Adding gRPC / Tentacle details to existing documentation (#3205)
* Adding gRPC port to inbound port table
* Adding initial Tentacle registration note to table for port 443
* Adding Polling Tentacles over HTTPS to HTTPS/port 443 row
* Adding KLOS to installation components ports section
* Update mod date
* Updating mod date
* Updating wording for TCP 443 row
* Fixing linter errors
* Fixing spellcheck error
* Fixing linter error
src/pages/docs/security/hardening-octopus.mdx
12 additions & 11 deletions
@@ -1,7 +1,7 @@
1
1
---
2
2
layout: src/layouts/Default.astro
3
3
pubDate: 2023-01-01
4
-
modDate: 2023-10-04
4
+
modDate: 2026-06-10
5
5
title: Hardening Octopus
6
6
description: If you are hosting Octopus Deploy yourself, this guide will help you harden your network, host operating system, and Octopus Server itself. This includes things such as configuring malware protection (antivirus), and using allow lists.
7
7
navOrder: 10
@@ -45,7 +45,7 @@ Depending on your familiarity with Octopus Server, or SQL Server, or networking,
45
45
46
46
### Upgrade to the latest version
47
47
48
-
Generally speaking, the latest available version of Octopus Server will be the most secure. You should consider a strategy for keeping Octopus Server updated. We follow a [responsible disclosure policy](#disclosure-policy) so it is possible for you to be aware of any known issues which affect the security and integrity of your Octopus Server.
48
+
Generally speaking, the latest available version of Octopus Server will be the most secure. You should consider a strategy for keeping Octopus Server updated. We follow a [responsible disclosure policy](https://octopus.com/security/disclosure) so it is possible for you to be aware of any known issues which affect the security and integrity of your Octopus Server.
49
49
50
50
### Securely expose your Octopus Server
51
51
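Review bot: the disclosure link switches from the in-page anchor `#disclosure-policy` to the absolute URL `https://octopus.com/security/disclosure`, while every other link in this file is a site-relative path such as `/docs/installation/octopus-server-linux-container`; use `/security/disclosure` for consistency (it then also resolves in preview and staging builds), and confirm that no `{#disclosure-policy}` heading remains further down the page now that nothing links to it. Since the sentence is being rewritten anyway, "so it is possible for you to be aware of any known issues" reads more directly as "so that you can be aware of any known issues".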
@@ -150,7 +150,7 @@ All communication between Octopus Server and Tentacles is performed over a secur
150
150
151
151
#### Disable SSLv3, TLS 1.0 and 1.1 on Windows \{#disable-weak-tls-protocols-windows}
152
152
153
-
On Windows, the easiest way to disable weak versions of SSL and TLS are by using a tool like [IISCrypto](https://www.nartac.com/Products/IISCrypto) to change the Windows Registry.
153
+
On Windows, the easiest way to disable weak versions of SSL and TLS are by using a tool like [IISCrypto](https://www.nartac.com/Products/IISCrypto) to change the Windows Registry.
154
154
155
155
:::div{.problem}
156
156
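Review bot: the removed and added lines at 153 are identical in the rendered view, so this is presumably a trailing-whitespace or line-ending fix from the "Fixing linter errors" commit; while the line is being touched, fix the subject/verb agreement: "the easiest way to disable weak versions of SSL and TLS is by using a tool like IISCrypto". Whitespace-only lint fixes are easier to review when kept in a separate commit.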
@@ -198,14 +198,14 @@ Once the TLS versions are disabled, reboot your Server and importantly [verify t
198
198
199
199
On Ubuntu `20.04` using OpenSSL `1.1.1f` (the latest at time of writing), you can specify the minimum TLS version to use to be `TLSv1.2` by setting the `MinProtocol` directive in the `/etc/ssl/openssl.cnf` OpenSSL config file:
200
200
201
-
```
201
+
```text
202
202
[system_default_sect]
203
203
MinProtocol = TLSv1.2
204
204
```
205
205
206
206
On Ubuntu `18.04`, if the `MinProtocol` directive doesn't work, you can try this alternative. When using OpenSSL `1.1.1` (the latest at time of writing), you can specify the available TLS Protocols explicitly in the `/etc/ssl/openssl.cnf` OpenSSL config file:
207
207
208
-
```
208
+
```text
209
209
[system_default_sect]
210
210
Protocol = -SSLv3, -TLSv1, -TLSv1.1, TLSv1.2
211
211
```
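Review bot: tagging both fences as `text` satisfies the linter but gives no highlighting; `ini` matches the `[section]` / `key = value` syntax of openssl.cnf and renders both blocks correctly. Independently of the fence change, both snippets show only `[system_default_sect]`, and `MinProtocol` / `Protocol` are silently ignored unless that section is reached from the file's `openssl_conf` / `ssl_conf` chain (Ubuntu's stock openssl.cnf already wires this up); one sentence to that effect in the surrounding text would stop readers who paste the section into a minimal config from assuming they are covered. The unchanged context line still calls OpenSSL `1.1.1f` "the latest at time of writing" next to a modDate bumped to 2026, so consider dropping that parenthetical in the same change.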
@@ -320,10 +320,11 @@ The TCP ports listed below are defaults, and can be changed if required - refer
320
320
|Name|Type|Source|Target|Allow/Deny|Description|
321
321
|---|---|---|---|---|---|
322
322
|HTTP|`TCP 80`|Users|Octopus Server|ALLOW|We recommend only using HTTPS over SSL, however it can be convenient to allow HTTP for the initial connection which is then forced to HTTPS over SSL.|
323
-
|HTTPS|`TCP 443`|Users, Polling Tentacles, external services|Octopus Server|ALLOW|Required for HTTPS over SSL. Also required if using [Polling Tentacles](/docs/infrastructure/deployment-targets/tentacle/tentacle-communication/#polling-tentacles) over [Web Sockets](/docs/infrastructure/deployment-targets/tentacle/windows/polling-tentacles-web-sockets).|
323
+
|HTTPS|`TCP 443`|Users, Polling Tentacles, external services|Octopus Server|ALLOW|Required for HTTPS over SSL. Also required for initial Tentacle registration and if using [Polling Tentacles](/docs/infrastructure/deployment-targets/tentacle/tentacle-communication/#polling-tentacles) over [Web Sockets](/docs/infrastructure/deployment-targets/tentacle/windows/polling-tentacles-web-sockets) or [Polling Tentacles over HTTPS](/docs/infrastructure/deployment-targets/tentacle/polling-tentacles-over-port-443).|
324
324
|Polling Tentacle|`TCP 10943`|Polling Tentacles|Octopus Server|ALLOW|Required when using [Polling Tentacles](/docs/infrastructure/deployment-targets/tentacle/tentacle-communication/#polling-tentacles) via TCP as deployment targets or external workers.|
325
325
|SSH|`TCP 22`|Octopus Server|SSH deployment targets|ALLOW|Allows Octopus Server to securely connect to any SSH deployment targets.|
326
326
|RDP|`TCP 3389`|Remote Desktop Users|Octopus Server|ALLOW|Allows your system administrators to perform maintenance tasks on your Octopus Server.|
327
+
|gRPC|`TCP 8443`|Kubernetes Live Object Status (KLOS)/ArgoCD Gateway|Octopus Server|ALLOW|Required for Kubernetes Live Object Status (KLOS)/ArgoCD Gateway|
327
328
|All inbound|`ALL`|Anywhere|Octopus Server|DENY|Prevent any other unwanted inbound traffic.|
328
329
329
330
### Outbound rules
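Review bot: the new gRPC row's Description ("Required for Kubernetes Live Object Status (KLOS)/ArgoCD Gateway") only repeats its Source column and, unlike the HTTPS and Polling Tentacle rows, links nowhere; say which component opens the gRPC connection to the server and why, note that `8443` is a default that can be changed (as the table's lead-in says for the other ports), and link the KLOS/ArgoCD docs page. The row also lands between RDP and the final DENY row; grouping it with the other agent-facing rows after Polling Tentacle keeps the table readable. On the HTTPS row, "initial Tentacle registration" is added to the Description while the Source column still lists only "Polling Tentacles"; if registration over 443 also applies to listening Tentacles, add them to Source so that a firewall rule set derived from this table allows it.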
@@ -340,19 +341,19 @@ The TCP ports listed below are defaults, and can be changed if required - refer
340
341
341
342
## Harden your containers
342
343
343
-
If you run an [Octopus Deploy container](/docs/installation/octopus-server-linux-container), in addition to your usual security measure for running apps out of containers, take the following steps to secure it:
344
+
If you run an [Octopus Deploy container](/docs/installation/octopus-server-linux-container), in addition to your usual security measure for running apps out of containers, take the following steps to secure it:
344
345
345
-
- Move your Docker data directory (the default location is `/var/lib/docker`) so that your containers are stored on a separate partition.
346
+
- Move your Docker data directory (the default location is `/var/lib/docker`) so that your containers are stored on a separate partition.
346
347
- Assign resources carefully:
347
-
- Consider pinning CPUs to namespaces in order to give them a boundary.
348
-
- Consider the amount of memory required, if you assign too much the container is susceptible to denial of service attacks, but if you assign too little or make use of memory ballooning performance will be impacted.
348
+
- Consider pinning CPUs to namespaces in order to give them a boundary.
349
+
- Consider the amount of memory required, if you assign too much the container is susceptible to denial of service attacks, but if you assign too little or make use of memory ballooning performance will be impacted.
349
350
- Consider which containers reside in each network namespace as all processes in a namespace can talk to the namespace interface.
350
351
351
352
The security of your Linux container host and its Docker configuration can be analyzed in detail by using [Docker Bench for Security](https://github.com/docker/docker-bench-security) from the [Center for Internet Security](https://www.cisecurity.org/about-us/). For more generalized advice for your platform they provide their benchmarks as [PDF documents](https://www.cisecurity.org/benchmark/docker/).
352
353
353
354
## Samples
354
355
355
-
We have an [Octopus Admin](https://oc.to/OctopusAdminSamplesSpace) Space on our Samples instance of Octopus. You can sign in as `Guest` to take a look at some examples of how we have used Octopus for hardening tasks.
356
+
We have an [Octopus Admin](https://oc.to/OctopusAdminSamplesSpace) Space on our Samples instance of Octopus. You can sign in as `Guest` to take a look at some examples of how we have used Octopus for hardening tasks.
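Review bot: every removed/added pair in this hunk is identical in content, so this is whitespace-only linter cleanup that would ideally be its own commit; since the lines are rewritten regardless, fix the grammar while here: "your usual security measures for running apps" (plural), and split the comma splice "Consider the amount of memory required, if you assign too much ..." into two sentences ("Consider the amount of memory required. If you assign too much, ...").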