Skip to content

rConfig V8 Core Security Hardening Guide

After reading this page, you can harden an rConfig V8 Core deployment across authentication, network, server, encryption, and monitoring layers. It pairs background on each control with the specific commands and configuration rConfig V8 Core needs to run securely.

Use this page when you are deploying rConfig V8 Core into production, reviewing an existing install against your security policy, or preparing for a compliance audit. It covers the controls that protect the application, its host, and the sensitive device credentials it stores.

rConfig maintains a strong security posture, with only three Common Vulnerabilities and Exposures (CVEs) across its history, all in the legacy V3 version. The procedures below establish a robust security foundation for V8 Core against evolving threats.

  • Root or sudo access to the host running rConfig V8 Core
  • A completed rConfig V8 Core install (see Install rConfig V8 Core)
  • Familiarity with your organisation’s security policy and compliance obligations
  • Access to your firewall, OS, and database administration tooling

Before implementing hardening measures, conduct a security assessment to identify existing vulnerabilities and establish baseline metrics.

  • Vulnerability assessment: Use automated scanning tools such as Nessus, OpenVAS, or Qualys to identify system and infrastructure vulnerabilities.
  • Penetration testing: Conduct periodic penetration testing to simulate adversarial attacks and evaluate defensive capabilities.
  • Compliance auditing: Engage qualified auditors to verify compliance with relevant frameworks (NIST Cybersecurity Framework, ISO 27001, SOC 2 Type II).

rConfig V8 Core supports local user management and configurable access. Single Sign-On (SSO) with identity providers is available so you can centralise authentication and enforce your organisation’s policies.

  • Multi-factor authentication (MFA): Mandate MFA for all accounts, particularly privileged accounts. Use TOTP, hardware security keys (e.g. YubiKey), or biometric factors.
  • Principle of least privilege (PoLP): Grant users and service accounts only the minimum permissions required for their function.
  • Default account management: Remove or disable default administrative and service accounts. These are high-value targets for unauthorised access.

Network security is the primary perimeter defence layer. rConfig V8 Core deployments use the following ports.

DirectionPort / protocolPurpose
Outbound80 (HTTP), 443 (HTTPS)Standard web traffic
OutboundSSH, TelnetManaged device communication (as required)
Outboundrconfig.com (static IP)Version verification (recommended but optional)
Inbound80 (HTTP), 443 (HTTPS)Web interface access
Inbound21 (FTP), 69/UDP (TFTP)Specific operational requirements
  • Firewall configuration and segmentation: Deploy stateful firewalls to restrict traffic to authorised services. Segment the network (separate internal, external, and DMZ zones) to contain breaches and prevent lateral movement.
  • Intrusion detection and prevention (IDPS): Deploy network-based IDPS such as Snort, Suricata, or OSSEC to detect and block malicious activity in real time.
  • Encrypted communications: Require encrypted protocols for all remote access (VPN, SSL/TLS, SSH). Enforce encryption for internal communications where operationally feasible.

For best security and performance, deploy rConfig V8 Core on dedicated infrastructure rather than shared hosting. This minimises attack surface and prevents resource contention. The following procedures apply to physical servers, virtual machines, and endpoints.

  • Attack surface reduction: Remove unnecessary software packages, services, and runtime components.
  • Patch management: Keep operating systems, applications, and third-party dependencies current. Use automated patch management such as OSSEC, WSUS, or yum-cron.
  • Mandatory access control: On Linux, configure SELinux or AppArmor to enforce mandatory access control policies.
  • Service hardening: Disable unnecessary network services and protocols (e.g. FTP, Telnet), keeping only operationally required services.
  • SSH hardening: Disable root login, require key-based authentication, and rate-limit connections to prevent brute-force attacks.

The Laravel scheduler used by rConfig V8 Core should not run as the root user. All scheduled tasks (php artisan schedule:run) should run under a dedicated, non-privileged application service account, aligned with the user that owns and operates the rConfig application runtime.

  1. Create or use an existing dedicated service user (e.g. rconfig, www-data, or apache).

  2. Ensure this user owns the rConfig application directory, owns storage/ and bootstrap/cache/, and matches the PHP-FPM / web server execution user.

