Web interface security
When IPHost is installed, it provides Web interface to the monitoring setup. One can access reports, as well as start, stop and poll monitors.
By default, HTTP access is configured; it can be changed to HTTPS (see details below).
Whereas this is a useful tool, its default settings may be too public in certain cases. Depending on your monitoring setup, you may want to restrict the above administration functions to your system and network administrators. Please follow the below checklist to ensure the Web interface to your monitoring setup meets your security standards.
Apply the latest IPHost version and configuration settings
Unless you use the latest IPHost release, you might be using out-of-date and possible insecure components (that includes Web server, OpenSSL library, bundled Firebird database server). The first thing you could do is checking you are using the latest IPHost version. Run IPHost GUI client and proceed to “Help > About IPHost Network Monitor…” to get the version of your IPHost installation.
Note that you can subscribe to our low-volume mailing list, to make sure you are notified when a new release is published.
After you made sure you are running the latest IPHost version, proceed to configuring Web interface according to the latest industry security recommendations. You might wish to monitor mentioned Cipherli.st site and Mozilla Wiki page, to make sure you are following the latest recommended settings.
Restrict Web interface to local addresses
Be default, Web interface configuration uses default (primary) network address. Unless the system where IPHost is installed is accessible from intranet only, you might wish to use less public addresses instead of default one.
Start IPHost GUI client, proceed to “Settings > Web Interface” and replace the default value of Host field ($AUTO), e.g., with “localhost” or “127.0.0.1” (or another IP address from 127/8). Depending on ho wmany network interfaces is installed on the system running IPHost, you might also wish to select another IP address). Stop and start monitoring service, to enable the new settings.
Note: in case you need to send IPHost notifications and/or reports to third parties, you might need to let Web interface remain available to them, as well. In such a case, you might need to add HTTP authentication (require user name and password to access Web interface), to keep confidential data secure.
Use authentication (per user access control)
By default, Web interface doesn’t require authentication; anyone capable of connecting to it, can use all the functions available. Since those functions include changing monitors state, you might wish to require authentication, to only allow access on per user basis.
Follow the instructions on corresponding knowledge base page to set up basic HTTP authentication for IPHost Web interface.
Custom Web interface pages
Finally, you can either customize existing Web interface pages, or create arbitrary number of new ones, with styles, content etc. matching your needs.