Authentication, Access and Accounts

Last updated 1 year ago

Management of accounts

Creating Accounts

  • Usernames and passwords should be randomly generated

  • Username must not be 'Administrator', 'root', 'Admin' etc. unless the application forces it

  • Where possible, OpenID should be configured using the AGG / XFGN OAuth Client

    • Enable AutoLogon where possible

  • For services behind Cloudflare authentication, local auth can be disabled

    • Only do this when Cloudflare is the only way to reach the service (eg it is published through a Tunnel, or the origin is firewalled to Cloudflare's ranges). A service that can also be reached directly by IP has no authentication left once local auth is off

  • Where possible, use SSH keys

  • If a server has public facing SSH (such as a VPS), use SSH keys and disable password sign in
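
The following checker is an added example for the SSH bullet above; it is not part of the original page or of the AGG / XFGN setup, and the two sample sshd_config files it writes are constructed for the demo. It reads a config the way sshd does (the first value seen for a keyword wins, anything after a Match line is conditional, and options may be written `Key value` or `Key=value`) and fails unless password sign-in is actually off. It reads a single file and does not follow Include directives; on a live host the authoritative view of the effective configuration is `sshd -T` run as root.

```sh
#!/bin/sh
# Added example (not from the original page): audit an sshd_config for the
# "SSH keys only" policy. sshd keeps the FIRST value it sees for a keyword, and
# everything after a "Match" line is conditional, so the global view stops there.
# Options may be written "Key value" or "Key=value". This reads one file only
# (no Include); on a live host the authoritative view is `sshd -T` as root.

# sshd_effective_value FILE KEYWORD -> prints the global value sshd would use, or
# nothing if the keyword is absent (sshd then applies its built-in default).
sshd_effective_value() {
  awk -v key="$2" '
    { sub(/#.*/, ""); sub(/=/, " ") }          # drop comments, allow Key=value
    NF == 0 { next }                           # blank after stripping
    tolower($1) == "match" { exit }            # rest of file is conditional
    tolower($1) == tolower(key) { print $2; exit }   # keywords are case-insensitive
  ' "$1"
}

# sshd_password_auth_disabled FILE -> status 0 when only key-based logins remain,
# 1 otherwise; each failing check is printed. Fallback values are the sshd_config(5)
# defaults that apply when a keyword is not set at all.
sshd_password_auth_disabled() {
  cfg="$1"; ok=0
  pw=$(sshd_effective_value "$cfg" PasswordAuthentication)
  kbd=$(sshd_effective_value "$cfg" KbdInteractiveAuthentication)
  if [ -z "$kbd" ]; then                       # pre-OpenSSH 8.7 spelling
    kbd=$(sshd_effective_value "$cfg" ChallengeResponseAuthentication)
  fi
  pubkey=$(sshd_effective_value "$cfg" PubkeyAuthentication)
  root=$(sshd_effective_value "$cfg" PermitRootLogin)

  if [ "${pw:-yes}" != no ]; then
    echo "FAIL PasswordAuthentication is '${pw:-yes}' (default yes): set to no"; ok=1
  fi
  # With UsePAM yes, keyboard-interactive lets PAM prompt for the account password,
  # so PasswordAuthentication no on its own does not disable password sign-in.
  if [ "${kbd:-yes}" != no ]; then
    echo "FAIL KbdInteractiveAuthentication is '${kbd:-yes}' (default yes): set to no"; ok=1
  fi
  if [ "${pubkey:-yes}" != yes ]; then
    echo "FAIL PubkeyAuthentication is '$pubkey': keys must stay enabled or nobody can log in"; ok=1
  fi
  case "${root:-prohibit-password}" in
    no|prohibit-password|without-password) ;;
    *) echo "FAIL PermitRootLogin is '$root': use no or prohibit-password"; ok=1 ;;
  esac
  return "$ok"
}

# Constructed sample: looks like a fresh VPS image, but nothing restricts passwords,
# so sshd's defaults (yes) apply, and root may log in with a password.
write_weak_sshd_config() {
  cat > "$1" <<'EOF'
Port 22
#PasswordAuthentication no    <- still a comment, so not in effect
PermitRootLogin yes
EOF
}

# Constructed sample: the policy above applied. The late "yes" is ignored because
# sshd already saw "no", and the Match block only affects the sftponly group.
write_hardened_sshd_config() {
  cat > "$1" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication=no
PermitRootLogin prohibit-password
PasswordAuthentication yes    # ignored: sshd keeps the first value it saw
Match Group sftponly
    ChrootDirectory /srv/sftp
    ForceCommand internal-sftp
EOF
}

# Demo: check both constructed files.
tmp=$(mktemp -d)
write_weak_sshd_config "$tmp/weak"
write_hardened_sshd_config "$tmp/hardened"
for name in weak hardened; do
  if sshd_password_auth_disabled "$tmp/$name"; then
    echo "$name: OK, password sign-in disabled"
  else
    echo "$name: NOT compliant"
  fi
done
rm -r "$tmp"
```

Setting PasswordAuthentication no by itself is not enough on hosts with UsePAM yes: the keyboard-interactive method still lets PAM ask for the password, so KbdInteractiveAuthentication (ChallengeResponseAuthentication on older sshd) must be no as well, and PubkeyAuthentication must stay yes. Before reloading sshd on a VPS, confirm a key-based login works from a second session so a mistake cannot lock you out.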

Storage of account details

  • Usernames, passwords, TOTP seeds and backup codes are to be saved in our Password Vault (Bitwarden)

  • Internal services (eg docker containers) are to be saved in the 'Internal Services' folder, whilst external services (eg Cloudflare login, Namecheap login) are saved in the 'External Services' folder.

Deletion of Accounts

  • Before an account is deleted, the credentials that will remain in use must be tested, confirmed working and saved in Bitwarden, so the deletion cannot lock us out

Why?

This is to ensure that accounts are hard to breach and that their details are backed up and stored appropriately. Bitwarden can also notify admins when a stored credential appears in a known breach.


User Permissions

  • Accounts required for integrations between systems (eg Home Assistant monitoring UniFi) must first be created as read-only

  • Administrator access is granted only as a last resort

    • Do NOT create new accounts as administrators

    • Log in with the new account and test it before granting any additional access

    • If more access is needed, check the application's documentation to find the minimum permissions that actually work

    • Administrator access can be granted ONLY IF nothing less is sufficient

Why?

This is to ensure that a breached account can do as little damage as possible.


Cloudflare Authentication

I have 4 primary authentication policies configured in Cloudflare. We mostly use the 'Allow' and 'Bypass' rules.

| Rule | Explanation | Example | Documentation |
| --- | --- | --- | --- |
| Allow | User authentication. Allows access. Can be limited to country. | I need to send a WOL packet to a server. | None |
| Allow with Reason | User authentication. Allows access but requires a reason. Can be limited to country. | A server is off and I'm unable to send the WOL packet. This allows a second person to do that work even though it is not normally within the scope of their duties. | Written for a technical person |
| Allow with Approval | User authentication. Allows access but requires approval from a second user. Can be limited to country. | A server is off and I'm unable to send the WOL packet. This allows a second, non-technical person to request access, be approved by myself or someone else, and carry out the task. | Written for a non-technical person |
| Bypass | Bypasses the authentication prompt. Must be applied to IP addresses, subnets or countries. | Allow everyone in Australia to access service A; access from outside Australia follows one of the above rules instead. | None |

A country-based Bypass is decided from the geolocation of the client's source IP, so it is a convenience for trusted locations rather than an authentication control; an admin interface should still sit behind one of the Allow rules.

Authentication in front of Logon pages

If a public facing service has a login page that shouldn't be publicly accessible, put the Cloudflare authentication in front of the login page's URL rather than the whole site, eg myapp.mydomain.com/login. Only that path is then protected: the rest of the application, including any API, alternative sign-in endpoint or route that issues sessions, remains reachable without Cloudflare authentication, so confirm the login page is the only way in before relying on this.

Why?

This gives a consistent, easy to understand approach to protecting login pages while the public parts of a service stay available.
