Security recommendation for public tryton server

I was reading Issue 5375: Server vulnerability in get_login - Tryton issue tracker, where the use of iptables / netfilter and fail2ban is mentioned as supporting security measures for a Tryton server.

What is the community doing to provide network security to trytond?


Indeed the security of Tryton has improved even more since this issue. There are: Issue 6215: Return 429 when too many login attempt - Tryton issue tracker and Issue 7110: Limit attempt per IP network - Tryton issue tracker, which provide features like fail2ban at the application level and in a distributed way.
But as usual with security, there is no magical solution. The goal is to make it hard enough for an attacker that he will attack someone else.
At B2CK, we do not put extra features against DDoS because we estimate our deployment to not be interesting enough for a complex DDoS attack that would overcome the current protections (and we rely on the hosting protection against generic DDoS). But we use uwsgi instead of the default werkzeug server for performance (multi-process, worker pool etc.) and generally we put nginx in front as a reverse proxy to manage the certificate with Let’s Encrypt and eventually distribute to multiple hosts. But both servers also provide protection against DDoS.
Sometimes we put a limit on SSH connection creation in the firewall for hosts that are targeted and open to password authentication.

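As an added illustration of the per-network login limiting the reply refers to (Issue 6215 / Issue 7110), and not trytond's own code, the Python below counts failed logins per /24 (IPv4) or /64 (IPv6) network inside a sliding window and answers 429 once the budget is spent. The class, the prefix lengths, the thresholds and the sample addresses are all assumptions made for the example.

```python
import ipaddress
import time
from collections import defaultdict, deque


class LoginAttemptLimiter:
    """Illustrative limiter (not trytond's implementation): failed logins are
    counted per IP network, so hosts sharing a prefix share one budget."""

    def __init__(self, max_attempts=5, window=60, v4_prefix=24, v6_prefix=64,
                 clock=time.monotonic):
        self.max_attempts, self.window = max_attempts, window
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self.clock = clock                       # injectable for testing
        self._failures = defaultdict(deque)      # network -> failure timestamps

    def _network(self, ip):
        addr = ipaddress.ip_address(ip)
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

    def _recent(self, ip):
        q = self._failures[self._network(ip)]
        now = self.clock()
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        return q, now

    def is_blocked(self, ip):
        q, _ = self._recent(ip)
        return len(q) >= self.max_attempts

    def record_failure(self, ip):
        q, now = self._recent(ip)
        q.append(now)

    def record_success(self, ip):
        self._failures.pop(self._network(ip), None)


def handle_login(limiter, ip, credentials_ok):
    """Status a login handler would return: 429 (blocked), 401 (bad), 200 (ok)."""
    if limiter.is_blocked(ip):
        return 429
    if not credentials_ok:
        limiter.record_failure(ip)
        return 401
    limiter.record_success(ip)
    return 200


def simulate():
    """Constructed scenario: four hosts in 203.0.113.0/24 share a budget of 3."""
    now = [0.0]
    limiter = LoginAttemptLimiter(max_attempts=3, window=60, clock=lambda: now[0])
    statuses = [handle_login(limiter, f"203.0.113.{h}", False) for h in (10, 11, 12, 13)]
    statuses.append(handle_login(limiter, "198.51.100.7", False))  # other network
    now[0] += 61                                                   # window expires
    statuses.append(handle_login(limiter, "203.0.113.10", True))
    return statuses  # returns [401, 401, 401, 429, 401, 200]
```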
