Network Security Protocols
# Network Security Protocols
This article provides a comprehensive overview of network security protocols crucial for maintaining a secure MediaWiki environment. Understanding these protocols is essential for both server administrators and developers seeking to enhance the platform's resilience against potential threats. We will cover common protocols, their configurations, and best practices for implementation within a typical MediaWiki server setup. This guide assumes a basic understanding of networking concepts. Refer to Help:Links and URLs for guidance on linking within the wiki.
Introduction
Network security protocols form the foundation of secure communication between clients (browsers) and the MediaWiki server. They ensure data confidentiality, integrity, and authenticity. Misconfigured or outdated protocols can create significant vulnerabilities, leading to data breaches or service disruptions. This article focuses on protocols commonly used with MediaWiki, namely TLS/SSL, SSH, and potentially SFTP. For more information on general server security, see Manual:Security best practices.
Transport Layer Security (TLS/SSL)
TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are cryptographic protocols that provide communication security over a network. They are fundamental for securing web traffic to your MediaWiki installation, enabling HTTPS.
TLS/SSL configuration involves obtaining a certificate from a Certificate Authority (CA) or creating a self-signed certificate (not recommended for production). The certificate verifies the identity of the server.
Here's a table summarizing common TLS/SSL versions and their security considerations:
| TLS/SSL Version | Security Status | MediaWiki Compatibility |
|---|---|---|
| SSL 3.0 | Deprecated, highly vulnerable | Not recommended, often disabled |
| TLS 1.0 | Deprecated, vulnerable | Support often disabled |
| TLS 1.1 | Deprecated, vulnerable | Support often disabled |
| TLS 1.2 | Generally secure, widely supported | Recommended, good compatibility |
| TLS 1.3 | Most secure, modern | Highly recommended, increasingly adopted |
The configuration file for TLS/SSL (typically within Apache or Nginx) dictates which protocols and cipher suites are enabled. Strong cipher suites prioritize security over performance. Refer to Special:MyPreferences to understand user-level security settings.
Secure Shell (SSH)
SSH (Secure Shell) is a cryptographic network protocol for operating network services securely over an unsecured network. It's primarily used for remote server administration. MediaWiki administrators often use SSH to manage the server, update files, and perform maintenance tasks.
Key aspects of SSH security include:
- Strong Passwords or SSH Keys: Using SSH keys is *strongly* recommended over password authentication. See Help:Using SSH keys for instructions.
- Disabling Root Login: Preventing direct root login via SSH significantly reduces risk.
- Port Forwarding: Can be used for secure tunneling, but requires careful configuration. See Manual:Configuration changes for guidance.
- Firewall Rules: Restricting SSH access to specific IP addresses or networks.
- **Keep Protocols Updated:** Regularly update your server software to ensure you have the latest security patches for TLS/SSL, SSH, and SFTP.
- **Monitor Logs:** Regularly review server logs for suspicious activity related to these protocols. See Manual:Logging for details on MediaWiki logging.
- **Use Strong Ciphers:** Configure TLS/SSL to use strong cipher suites that provide adequate encryption.
- **Principle of Least Privilege:** Grant users only the necessary permissions to access the server and files.
- **Firewall:** Implement a firewall to restrict access to these services to authorized networks and IP addresses.
- **Regular Audits:** Conduct regular security audits to identify and address potential vulnerabilities. Consider using a vulnerability scanner.
- **Disable Unnecessary Protocols:** Disable any protocols that are not essential for your MediaWiki installation.
- Manual:Upgrading - Information about upgrading MediaWiki and related server components.
- Manual:Configuration changes - Guidance on making configuration changes safely.
- Help:Security - General security information for MediaWiki users.
- Help:System requirements - Details regarding server requirements.
