diff --git a/src/pages/docs/installation/index.mdx b/src/pages/docs/installation/index.mdx index 41db640b38..1ab1b54756 100644 --- a/src/pages/docs/installation/index.mdx +++ b/src/pages/docs/installation/index.mdx @@ -1,7 +1,7 @@ --- layout: src/layouts/Default.astro pubDate: 2023-01-01 -modDate: 2024-05-01 +modDate: 2026-06-10 title: Install Octopus Server subtitle: How to install Octopus Server icon: fa-solid fa-server @@ -31,7 +31,7 @@ Relevant ports include: - **Inbound** port 8080: Container Host - service / load balancer to container - **Inbound** port 443/80 (http/https): Windows Host - load balancer to Windows Server - **Inbound** port 10943: Polling tentacles (Octopus Deploy agents) running on application hosts or runners (workers). -- **Inbound** port 8443 (gRPC): Octopus Deploy Argo CD Gateway +- **Inbound** port 8443 (gRPC): Octopus Deploy Argo CD Gateway and Kubernetes Live Object Status - **Outbound** port 10933: Listening tentacles (Octopus Deploy agents) running on application hosts or runners (workers). - **Outbound** port 22 (SSH): For application hosts or runners (workers). diff --git a/src/pages/docs/security/hardening-octopus.mdx b/src/pages/docs/security/hardening-octopus.mdx index 2f2d62f55c..e939b619d7 100644 --- a/src/pages/docs/security/hardening-octopus.mdx +++ b/src/pages/docs/security/hardening-octopus.mdx @@ -1,7 +1,7 @@ --- layout: src/layouts/Default.astro pubDate: 2023-01-01 -modDate: 2023-10-04 +modDate: 2026-06-10 title: Hardening Octopus description: If you are hosting Octopus Deploy yourself, this guide will help you harden your network, host operating system, and Octopus Server itself. This includes things such as configuring malware protection (antivirus), and using allow lists. navOrder: 10 
@@ -45,7 +45,7 @@ Depending on your familiarity with Octopus Server, or SQL Server, or networking, ### Upgrade to the latest version -Generally speaking, the latest available version of Octopus Server will be the most secure. You should consider a strategy for keeping Octopus Server updated. We follow a [responsible disclosure policy](#disclosure-policy) so it is possible for you to be aware of any known issues which affect the security and integrity of your Octopus Server. +Generally speaking, the latest available version of Octopus Server will be the most secure. You should consider a strategy for keeping Octopus Server updated. We follow a [responsible disclosure policy](https://octopus.com/security/disclosure) so it is possible for you to be aware of any known issues which affect the security and integrity of your Octopus Server. ### Securely expose your Octopus Server @@ -150,7 +150,7 @@ All communication between Octopus Server and Tentacles is performed over a secur #### Disable SSLv3, TLS 1.0 and 1.1 on Windows \{#disable-weak-tls-protocols-windows} -On Windows, the easiest way to disable weak versions of SSL and TLS are by using a tool like [IISCrypto](https://www.nartac.com/Products/IISCrypto) to change the Windows Registry. +On Windows, the easiest way to disable weak versions of SSL and TLS are by using a tool like [IISCrypto](https://www.nartac.com/Products/IISCrypto) to change the Windows Registry. :::div{.problem} 
@@ -198,14 +198,14 @@ Once the TLS versions are disabled, reboot your Server and importantly [verify t On Ubuntu `20.04` using OpenSSL `1.1.1f` (the latest at time of writing), you can specify the minimum TLS version to use to be `TLSv1.2` by setting the `MinProtocol` directive in the `/etc/ssl/openssl.cnf` OpenSSL config file: -``` +```text [system_default_sect] MinProtocol = TLSv1.2 ``` On Ubuntu `18.04`, if the `MinProtocol` directive doesn't work, you can try this alternative. When using OpenSSL `1.1.1` (the latest at time of writing), you can specify the available TLS Protocols explicitly in the `/etc/ssl/openssl.cnf` OpenSSL config file: -``` +```text [system_default_sect] Protocol = -SSLv3, -TLSv1, -TLSv1.1, TLSv1.2 ``` 
@@ -320,10 +320,11 @@ The TCP ports listed below are defaults, and can be changed if required - refer |Name|Type|Source|Target|Allow/Deny|Description| |---|---|---|---|---|---| |HTTP|`TCP 80`|Users|Octopus Server|ALLOW|We recommend only using HTTPS over SSL, however it can be convenient to allow HTTP for the initial connection which is then forced to HTTPS over SSL.| -|HTTPS|`TCP 443`|Users, Polling Tentacles, external services|Octopus Server|ALLOW|Required for HTTPS over SSL. Also required if using [Polling Tentacles](/docs/infrastructure/deployment-targets/tentacle/tentacle-communication/#polling-tentacles) over [Web Sockets](/docs/infrastructure/deployment-targets/tentacle/windows/polling-tentacles-web-sockets).| +|HTTPS|`TCP 443`|Users, Polling Tentacles, external services|Octopus Server|ALLOW|Required for HTTPS over SSL. Also required for initial Tentacle registration and if using [Polling Tentacles](/docs/infrastructure/deployment-targets/tentacle/tentacle-communication/#polling-tentacles) over [Web Sockets](/docs/infrastructure/deployment-targets/tentacle/windows/polling-tentacles-web-sockets) or [Polling Tentacles over HTTPS](/docs/infrastructure/deployment-targets/tentacle/polling-tentacles-over-port-443).| |Polling Tentacle|`TCP 10943`|Polling Tentacles|Octopus Server|ALLOW|Required when using [Polling Tentacles](/docs/infrastructure/deployment-targets/tentacle/tentacle-communication/#polling-tentacles) via TCP as deployment targets or external workers.| |SSH|`TCP 22`|Octopus Server|SSH deployment targets|ALLOW|Allows Octopus Server to securely connect to any SSH deployment targets.| |RDP|`TCP 3389`|Remote Desktop Users|Octopus Server|ALLOW|Allows your system administrators to perform maintenance tasks on your Octopus Server.| +|gRPC|`TCP 8443`|Kubernetes Live Object Status (KLOS)/ArgoCD Gateway|Octopus Server|ALLOW|Required for Kubernetes Live Object Status (KLOS)/ArgoCD Gateway| |All inbound|`ALL`|Anywhere|Octopus Server|DENY|Prevent any other unwanted 
inbound traffic.| ### Outbound rules 
@@ -340,19 +341,19 @@ The TCP ports listed below are defaults, and can be changed if required - refer ## Harden your containers -If you run an [Octopus Deploy container](/docs/installation/octopus-server-linux-container), in addition to your usual security measure for running apps out of containers, take the following steps to secure it: +If you run an [Octopus Deploy container](/docs/installation/octopus-server-linux-container), in addition to your usual security measure for running apps out of containers, take the following steps to secure it: -- Move your Docker data directory (the default location is `/var/lib/docker`) so that your containers are stored on a separate partition. +- Move your Docker data directory (the default location is `/var/lib/docker`) so that your containers are stored on a separate partition. - Assign resources carefully: - - Consider pinning CPUs to namespaces in order to give them a boundary. - - Consider the amount of memory required, if you assign too much the container is susceptible to denial of service attacks, but if you assign too little or make use of memory ballooning performance will be impacted. + - Consider pinning CPUs to namespaces in order to give them a boundary. + - Consider the amount of memory required, if you assign too much the container is susceptible to denial of service attacks, but if you assign too little or make use of memory ballooning performance will be impacted. - Consider which containers reside in each network namespace as all processes in a namespace can talk to the namespace interface. The security of your Linux container host and its Docker configuration can be analyzed in detail by using [Docker Bench for Security](https://github.com/docker/docker-bench-security) from the [Center for Internet Security](https://www.cisecurity.org/about-us/). For more generalized advice for your platform they provide their benchmarks as [PDF documents](https://www.cisecurity.org/benchmark/docker/). 
## Samples -We have an [Octopus Admin](https://oc.to/OctopusAdminSamplesSpace) Space on our Samples instance of Octopus. You can sign in as `Guest` to take a look at some examples of how we have used Octopus for hardening tasks. +We have an [Octopus Admin](https://oc.to/OctopusAdminSamplesSpace) Space on our Samples instance of Octopus. You can sign in as `Guest` to take a look at some examples of how we have used Octopus for hardening tasks. ## Getting help
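Review bot: In the `src/pages/docs/installation/index.mdx` hunk at `@@ -31,7 +31,7 @@` the new text spells the component "Argo CD Gateway", while the firewall table row added in `hardening-octopus.mdx` in this same patch spells it "ArgoCD Gateway"; pick one spelling and use it in both files so a reader searching the docs finds both entries.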
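Review bot: In the `hardening-octopus.mdx` hunk at `@@ -45,7 +45,7 @@` the in-page anchor `#disclosure-policy` is replaced with the absolute URL `https://octopus.com/security/disclosure`; every other link in this file is root-relative (`/docs/...`), so `/security/disclosure` would keep the link style consistent and survive a host change.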
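Review bot: The hunk at `@@ -150,7 +150,7 @@` is a whitespace-only change, but the touched sentence has a subject-verb disagreement ("the easiest way to disable weak versions of SSL and TLS are by using"); since the line is already in the diff, reword it to "the easiest way to disable weak versions of SSL and TLS is to use a tool like [IISCrypto](https://www.nartac.com/Products/IISCrypto) to change the Windows Registry."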
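Review bot: In the hunk at `@@ -198,14 +198,14 @@` the fences gain a `text` tag, which is fine, but both surrounding paragraphs still describe OpenSSL `1.1.1f` and `1.1.1` as "the latest at time of writing" while this same patch bumps `modDate` to 2026-06-10; either drop those parentheticals or date them, otherwise the new modification date implies the version claim was re-checked. The Ubuntu 18.04 snippet `Protocol = -SSLv3, -TLSv1, -TLSv1.1, TLSv1.2` also lists nothing above TLSv1.2 even though OpenSSL 1.1.1 supports TLS 1.3, so one sentence stating whether TLS 1.3 remains enabled with this setting would save readers guessing.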
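Review bot: In the firewall table hunk at `@@ -320,10 +320,11 @@` the new gRPC row's Description cell "Required for Kubernetes Live Object Status (KLOS)/ArgoCD Gateway" only repeats its Source cell, lacks the trailing period every other row has, and has no link, whereas the HTTPS and Polling Tentacle rows link to the relevant docs page; suggest something like "Required when using Kubernetes Live Object Status (KLOS) or the Argo CD Gateway." with a link to the corresponding docs page. The Source cell should also name the side that initiates the connection, as the other rows do (Users, Polling Tentacles, Octopus Server), rather than the feature name, so the row can be turned directly into a firewall rule. The HTTPS row change itself reads well: calling out initial Tentacle registration and linking the port-443 polling page closes a gap in the old row.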
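Review bot: The hunk at `@@ -340,19 +341,19 @@` is whitespace-only; since those lines are touched anyway, fix "your usual security measure for running apps out of containers" to "security measures", and split the comma splice in the memory bullet ("Consider the amount of memory required, if you assign too much the container is susceptible to denial of service attacks, ...") into two sentences, e.g. "Consider the amount of memory required. If you assign too much, the container is susceptible to denial of service attacks; if you assign too little or make use of memory ballooning, performance will be impacted."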