Data Security
Data Security – Server Configuration
This article details the server configuration aspects critical for data security within our MediaWiki 1.40 environment. It is geared towards new server administrators and provides a foundational understanding of the key settings and practices employed to protect our data. Proper configuration is paramount to maintaining the integrity and confidentiality of our wiki’s content and user information. This guide focuses on server-side security; client-side security (passwords, browser security) is covered in a separate document. Refer to Manual:Configuration settings for overall configuration details.
Core Principles
Our data security strategy rests on three core principles:
- **Confidentiality:** Ensuring data is accessible only to authorized personnel. This is achieved through access control and encryption.
- **Integrity:** Maintaining the accuracy and completeness of data. This is accomplished through regular backups and robust data validation.
- **Availability:** Guaranteeing timely and reliable access to data for authorized users. This is maintained through redundancy and disaster recovery planning. See also Help:System administration.
Server Hardening
Server hardening involves reducing the attack surface by disabling unnecessary services and strengthening security settings.
Operating System Security
The underlying operating system (typically Linux) is the first line of defense.
| Feature | Description | Status |
|---|---|---|
| Firewall | A firewall (e.g., `iptables`, `firewalld`) restricts network access to only the necessary ports. | Enabled and Configured |
| SSH Access | Secure Shell (SSH) access is restricted to key-based authentication and a limited set of IP addresses. Password authentication is disabled. | Implemented |
| System Updates | Regular security updates are applied to the operating system and all installed software. Automated updates are configured where possible. | Automated |
| User Accounts | Non-essential user accounts are disabled or removed. Strong passwords are enforced for all accounts. | Enforced |
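The SSH row above is easy to get wrong because `sshd` honours the first occurrence of a directive and treats anything after a `Match` line as conditional, so a commented-out or late `PasswordAuthentication no` leaves the default (`yes`) in force. The following audit helper is an added example, not code from the MediaWiki manual; it assumes directives in the `Keyword value` form and checks only the global section, using two constructed sample files.

```shell
#!/bin/sh
# Added audit helper, not from the MediaWiki manual: checks an sshd_config
# against the SSH row of the table above (key-based auth on, password auth off).
# Assumptions: directives use the "Keyword value" form, and only the global
# section is checked. sshd honours the FIRST occurrence of a keyword, and
# everything after the first "Match" line is conditional, so the scan stops there.

# Print the effective value of a keyword (lower-cased), or a default if unset.
sshd_effective() {
    file=$1; key=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); default=$3
    val=$(awk -v key="$key" '
        /^[[:space:]]*#/ || NF == 0 { next }     # comments and blank lines
        tolower($1) == "match" { exit }          # end of the global section
        tolower($1) == key { print tolower($2); exit }' "$file")
    printf '%s\n' "${val:-$default}"
}

# Return 0 when the file meets the policy, 1 otherwise, naming each failure.
check_sshd_config() {
    file=$1; rc=0
    pw=$(sshd_effective "$file" PasswordAuthentication yes)  # OpenSSH default: yes
    pk=$(sshd_effective "$file" PubkeyAuthentication yes)    # OpenSSH default: yes
    [ "$pw" = "no" ]  || { echo "FAIL $file: PasswordAuthentication=$pw (want no)"; rc=1; }
    [ "$pk" = "yes" ] || { echo "FAIL $file: PubkeyAuthentication=$pk (want yes)"; rc=1; }
    return $rc
}

# Constructed sample configs (not real server files) to exercise the check.
HARDENED=$(mktemp); WEAK=$(mktemp)
cat >"$HARDENED" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
cat >"$WEAK" <<'EOF'
#PasswordAuthentication no
PubkeyAuthentication yes
EOF

check_sshd_config "$HARDENED" && echo "PASS: $HARDENED"
check_sshd_config "$WEAK" || echo "audit flagged $WEAK"
```

Run it against `/etc/ssh/sshd_config` after any change; `sshd -T` prints the fully resolved configuration and is the authoritative cross-check.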
Web Server Configuration (Apache)
The web server (Apache in our case) requires specific configuration to enhance security. See Manual:Apache configuration.
| Setting | Value | Description |
|---|---|---|
| `mod_security` | Enabled | Web Application Firewall (WAF) to detect and block common web attacks. |
| SSL/TLS | Enabled with the latest protocols | Encrypts communication between the server and clients. See Help:HTTPS. |
| Directory Listing | Disabled | Prevents unauthorized browsing of directory contents. |
| `.htaccess` Files | Limited use | Reduces the risk of misconfiguration and the vulnerabilities that can follow from it. |
Database Security
The database (typically MySQL/MariaDB) stores critical wiki data and requires robust security measures. Refer to Manual:Database setup.
Database User Permissions
The MediaWiki database user should have only the necessary privileges.
| Privilege | Granted? | Description |
|---|---|---|
| `SELECT` | Yes | Allows retrieval of data. |
| `INSERT` | Yes | Allows adding new data. |
| `UPDATE` | Yes | Allows modifying existing data. |
| `DELETE` | No | Prevents accidental or malicious data deletion. |
| `CREATE` | No | Prevents creation of new tables or databases. |
| `DROP` | No | Prevents dropping tables or databases. |
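Privileges drift over time, so the table is only useful if it is checked against what the database actually holds. The helper below is an added example, not code from the MediaWiki manual: it parses the lines that `SHOW GRANTS FOR 'wikiuser'@'localhost'` prints (constructed sample output here, with `wikiuser` and `wikidb` as assumed names) and reports any privilege outside the table's allow-list.

```shell
#!/bin/sh
# Added audit helper, not from the MediaWiki manual: compares the output of
# "SHOW GRANTS FOR 'wikiuser'@'localhost'" against the allow-list in the table
# above and prints every privilege that should not be there.
# Assumptions: MySQL/MariaDB grant lines of the form "GRANT <privs> ON <obj> TO ...";
# USAGE is accepted because it grants nothing. Adjust ALLOWED if the wiki's
# maintenance scripts need more than the table lists.

ALLOWED="SELECT INSERT UPDATE USAGE"

# Print privileges in one SHOW GRANTS line that are outside ALLOWED (one per line).
excess_privileges() {
    printf '%s\n' "$1" |
        sed -n 's/^GRANT \(.*\) ON .*/\1/p' |      # keep the privilege list only
        tr ',' '\n' |
        sed 's/ *([^)]*)//; s/^[[:space:]]*//; s/[[:space:]]*$//' |  # drop column lists, trim
        tr 'a-z' 'A-Z' |
        while IFS= read -r priv; do
            [ -n "$priv" ] || continue
            case " $ALLOWED " in
                *" $priv "*) ;;                   # allowed by the table
                *) printf '%s\n' "$priv" ;;       # anything else is a finding
            esac
        done
}

# Audit several grant lines read from stdin; return 1 if any finding is printed.
audit_grants() {
    found=0
    while IFS= read -r line; do
        extra=$(excess_privileges "$line")
        if [ -n "$extra" ]; then
            printf 'FINDING: %s -> %s\n' "$line" "$(printf '%s' "$extra" | tr '\n' ' ')"
            found=1
        fi
    done
    return $found
}

# Constructed sample output of SHOW GRANTS (not from a real server).
SAMPLE_GRANTS='GRANT USAGE ON *.* TO `wikiuser`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE ON `wikidb`.* TO `wikiuser`@`localhost`'

printf '%s\n' "$SAMPLE_GRANTS" | audit_grants || echo "grant audit failed"
```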
Database Encryption
Consider enabling database encryption at rest and in transit. This adds a layer of protection against data breaches. See Help:Database encryption.
MediaWiki Specific Security Settings
MediaWiki itself has several security-related configuration options.
- `$wgSecretKey`: A long, randomly generated string used for various cryptographic operations. Protect this key! See Manual:$wgSecretKey.
- `$wgSessionPublicKeys`: Used for session management and security. Ensure these keys are securely generated and stored. See Manual:$wgSessionPublicKeys.
- `$wgUploadDirectory`: The directory where uploaded files are stored. Restrict access to this directory. See Manual:$wgUploadDirectory.
- `$wgCookiePrefix`: A prefix for cookies to prevent cookie hijacking. See Manual:$wgCookiePrefix.
- `$wgRateLimits`: Configure rate limits to prevent abuse and denial-of-service attacks. See Help:Rate limiting.
- `$wgSpamRegex`: Configure regular expressions to block spam and malicious content. See Manual:$wgSpamRegex.
- `$wgCaptcha`: Enable CAPTCHA to prevent automated account creation and editing. See Manual:$wgCaptcha.
Backups and Disaster Recovery
Regular backups are essential for data recovery in case of hardware failure, data corruption, or security breaches. See Help:Backups.
- **Backup Frequency:** Daily full backups and hourly incremental backups.
- **Backup Storage:** Offsite storage is recommended to protect against physical disasters.
- **Disaster Recovery Plan:** A documented plan outlining the steps to restore the wiki in case of a disaster. This includes testing the restore process regularly.
Monitoring and Logging
Continuous monitoring of server logs and system metrics can help detect and respond to security incidents. See Help:System monitoring.
- **Log Analysis:** Regularly review server logs for suspicious activity.
- **Intrusion Detection System (IDS):** Consider implementing an IDS to detect and alert on potential security threats.
- **Security Audits:** Periodic security audits to identify vulnerabilities and ensure compliance with security policies.
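"Review server logs for suspicious activity" is more useful with a concrete starting point. The routine below is an added example, not code from the MediaWiki manual: it scans syslog-style `sshd` entries, counts failed authentication attempts per source address and reports any source at or above a threshold. It assumes OpenSSH's `Failed <method> for [invalid user] <user> from <ip> ...` message layout; the log lines and the threshold are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the MediaWiki manual: a small log-analysis routine
# for the "Log Analysis" item above. It scans syslog-style sshd entries, counts
# failed authentication attempts per source address and reports any address
# at or above a threshold, the first signal to look for when reviewing auth logs.
# Assumptions: OpenSSH's "Failed <method> for [invalid user] <user> from <ip> ..."
# message layout; FAIL_THRESHOLD is a constructed policy value, not a MediaWiki setting.

FAIL_THRESHOLD=5

# Read log lines on stdin; print "<ip> <count>" for each source at/over the threshold.
# Only "Failed ... for" lines are counted: sshd also logs "Invalid user ... from"
# for the same attempt, and counting both would double-count it.
suspicious_ssh_sources() {
    awk -v limit="$FAIL_THRESHOLD" '
        /sshd\[[0-9]+\]: Failed [^ ]+ for / {
            # the source address always follows the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }' |
    sort
}

# Constructed sample log lines (not from a real host) in standard syslog layout.
SAMPLE_LOG='Jan 14 03:12:01 wiki sshd[2311]: Failed password for root from 198.51.100.7 port 40112 ssh2
Jan 14 03:12:03 wiki sshd[2312]: Failed password for root from 198.51.100.7 port 40118 ssh2
Jan 14 03:12:05 wiki sshd[2313]: Failed password for invalid user admin from 198.51.100.7 port 40121 ssh2
Jan 14 03:12:07 wiki sshd[2314]: Invalid user admin from 198.51.100.7 port 40121
Jan 14 03:12:09 wiki sshd[2315]: Failed password for invalid user test from 198.51.100.7 port 40130 ssh2
Jan 14 03:12:11 wiki sshd[2316]: Failed publickey for deploy from 198.51.100.7 port 40133 ssh2
Jan 14 03:12:40 wiki sshd[2320]: Failed password for invalid user admin from 203.0.113.9 port 51320 ssh2
Jan 14 03:13:02 wiki sshd[2325]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2'

printf '%s\n' "$SAMPLE_LOG" | suspicious_ssh_sources
```

On a live host feed it `/var/log/auth.log` (or `journalctl -u ssh`) instead of the sample; a reported address is a cue to check the firewall rules from the hardening table, not proof of compromise.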