From 5186d91f3324f1f14b46c75d2e6ff82f05f32cb4 Mon Sep 17 00:00:00 2001 From: Britton Riggs <104870596+briggs-octo@users.noreply.github.com> Date: Wed, 10 Jun 2026 09:06:51 -0700 Subject: [PATCH 01/10] Adding gRPC port to inbound port table --- src/pages/docs/security/hardening-octopus.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/src/pages/docs/security/hardening-octopus.mdx b/src/pages/docs/security/hardening-octopus.mdx index 2f2d62f55c..33dc88103f 100644 --- a/src/pages/docs/security/hardening-octopus.mdx +++ b/src/pages/docs/security/hardening-octopus.mdx @@ -324,6 +324,7 @@ The TCP ports listed below are defaults, and can be changed if required - refer |Polling Tentacle|`TCP 10943`|Polling Tentacles|Octopus Server|ALLOW|Required when using [Polling Tentacles](/docs/infrastructure/deployment-targets/tentacle/tentacle-communication/#polling-tentacles) via TCP as deployment targets or external workers.| |SSH|`TCP 22`|Octopus Server|SSH deployment targets|ALLOW|Allows Octopus Server to securely connect to any SSH deployment targets.| |RDP|`TCP 3389`|Remote Desktop Users|Octopus Server|ALLOW|Allows your system administrators to perform maintenance tasks on your Octopus Server.| +|gRPC|`TCP 8443`|Kubernetes Live Object Status (KLOS)/ArgoCD Gateway|Octopus Server|ALLOW|Required for Kubernetes Live Object Status (KLOS)/ArgoCD Gateway| |All inbound|`ALL`|Anywhere|Octopus Server|DENY|Prevent any other unwanted inbound traffic.| ### Outbound rules From bb7b52592f0b7d7a7d592384c4d9e7fafb61235d Mon Sep 17 00:00:00 2001 From: Britton Riggs <104870596+briggs-octo@users.noreply.github.com> Date: Wed, 10 Jun 2026 09:19:37 -0700 Subject: [PATCH 02/10] Adding initial Tentacle registration note to table for port 443 --- src/pages/docs/security/hardening-octopus.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/security/hardening-octopus.mdx b/src/pages/docs/security/hardening-octopus.mdx index 33dc88103f..48d77a5a60 100644 
--- a/src/pages/docs/security/hardening-octopus.mdx +++ b/src/pages/docs/security/hardening-octopus.mdx @@ -320,7 +320,7 @@ The TCP ports listed below are defaults, and can be changed if required - refer |Name|Type|Source|Target|Allow/Deny|Description| |---|---|---|---|---|---| |HTTP|`TCP 80`|Users|Octopus Server|ALLOW|We recommend only using HTTPS over SSL, however it can be convenient to allow HTTP for the initial connection which is then forced to HTTPS over SSL.| -|HTTPS|`TCP 443`|Users, Polling Tentacles, external services|Octopus Server|ALLOW|Required for HTTPS over SSL. Also required if using [Polling Tentacles](/docs/infrastructure/deployment-targets/tentacle/tentacle-communication/#polling-tentacles) over [Web Sockets](/docs/infrastructure/deployment-targets/tentacle/windows/polling-tentacles-web-sockets).| +|HTTPS|`TCP 443`|Users, Polling Tentacles, external services|Octopus Server|ALLOW|Required for HTTPS over SSL. Also required for initial Tentacle registration and if using [Polling Tentacles](/docs/infrastructure/deployment-targets/tentacle/tentacle-communication/#polling-tentacles) over [Web Sockets](/docs/infrastructure/deployment-targets/tentacle/windows/polling-tentacles-web-sockets).| |Polling Tentacle|`TCP 10943`|Polling Tentacles|Octopus Server|ALLOW|Required when using [Polling Tentacles](/docs/infrastructure/deployment-targets/tentacle/tentacle-communication/#polling-tentacles) via TCP as deployment targets or external workers.| |SSH|`TCP 22`|Octopus Server|SSH deployment targets|ALLOW|Allows Octopus Server to securely connect to any SSH deployment targets.| |RDP|`TCP 3389`|Remote Desktop Users|Octopus Server|ALLOW|Allows your system administrators to perform maintenance tasks on your Octopus Server.| From cf7742686547ab9f7da0c5b7bff513658ad23ba3 Mon Sep 17 00:00:00 2001 
From: Britton Riggs <104870596+briggs-octo@users.noreply.github.com> Date: Wed, 10 Jun 2026 09:27:20 -0700 Subject: [PATCH 03/10] Adding Polling Tentacles over HTTPS to HTTPS/port 443 row --- src/pages/docs/security/hardening-octopus.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/security/hardening-octopus.mdx b/src/pages/docs/security/hardening-octopus.mdx index 48d77a5a60..d483bea1ab 100644 --- a/src/pages/docs/security/hardening-octopus.mdx +++ b/src/pages/docs/security/hardening-octopus.mdx 
@@ -320,7 +320,7 @@ The TCP ports listed below are defaults, and can be changed if required - refer |Name|Type|Source|Target|Allow/Deny|Description| |---|---|---|---|---|---| |HTTP|`TCP 80`|Users|Octopus Server|ALLOW|We recommend only using HTTPS over SSL, however it can be convenient to allow HTTP for the initial connection which is then forced to HTTPS over SSL.| -|HTTPS|`TCP 443`|Users, Polling Tentacles, external services|Octopus Server|ALLOW|Required for HTTPS over SSL. Also required for initial Tentacle registration and if using [Polling Tentacles](/docs/infrastructure/deployment-targets/tentacle/tentacle-communication/#polling-tentacles) over [Web Sockets](/docs/infrastructure/deployment-targets/tentacle/windows/polling-tentacles-web-sockets).| +|HTTPS|`TCP 443`|Users, Polling Tentacles, external services|Octopus Server|ALLOW|Required for HTTPS over SSL. Also required for initial Tentacle registration and if using [Polling Tentacles](/docs/infrastructure/deployment-targets/tentacle/tentacle-communication/#polling-tentacles) over [Web Sockets](/docs/infrastructure/deployment-targets/tentacle/windows/polling-tentacles-web-sockets) or [Polling Tentacles over HTTPS](/docs/infrastructure/deployment-targets/tentacle/polling-tentacles-over-port-443).| |Polling Tentacle|`TCP 10943`|Polling Tentacles|Octopus Server|ALLOW|Required when using [Polling Tentacles](/docs/infrastructure/deployment-targets/tentacle/tentacle-communication/#polling-tentacles) via TCP as deployment targets or external workers.| |SSH|`TCP 22`|Octopus Server|SSH deployment targets|ALLOW|Allows Octopus Server to securely connect to any SSH deployment targets.| |RDP|`TCP 3389`|Remote Desktop Users|Octopus Server|ALLOW|Allows your system administrators to perform maintenance tasks on your Octopus Server.| From 5140aec60a00005679f23d0c82b39db603b774ff Mon Sep 17 00:00:00 2001 
From: Britton Riggs <104870596+briggs-octo@users.noreply.github.com> Date: Wed, 10 Jun 2026 09:29:06 -0700 Subject: [PATCH 04/10] Adding KLOS to installation components ports section --- src/pages/docs/installation/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/installation/index.mdx b/src/pages/docs/installation/index.mdx index 41db640b38..f8c36bd2d6 100644 --- a/src/pages/docs/installation/index.mdx +++ b/src/pages/docs/installation/index.mdx @@ -31,7 +31,7 @@ Relevant ports include: - **Inbound** port 8080: Container Host - service / load balancer to container - **Inbound** port 443/80 (http/https): Windows Host - load balancer to Windows Server - **Inbound** port 10943: Polling tentacles (Octopus Deploy agents) running on application hosts or runners (workers). -- **Inbound** port 8443 (gRPC): Octopus Deploy Argo CD Gateway +- **Inbound** port 8443 (gRPC): Octopus Deploy Argo CD Gateway and Kubernetes Live Object Status (KLOS) - **Outbound** port 10933: Listening tentacles (Octopus Deploy agents) running on application hosts or runners (workers). - **Outbound** port 22 (SSH): For application hosts or runners (workers). From 613ca8f5aa62e8c19b9e07202dd3ae82a0d7a2c1 Mon Sep 17 00:00:00 2001 From: Britton Riggs <104870596+briggs-octo@users.noreply.github.com> Date: Wed, 10 Jun 2026 10:05:08 -0700 Subject: [PATCH 05/10] Update mod date --- src/pages/docs/installation/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/installation/index.mdx b/src/pages/docs/installation/index.mdx index f8c36bd2d6..0c38f20055 100644 --- a/src/pages/docs/installation/index.mdx +++ b/src/pages/docs/installation/index.mdx @@ -1,7 +1,7 @@ --- layout: src/layouts/Default.astro pubDate: 2023-01-01 -modDate: 2024-05-01 +modDate: 2026-06-10 title: Install Octopus Server subtitle: How to install Octopus Server icon: fa-solid fa-server From 5990ca5fb5f53ab7442fdc5e6d0d1f023ea354f4 Mon Sep 17 00:00:00 2001 
From: Britton Riggs <104870596+briggs-octo@users.noreply.github.com> Date: Wed, 10 Jun 2026 10:05:43 -0700 Subject: [PATCH 06/10] Updating mod date --- src/pages/docs/security/hardening-octopus.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/security/hardening-octopus.mdx b/src/pages/docs/security/hardening-octopus.mdx index d483bea1ab..70aab8e6ba 100644 --- a/src/pages/docs/security/hardening-octopus.mdx +++ b/src/pages/docs/security/hardening-octopus.mdx @@ -1,7 +1,7 @@ --- layout: src/layouts/Default.astro pubDate: 2023-01-01 -modDate: 2023-10-04 +modDate: 2026-06-10 title: Hardening Octopus description: If you are hosting Octopus Deploy yourself, this guide will help you harden your network, host operating system, and Octopus Server itself. This includes things such as configuring malware protection (antivirus), and using allow lists. navOrder: 10 From 0240b13cd353d2e976b2c8b5757cb65cc385054a Mon Sep 17 00:00:00 2001 From: Britton Riggs <104870596+briggs-octo@users.noreply.github.com> Date: Thu, 11 Jun 2026 08:23:31 -0700 Subject: [PATCH 07/10] Updating wording for TCP 443 row From 777e0f1081116ec4329294a1e2611f974d8548b9 Mon Sep 17 00:00:00 2001 From: Britton Riggs <104870596+briggs-octo@users.noreply.github.com> Date: Thu, 11 Jun 2026 08:41:39 -0700 Subject: [PATCH 08/10] Fixing linter errors --- src/pages/docs/security/hardening-octopus.mdx | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/pages/docs/security/hardening-octopus.mdx b/src/pages/docs/security/hardening-octopus.mdx index 70aab8e6ba..53bed5c554 100644 --- a/src/pages/docs/security/hardening-octopus.mdx +++ b/src/pages/docs/security/hardening-octopus.mdx 
@@ -150,7 +150,7 @@ All communication between Octopus Server and Tentacles is performed over a secur #### Disable SSLv3, TLS 1.0 and 1.1 on Windows \{#disable-weak-tls-protocols-windows} -On Windows, the easiest way to disable weak versions of SSL and TLS are by using a tool like [IISCrypto](https://www.nartac.com/Products/IISCrypto) to change the Windows Registry. +On Windows, the easiest way to disable weak versions of SSL and TLS are by using a tool like [IISCrypto](https://www.nartac.com/Products/IISCrypto) to change the Windows Registry. :::div{.problem} @@ -198,14 +198,14 @@ Once the TLS versions are disabled, reboot your Server and importantly [verify t On Ubuntu `20.04` using OpenSSL `1.1.1f` (the latest at time of writing), you can specify the minimum TLS version to use to be `TLSv1.2` by setting the `MinProtocol` directive in the `/etc/ssl/openssl.cnf` OpenSSL config file: -``` +```text [system_default_sect] MinProtocol = TLSv1.2 ``` On Ubuntu `18.04`, if the `MinProtocol` directive doesn't work, you can try this alternative. When using OpenSSL `1.1.1` (the latest at time of writing), you can specify the available TLS Protocols explicitly in the `/etc/ssl/openssl.cnf` OpenSSL config file: -``` +```text [system_default_sect] Protocol = -SSLv3, -TLSv1, -TLSv1.1, TLSv1.2 ``` 
@@ -341,19 +341,19 @@ The TCP ports listed below are defaults, and can be changed if required - refer ## Harden your containers -If you run an [Octopus Deploy container](/docs/installation/octopus-server-linux-container), in addition to your usual security measure for running apps out of containers, take the following steps to secure it: +If you run an [Octopus Deploy container](/docs/installation/octopus-server-linux-container), in addition to your usual security measure for running apps out of containers, take the following steps to secure it: -- Move your Docker data directory (the default location is `/var/lib/docker`) so that your containers are stored on a separate partition. +- Move your Docker data directory (the default location is `/var/lib/docker`) so that your containers are stored on a separate partition. - Assign resources carefully: - - Consider pinning CPUs to namespaces in order to give them a boundary. - - Consider the amount of memory required, if you assign too much the container is susceptible to denial of service attacks, but if you assign too little or make use of memory ballooning performance will be impacted. + - Consider pinning CPUs to namespaces in order to give them a boundary. + - Consider the amount of memory required, if you assign too much the container is susceptible to denial of service attacks, but if you assign too little or make use of memory ballooning performance will be impacted. - Consider which containers reside in each network namespace as all processes in a namespace can talk to the namespace interface. The security of your Linux container host and its Docker configuration can be analyzed in detail by using [Docker Bench for Security](https://github.com/docker/docker-bench-security) from the [Center for Internet Security](https://www.cisecurity.org/about-us/). For more generalized advice for your platform they provide their benchmarks as [PDF documents](https://www.cisecurity.org/benchmark/docker/). 
## Samples -We have an [Octopus Admin](https://oc.to/OctopusAdminSamplesSpace) Space on our Samples instance of Octopus. You can sign in as `Guest` to take a look at some examples of how we have used Octopus for hardening tasks. +We have an [Octopus Admin](https://oc.to/OctopusAdminSamplesSpace) Space on our Samples instance of Octopus. You can sign in as `Guest` to take a look at some examples of how we have used Octopus for hardening tasks. ## Getting help From 91dd81384d39bc1e4431a6d7e93f9ff09868d8c5 Mon Sep 17 00:00:00 2001 From: Britton Riggs <104870596+briggs-octo@users.noreply.github.com> Date: Thu, 11 Jun 2026 08:45:02 -0700 Subject: [PATCH 09/10] Fixing spellcheck error --- src/pages/docs/installation/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/installation/index.mdx b/src/pages/docs/installation/index.mdx index 0c38f20055..1ab1b54756 100644 --- a/src/pages/docs/installation/index.mdx +++ b/src/pages/docs/installation/index.mdx @@ -31,7 +31,7 @@ Relevant ports include: - **Inbound** port 8080: Container Host - service / load balancer to container - **Inbound** port 443/80 (http/https): Windows Host - load balancer to Windows Server - **Inbound** port 10943: Polling tentacles (Octopus Deploy agents) running on application hosts or runners (workers). -- **Inbound** port 8443 (gRPC): Octopus Deploy Argo CD Gateway and Kubernetes Live Object Status (KLOS) +- **Inbound** port 8443 (gRPC): Octopus Deploy Argo CD Gateway and Kubernetes Live Object Status - **Outbound** port 10933: Listening tentacles (Octopus Deploy agents) running on application hosts or runners (workers). - **Outbound** port 22 (SSH): For application hosts or runners (workers). From c661ba5de12d7af349a1a642fad42a9f827334c1 Mon Sep 17 00:00:00 2001 
From: Britton Riggs <104870596+briggs-octo@users.noreply.github.com> Date: Thu, 11 Jun 2026 09:05:38 -0700 Subject: [PATCH 10/10] Fixing linter error --- src/pages/docs/security/hardening-octopus.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/security/hardening-octopus.mdx b/src/pages/docs/security/hardening-octopus.mdx index 53bed5c554..e939b619d7 100644 --- a/src/pages/docs/security/hardening-octopus.mdx +++ b/src/pages/docs/security/hardening-octopus.mdx @@ -45,7 +45,7 @@ Depending on your familiarity with Octopus Server, or SQL Server, or networking, ### Upgrade to the latest version -Generally speaking, the latest available version of Octopus Server will be the most secure. You should consider a strategy for keeping Octopus Server updated. We follow a [responsible disclosure policy](#disclosure-policy) so it is possible for you to be aware of any known issues which affect the security and integrity of your Octopus Server. +Generally speaking, the latest available version of Octopus Server will be the most secure. You should consider a strategy for keeping Octopus Server updated. We follow a [responsible disclosure policy](https://octopus.com/security/disclosure) so it is possible for you to be aware of any known issues which affect the security and integrity of your Octopus Server. ### Securely expose your Octopus Server
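Review bot: In the PATCH 01/10 hunk (hardening-octopus.mdx, `@@ -324,6 +324,7 @@`), the new gRPC row's Description cell only repeats the Source cell and is the one row in the table without a trailing period; every other row says what the traffic is for. Suggest something like `|gRPC|`TCP 8443`|Argo CD Gateway, Kubernetes Live Object Status|Octopus Server|ALLOW|Required for the Argo CD Gateway and Kubernetes Live Object Status to connect to Octopus Server over gRPC.|`. The row also spells it "ArgoCD" while the installation page (PATCH 04/10) uses "Argo CD"; pick one spelling across both files. Since this is an ALLOW rule, keep the Source cell naming only the gateway hosts rather than a broader source, as the row already does, so readers do not open 8443 to everything.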
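Review bot: In the PATCH 02/10 and 03/10 hunks (hardening-octopus.mdx, `@@ -320,7 +320,7 @@`), the HTTPS row now says port 443 is "Also required for initial Tentacle registration", which applies to every Tentacle, but the Source cell still reads "Users, Polling Tentacles, external services". If Listening Tentacles also register through 443, add them to Source so the allow rule matches the description; if registration is meant only for Polling Tentacles, say so in the sentence. The sentence itself reads awkwardly as "registration and if using ... over Web Sockets or Polling Tentacles over HTTPS"; consider "Also required for initial Tentacle registration, and when using [Polling Tentacles](...) over [Web Sockets](...) or [over HTTPS](...)."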
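Review bot: The PATCH 09/10 hunk (installation/index.mdx, `@@ -31,7 +31,7 @@`) drops "(KLOS)" to satisfy spellcheck, but the PATCH 01/10 row in hardening-octopus.mdx still uses "(KLOS)" in two cells. Either add KLOS to the spellcheck dictionary or remove the abbreviation in both files so the two pages stay consistent and the hardening page does not trip the same check later.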
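Review bot: PATCH 05/10 and 06/10 set `modDate: 2026-06-10` in both files, but PATCH 07/10 through 10/10 change page content on 2026-06-11. Bump `modDate` in the final commit (or fold the date bump into the last content commit) so the published modification date reflects the last real change.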
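Review bot: PATCH 07/10 ("Updating wording for TCP 443 row") carries no diffstat and no hunk. If the commit is empty, drop it from the series; if the change was lost, re-apply it, otherwise the commit message promises a wording change that is not in the history.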
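Review bot: The PATCH 08/10 hunks (hardening-octopus.mdx, `@@ -150`, `@@ -198`, `@@ -341`) show only whitespace and fence-tag changes, but since the lines are being touched anyway, fix the grammar on them in the same commit: "the easiest way to disable weak versions of SSL and TLS are by using a tool like" should be "is to use a tool like", and "your usual security measure for running apps out of containers" should be "measures". In the `@@ -198` hunk, the two `openssl.cnf` snippets are tagged ```` ```text ````; ```` ```ini ```` would give them correct highlighting if the linter accepts it. Also consider squashing this commit into the ones that introduced the trailing whitespace so the series does not carry a separate lint-fix commit.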
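Review bot: The PATCH 10/10 hunk (hardening-octopus.mdx, `@@ -45,7 +45,7 @@`) replaces the in-page anchor `#disclosure-policy` with the absolute URL `https://octopus.com/security/disclosure`, while every other link in these hunks is site-relative (`/docs/...`). Use `/security/disclosure` so the link also resolves in preview and staging builds, and confirm the `#disclosure-policy` section really no longer exists on the page; if it does, the original anchor was correct and the linter is flagging something else.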