- Telegram: @powervps Servers at a discounted price
Here's a table outlining common SSH configuration parameters:
| Parameter | Description | Recommended Value |
|---|---|---|
| Port | The port SSH listens on. | 22 (change for security through obscurity) |
| PermitRootLogin | Allows or disallows root login. | no |
| PasswordAuthentication | Enables or disables password authentication. | no (use SSH keys) |
| AllowUsers | Specifies which users are allowed to connect. | Specific usernames only |
Consult your operating system's documentation for specific SSH configuration file locations (e.g., `/etc/ssh/sshd_config` on Linux). Remember to restart the SSH service after making changes.
Secure File Transfer Protocol (SFTP)
SFTP (Secure File Transfer Protocol) is a secure file transfer protocol often implemented as a subsystem of SSH. It provides a secure way to upload and download files to and from the MediaWiki server. While using SSH directly to copy files can work, SFTP offers a more structured and user-friendly interface.
SFTP relies on the SSH configuration for its security. Therefore, hardening SSH as described above also enhances SFTP security. Consider using SFTP clients with built-in security features like key management. See Help:File upload for information on file transfer methods supported by MediaWiki.
Here's a comparison of SFTP and FTP:
| Feature | FTP | SFTP |
|---|---|---|
| Security | Unencrypted (vulnerable) | Encrypted (secure) |
| Protocol | Separate protocol | Subsystem of SSH |
| Authentication | Username/Password | SSH Keys, Username/Password |
| Port | 21 (data channel uses other ports) | 22 (same as SSH) |
Protocol Considerations and Best Practices
Further Reading
Intel-Based Server Configurations
| Configuration | Specifications | Benchmark |
|---|---|---|
| Core i7-6700K/7700 Server | 64 GB DDR4, NVMe SSD 2 x 512 GB | CPU Benchmark: 8046 |
| Core i7-8700 Server | 64 GB DDR4, NVMe SSD 2x1 TB | CPU Benchmark: 13124 |
| Core i9-9900K Server | 128 GB DDR4, NVMe SSD 2 x 1 TB | CPU Benchmark: 49969 |
| Core i9-13900 Server (64GB) | 64 GB RAM, 2x2 TB NVMe SSD | |
| Core i9-13900 Server (128GB) | 128 GB RAM, 2x2 TB NVMe SSD | |
| Core i5-13500 Server (64GB) | 64 GB RAM, 2x500 GB NVMe SSD | |
| Core i5-13500 Server (128GB) | 128 GB RAM, 2x500 GB NVMe SSD | |
| Core i5-13500 Workstation | 64 GB DDR5 RAM, 2 NVMe SSD, NVIDIA RTX 4000 |
AMD-Based Server Configurations
| Configuration | Specifications | Benchmark |
|---|---|---|
| Ryzen 5 3600 Server | 64 GB RAM, 2x480 GB NVMe | CPU Benchmark: 17849 |
| Ryzen 7 7700 Server | 64 GB DDR5 RAM, 2x1 TB NVMe | CPU Benchmark: 35224 |
| Ryzen 9 5950X Server | 128 GB RAM, 2x4 TB NVMe | CPU Benchmark: 46045 |
| Ryzen 9 7950X Server | 128 GB DDR5 ECC, 2x2 TB NVMe | CPU Benchmark: 63561 |
| EPYC 7502P Server (128GB/1TB) | 128 GB RAM, 1 TB NVMe | CPU Benchmark: 48021 |
| EPYC 7502P Server (128GB/2TB) | 128 GB RAM, 2 TB NVMe | CPU Benchmark: 48021 |
| EPYC 7502P Server (128GB/4TB) | 128 GB RAM, 2x2 TB NVMe | CPU Benchmark: 48021 |
| EPYC 7502P Server (256GB/1TB) | 256 GB RAM, 1 TB NVMe | CPU Benchmark: 48021 |
| EPYC 7502P Server (256GB/4TB) | 256 GB RAM, 2x2 TB NVMe | CPU Benchmark: 48021 |
| EPYC 9454P Server | 256 GB RAM, 2x2 TB NVMe |
Order Your Dedicated Server
Configure and order your ideal server configurationNeed Assistance?
⚠️ *Note: All benchmark scores are approximate and may vary based on configuration. Server availability subject to stock.* ⚠️