rConfig V8 Core Security Hardening Guide
After reading this page, you can harden an rConfig V8 Core deployment across authentication, network, server, encryption, and monitoring layers. It pairs background on each control with the specific commands and configuration rConfig V8 Core needs to run securely.
When to use this
Section titled “When to use this”Use this page when you are deploying rConfig V8 Core into production, reviewing an existing install against your security policy, or preparing for a compliance audit. It covers the controls that protect the application, its host, and the sensitive device credentials it stores.
rConfig maintains a strong security posture, with only three Common Vulnerabilities and Exposures (CVEs) across its history, all in the legacy V3 version. The procedures below establish a robust security foundation for V8 Core against evolving threats.
Prerequisites
Section titled “Prerequisites”- Root or sudo access to the host running rConfig V8 Core
- A completed rConfig V8 Core install (see Install rConfig V8 Core)
- Familiarity with your organisation’s security policy and compliance obligations
- Access to your firewall, OS, and database administration tooling
Security assessment and risk analysis
Section titled “Security assessment and risk analysis”Before implementing hardening measures, conduct a security assessment to identify existing vulnerabilities and establish baseline metrics.
- Vulnerability assessment: Use automated scanning tools such as Nessus, OpenVAS, or Qualys to identify system and infrastructure vulnerabilities.
- Penetration testing: Conduct periodic penetration testing to simulate adversarial attacks and evaluate defensive capabilities.
- Compliance auditing: Engage qualified auditors to verify compliance with relevant frameworks (NIST Cybersecurity Framework, ISO 27001, SOC 2 Type II).
Authentication and access control
Section titled “Authentication and access control”rConfig V8 Core supports local user management and configurable access. Single Sign-On (SSO) with identity providers is available so you can centralise authentication and enforce your organisation’s policies.
Authentication hardening
Section titled “Authentication hardening”- Multi-factor authentication (MFA): Mandate MFA for all accounts, particularly privileged accounts. Use TOTP, hardware security keys (e.g. YubiKey), or biometric factors.
- Principle of least privilege (PoLP): Grant users and service accounts only the minimum permissions required for their function.
- Default account management: Remove or disable default administrative and service accounts. These are high-value targets for unauthorised access.
Network security architecture
Section titled “Network security architecture”Network security is the primary perimeter defence layer. rConfig V8 Core deployments use the following ports.
| Direction | Port / protocol | Purpose |
|---|---|---|
| Outbound | 80 (HTTP), 443 (HTTPS) | Standard web traffic |
| Outbound | SSH, Telnet | Managed device communication (as required) |
| Outbound | rconfig.com (static IP) | Version verification (recommended but optional) |
| Inbound | 80 (HTTP), 443 (HTTPS) | Web interface access |
| Inbound | 21 (FTP), 69/UDP (TFTP) | Specific operational requirements |
Network hardening measures
Section titled “Network hardening measures”- Firewall configuration and segmentation: Deploy stateful firewalls to restrict traffic to authorised services. Segment the network (separate internal, external, and DMZ zones) to contain breaches and prevent lateral movement.
- Intrusion detection and prevention (IDPS): Deploy network-based IDPS such as Snort, Suricata, or OSSEC to detect and block malicious activity in real time.
- Encrypted communications: Require encrypted protocols for all remote access (VPN, SSL/TLS, SSH). Enforce encryption for internal communications where operationally feasible.
Server hardening
Section titled “Server hardening”For best security and performance, deploy rConfig V8 Core on dedicated infrastructure rather than shared hosting. This minimises attack surface and prevents resource contention. The following procedures apply to physical servers, virtual machines, and endpoints.
Operating system security
Section titled “Operating system security”- Attack surface reduction: Remove unnecessary software packages, services, and runtime components.
- Patch management: Keep operating systems, applications, and third-party dependencies current. Use automated patch management such as OSSEC, WSUS, or yum-cron.
- Mandatory access control: On Linux, configure SELinux or AppArmor to enforce mandatory access control policies.
- Service hardening: Disable unnecessary network services and protocols (e.g. FTP, Telnet), keeping only operationally required services.
- SSH hardening: Disable root login, require key-based authentication, and rate-limit connections to prevent brute-force attacks.
Scheduled tasks (cron job user context)
Section titled “Scheduled tasks (cron job user context)”The Laravel scheduler used by rConfig V8 Core should not run as the root user. All scheduled tasks (php artisan schedule:run) should run under a dedicated, non-privileged application service account, aligned with the user that owns and operates the rConfig application runtime.
Recommended configuration
Section titled “Recommended configuration”-
Create or use an existing dedicated service user (e.g.
rconfig,www-data, orapache). -
Ensure this user owns the rConfig application directory, owns
storage/andbootstrap/cache/, and matches the PHP-FPM / web server execution user. -
Configure cron to run the scheduler every minute under this user’s crontab:
Terminal window * * * * * cd /var/www/html/rconfig && php artisan schedule:run >> /dev/null 2>&1
Why non-root execution matters
Section titled “Why non-root execution matters”Running scheduled tasks as root introduces security and operational risk:
- Privilege escalation: Artisan commands may indirectly execute filesystem or process-level operations.
- File ownership drift: Logs, cache files, or compiled artifacts may become root-owned, causing application failures.
- Compliance violations: Root-level task execution violates PoLP requirements under ISO 27001, NIST, and SOC 2.
