server security #9835

Open githuberyt opened 3 years ago

githuberyt commented 3 years ago

How can I prevent Synapse from logging IP addresses or connection logs, and is there a recommended config to harden Synapse security?

anoadragon453 commented 3 years ago

The logging that Synapse produces is controlled by your log config, typically named servername.log.config (or /etc/matrix-synapse/log.yaml for the Debian packages). If you raise your log level from the default INFO to WARN then Processed Request lines will not be logged. However, this will also make your Synapse more difficult to debug if you ever need to, as it will log much less.

There isn't a way to prevent logging IP addresses currently; however, you can specifically prevent Processed request ... from being output by adding the following to your log config file:

loggers:
    # ... (keep your existing logger entries here)
    synapse.http.site:
        # Disable 'Processed request ...' lines
        level: WARN

> is there a recommended config to harden synapse security?

There is no such document currently, but we certainly wouldn't be opposed to someone creating one.
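
The per-logger override from the comment above, reproduced with Python's standard `logging.config.dictConfig` as an added example (not Synapse's or the commenter's code). It assumes the log config follows the Python logging schema; the messages, the `203.0.113.7` address and the `synapse.example.other` logger name are constructed. It shows that the setting filters by logger name and level only, so WARN-and-above lines on `synapse.http.site` and lines from other loggers are still written.

```python
import logging
import logging.config


class ListHandler(logging.Handler):
    """Keeps formatted records in memory so the output can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def build_config(site_level):
    # Same shape as the YAML snippet: root stays at INFO, one logger is overridden.
    return {
        "version": 1,
        "disable_existing_loggers": False,
        "formatters": {"plain": {"format": "%(name)s - %(levelname)s - %(message)s"}},
        "handlers": {"mem": {"()": ListHandler, "formatter": "plain"}},
        "loggers": {"synapse.http.site": {"level": site_level}},
        "root": {"level": "INFO", "handlers": ["mem"]},
    }


def emitted_lines(site_level):
    """Apply the config, emit three constructed records, return what was written."""
    logging.config.dictConfig(build_config(site_level))
    handler = next(h for h in logging.getLogger().handlers if isinstance(h, ListHandler))
    site = logging.getLogger("synapse.http.site")
    # Constructed stand-in for an access line; not Synapse's real format.
    site.info("203.0.113.7 - Processed request: (constructed sample)")
    # Still passes the WARN threshold on the same logger.
    site.warning("constructed warning mentioning 203.0.113.7")
    # Hypothetical other logger: unaffected by the override.
    logging.getLogger("synapse.example.other").info("constructed line mentioning 203.0.113.7")
    return handler.lines


if __name__ == "__main__":
    for level in ("INFO", "WARN"):
        print(f"synapse.http.site level = {level}")
        for line in emitted_lines(level):
            print("   ", line)
```

To audit a real deployment, search the existing log files for address patterns after applying the override and see which logger names still produce them.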