  3. Configure cron to run the scheduler every minute under this user’s crontab:

    Terminal window
    * * * * * cd /var/www/html/rconfig && php artisan schedule:run >> /dev/null 2>&1

Running scheduled tasks as root introduces security and operational risk:

  • Privilege escalation: Artisan commands may indirectly execute filesystem or process-level operations.
  • File ownership drift: Logs, cache files, or compiled artifacts may become root-owned, causing application failures.
  • Compliance violations: Root-level task execution violates PoLP requirements under ISO 27001, NIST, and SOC 2.
  • Increased blast radius: An exploited scheduler vulnerability would inherit full system privileges.
  • Secure password storage: Use cryptographically secure hashing (e.g. bcrypt, Argon2) for password storage.
  • Password policy enforcement: Enforce complexity requirements including minimum length, character diversity, and rotation policies.
  • User interface security: Configure secure input controls for credential entry (disable browser auto-completion and clipboard operations), and use CAPTCHA or equivalent challenge-response mechanisms to prevent automated brute-force attacks.
  • Secrets management: Use enterprise secrets management (e.g. AWS Secrets Manager, HashiCorp Vault) for API keys and system credentials.
  • Session security: Configure session cookies with secure, HTTP-only, and SameSite attributes to prevent session hijacking.

Comprehensive data protection requires encryption for data both in transit and at rest.

  • Transport encryption: Enforce TLS/SSL across all web interfaces and API endpoints, and maintain current certificates from trusted authorities. See the SSL setup guide for rConfig V8 Core.
  • Storage encryption: Deploy full-disk encryption (e.g. LUKS for Linux, BitLocker for Windows) for all volumes holding sensitive data.
  • Database security: rConfig V8 Core encrypts credentials and sensitive data by default, with encryption keys stored in the .env file. Back up this file securely and take regular encrypted database backups. See Manage the encryption key.
  • Backup encryption: Encrypt all backup media, on-site and off-site, to protect confidentiality if storage is accessed without authorisation.
  • Operating system hardening: Apply the same OS hardening to database servers as in the Server hardening section above.
  • Service configuration: Disable unnecessary database features and modules (e.g. xp_cmdshell in SQL Server, file_priv in MySQL), run database services under dedicated accounts with minimal privileges, remove default accounts and sample databases, and set appropriate connection timeouts.
  • Network isolation: Deploy database servers in an isolated database tier, separate from application and web tiers.
  • Port security: Modify default ports where feasible (MySQL 3306, PostgreSQL 5432), restrict port access to authorised application servers with firewall rules, and enforce SSL/TLS on all connections.
  • Connection management: Set maximum concurrent connection limits to prevent denial-of-service conditions.
  • Privilege separation: Create dedicated database accounts per application function with minimum required privileges.
  • Connection security: Configure connection strings to require SSL/TLS and certificate validation.
  • Audit logging: Enable database audit logging for authentication failures, privilege escalation attempts, DDL modifications, and bulk data operations.
  • Backup encryption: Encrypt all database backups with industry-standard algorithms.
  • Backup storage: Store encrypted backups in secure locations physically separated from production infrastructure.
  • Backup validation: Run regular restoration tests to verify data integrity and recovery procedures.
  • Access control: Apply strict access controls to backup media and authenticate all backup system access.
  • System resources: Watch CPU for anomalous activity (e.g. cryptocurrency mining), track memory growth, monitor storage and I/O, and alert on service failures or unexpected process restarts.
  • Network traffic: Monitor outbound connections for unauthorised destinations, track data transfer volumes to detect exfiltration, alert on connections to known malicious IPs or command-and-control infrastructure, and watch for lateral movement.
  • File system integrity: Implement File Integrity Monitoring (FIM) for critical system files, monitor rConfig application directories for unauthorised changes, track changes to .env files containing encryption keys, and alert on suspicious files or directories.
  • Authentication: Log and alert on failed authentication attempts (especially brute-force patterns), anomalous login times or locations, privilege escalation events, and multiple concurrent sessions for a single account.
  • Application security: Analyse web server access logs for attack signatures, monitor database query patterns for SQL injection attempts, alert on API anomalies or rate-limit violations, and monitor unauthorised access to privileged endpoints.
  • Centralised collection: Forward rConfig V8 Core system logs to centralised SIEM infrastructure for correlation and analysis. See System logs in rConfig V8 Core.
  • Log retention: Maintain retention periods compliant with organisational and regulatory requirements.
  • Event correlation: Implement correlation rules to identify attack patterns across multiple systems.
  • Automated response: Configure automated responses for critical events (account lockouts, service isolation, incident ticket creation).

For rConfig V8 Core, build operational resilience with a solid backup and recovery process (below), documented recovery procedures with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO), formal change management with scheduled maintenance windows, and a defined incident response and escalation process. Test recovery regularly and keep runbooks accessible during outages.

rConfig V8 Core provides basic backup functionality for convenience, but it cannot protect against compromised storage or infrastructure failure. Implement an enterprise backup process aligned with your data protection policy to guard against ransomware, hardware failure, and other threats.