- Increased blast radius: An exploited scheduler vulnerability would inherit full system privileges.
Credential security
Section titled “Credential security”- Secure password storage: Use cryptographically secure hashing (e.g. bcrypt, Argon2) for password storage.
- Password policy enforcement: Enforce complexity requirements including minimum length, character diversity, and rotation policies.
- User interface security: Configure secure input controls for credential entry (disable browser auto-completion and clipboard operations), and use CAPTCHA or equivalent challenge-response mechanisms to prevent automated brute-force attacks.
- Secrets management: Use enterprise secrets management (e.g. AWS Secrets Manager, HashiCorp Vault) for API keys and system credentials.
- Session security: Configure session cookies with secure, HTTP-only, and SameSite attributes to prevent session hijacking.
Data protection and encryption
Section titled “Data protection and encryption”Comprehensive data protection requires encryption for data both in transit and at rest.
- Transport encryption: Enforce TLS/SSL across all web interfaces and API endpoints, and maintain current certificates from trusted authorities. See the SSL setup guide for rConfig V8 Core.
- Storage encryption: Deploy full-disk encryption (e.g. LUKS for Linux, BitLocker for Windows) for all volumes holding sensitive data.
- Database security: rConfig V8 Core encrypts credentials and sensitive data by default, with encryption keys stored in the
.envfile. Back up this file securely and take regular encrypted database backups. See Manage the encryption key. - Backup encryption: Encrypt all backup media, on-site and off-site, to protect confidentiality if storage is accessed without authorisation.
Database platform security
Section titled “Database platform security”Database server hardening
Section titled “Database server hardening”- Operating system hardening: Apply the same OS hardening to database servers as in the Server hardening section above.
- Service configuration: Disable unnecessary database features and modules (e.g.
xp_cmdshellin SQL Server,file_privin MySQL), run database services under dedicated accounts with minimal privileges, remove default accounts and sample databases, and set appropriate connection timeouts.
Database network security
Section titled “Database network security”- Network isolation: Deploy database servers in an isolated database tier, separate from application and web tiers.
- Port security: Modify default ports where feasible (MySQL 3306, PostgreSQL 5432), restrict port access to authorised application servers with firewall rules, and enforce SSL/TLS on all connections.
- Connection management: Set maximum concurrent connection limits to prevent denial-of-service conditions.
Database access controls
Section titled “Database access controls”- Privilege separation: Create dedicated database accounts per application function with minimum required privileges.
- Connection security: Configure connection strings to require SSL/TLS and certificate validation.
- Audit logging: Enable database audit logging for authentication failures, privilege escalation attempts, DDL modifications, and bulk data operations.
Database backup security
Section titled “Database backup security”- Backup encryption: Encrypt all database backups with industry-standard algorithms.
- Backup storage: Store encrypted backups in secure locations physically separated from production infrastructure.
- Backup validation: Run regular restoration tests to verify data integrity and recovery procedures.
- Access control: Apply strict access controls to backup media and authenticate all backup system access.
Monitoring and alerting
Section titled “Monitoring and alerting”Infrastructure monitoring
Section titled “Infrastructure monitoring”- System resources: Watch CPU for anomalous activity (e.g. cryptocurrency mining), track memory growth, monitor storage and I/O, and alert on service failures or unexpected process restarts.
- Network traffic: Monitor outbound connections for unauthorised destinations, track data transfer volumes to detect exfiltration, alert on connections to known malicious IPs or command-and-control infrastructure, and watch for lateral movement.
- File system integrity: Implement File Integrity Monitoring (FIM) for critical system files, monitor rConfig application directories for unauthorised changes, track changes to
.envfiles containing encryption keys, and alert on suspicious files or directories.
Security event monitoring
Section titled “Security event monitoring”- Authentication: Log and alert on failed authentication attempts (especially brute-force patterns), anomalous login times or locations, privilege escalation events, and multiple concurrent sessions for a single account.
- Application security: Analyse web server access logs for attack signatures, monitor database query patterns for SQL injection attempts, alert on API anomalies or rate-limit violations, and monitor unauthorised access to privileged endpoints.
Log management
Section titled “Log management”- Centralised collection: Forward rConfig V8 Core system logs to centralised SIEM infrastructure for correlation and analysis. See System logs in rConfig V8 Core.
- Log retention: Maintain retention periods compliant with organisational and regulatory requirements.
- Event correlation: Implement correlation rules to identify attack patterns across multiple systems.
- Automated response: Configure automated responses for critical events (account lockouts, service isolation, incident ticket creation).
High availability and disaster recovery
Section titled “High availability and disaster recovery”For rConfig V8 Core, build operational resilience with a solid backup and recovery process (below), documented recovery procedures with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO), formal change management with scheduled maintenance windows, and a defined incident response and escalation process. Test recovery regularly and keep runbooks accessible during outages.
Backup strategy
Section titled “Backup strategy”rConfig V8 Core provides basic backup functionality for convenience, but it cannot protect against compromised storage or infrastructure failure. Implement an enterprise backup process aligned with your data protection policy to guard against ransomware, hardware failure, and other threats.
What’s next
Section titled “What’s next”- Configure SSL/TLS for rConfig V8 Core to enforce encrypted access to the web interface and API.
- Set up Single Sign-On to centralise authentication and apply your identity provider’s MFA and access policies.
- Manage the encryption key to protect and back up the key that secures stored device credentials.