So far we have been talking about permissions and restrictions, which are of course a huge part of how to keep your data secure. But there are a few best practices and features in place to reduce the risk of your Confluence installation being corrupted and prevent the wrong people from getting access.
Confluence protects access to its administrative functions by a special administrator session. When a user attempts to access the Administration Console or space administration, they are prompted to log in again. This logs the administrator into a temporary secure session that grants access to those administration screens. In other parts of the documentation this feature is also referred to as WebSudo.
The administrator session has a rolling timeout of 10 minutes by default. This means that if there is no activity in the Confluence or space administration for 10 minutes, the user is logged out of the administrator session. Each click on an administrative function resets the timeout.
To configure the secure administrator sessions:
If your Confluence instance uses a custom-built authentication mechanism, the extra login might cause problems, as it checks the password against Confluence instead of your own authentication server. Disabling password confirmation would be a valid solution in that case.
An administrator can always manually end the secure session by clicking on Drop access in the banner displayed at the top of their screen as shown in the following screenshot:
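The following is an added example, not Confluence's own code, that models the administrator-session behaviour described above: a normal login never reaches the admin screens, the user re-authenticates to open a separate elevated session, that session has a rolling timeout (10 minutes by default) which every administrative request resets, and "Drop access" ends it explicitly. The `verify_password` hook, `WebSudoGuard` class and `ManualClock` are assumptions made for the example; the manual clock exists so the timeout logic can be exercised without waiting.

```python
"""Model of a secure administrator session ("WebSudo") with a rolling timeout."""

import time
from dataclasses import dataclass

DEFAULT_TIMEOUT_SECONDS = 10 * 60  # Confluence's default rolling timeout


class ManualClock:
    """Constructed test clock: time only moves when advance() is called."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


@dataclass
class ElevatedSession:
    granted_at: float
    last_activity: float


class WebSudoGuard:
    """Tracks which logged-in users currently hold an elevated admin session."""

    def __init__(self, verify_password, timeout=DEFAULT_TIMEOUT_SECONDS, clock=time.monotonic):
        # verify_password(user, password) -> bool is a hypothetical hook that checks
        # the password against the Confluence user store. This is the step that
        # misbehaves with a custom authenticator, as the text above notes.
        self._verify = verify_password
        self._timeout = timeout
        self._clock = clock
        self._sessions = {}

    def elevate(self, user, password):
        """Re-authentication step: open an elevated session only on a correct password."""
        if not self._verify(user, password):
            return False
        now = self._clock()
        self._sessions[user] = ElevatedSession(granted_at=now, last_activity=now)
        return True

    def is_elevated(self, user):
        """True while the rolling timeout has not expired; expired sessions are purged."""
        session = self._sessions.get(user)
        if session is None:
            return False
        if self._clock() - session.last_activity > self._timeout:
            del self._sessions[user]
            return False
        return True

    def admin_request(self, user):
        """Gate for an administrative screen: 'ok' refreshes the rolling timeout,
        'reauth_required' means the user must log in again first."""
        if not self.is_elevated(user):
            return "reauth_required"
        self._sessions[user].last_activity = self._clock()
        return "ok"

    def drop_access(self, user):
        """Equivalent of clicking 'Drop access' in the banner."""
        self._sessions.pop(user, None)


def demo():
    """Walk through elevate -> activity keeps the session alive -> idle expiry -> drop."""
    clock = ManualClock()
    # Constructed credential store standing in for the Confluence user directory.
    users = {"admin": "correct horse battery staple"}
    guard = WebSudoGuard(lambda u, p: users.get(u) == p, clock=clock)

    results = []
    results.append(guard.admin_request("admin"))            # not elevated yet
    results.append(guard.elevate("admin", "wrong"))         # bad password: stays unelevated
    results.append(guard.elevate("admin", users["admin"]))  # re-authentication succeeds
    clock.advance(9 * 60)
    results.append(guard.admin_request("admin"))            # 9 min idle: still ok, timer reset
    clock.advance(9 * 60)
    results.append(guard.admin_request("admin"))            # another 9 min: ok, because it was reset
    clock.advance(10 * 60 + 1)
    results.append(guard.admin_request("admin"))            # idle past 10 min: elevation gone
    results.append(guard.elevate("admin", users["admin"]))
    guard.drop_access("admin")
    results.append(guard.admin_request("admin"))            # explicit drop ends the session
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the separate elevated session is that a stolen or forgotten ordinary login does not carry administrative rights with it; the rolling timeout bounds how long an unattended administrator browser stays dangerous, and the expiry check purges the session rather than merely hiding it.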
Software such as Confluence is not flawless and every now and then a vulnerability is discovered. When such a vulnerability is discovered, Atlassian will calculate its severity based on the industry-standard Common Vulnerability Scoring System (CVSS).
For more information about CVSS, visit http://www.first.org/cvss/cvss-guide.html.
Based upon the CVSS scores, the severity will be mapped according to the following guidelines:
| CVSS score range | Severity in advisory |
|---|---|
| 0 – 2.9 | Low |
| 3 – 5.9 | Medium |
| 6 – 7.9 | High |
| 8 – 10 | Critical |
The following is a summary of the factors usually resulting in a specific severity. These ratings don't take your personal installation details into account, but are based upon an average installation.
The exploitation is usually straightforward, meaning that the attackers don't need any special credentials or knowledge about individuals in your installation.
The exploitation of the vulnerability results in root-level compromise of your servers or other infrastructure devices.
The exploitation doesn't result in significant data loss or corruption.
In addition, the vulnerability is difficult to exploit.
These vulnerabilities affect only nonstandard configurations or obscure applications.
This includes exploits that require an attacker to reside on the same local network as the victim.
This includes vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics.
This includes vulnerabilities where exploitation provides only very limited access.
When a critical severity vulnerability is discovered, and resolved, Atlassian will inform their customers using the following channels:
https://confluence.atlassian.com/display/DOC/Confluence+Security+Overview+and+Advisories
If you want to track noncritical vulnerabilities, you can monitor the issue trackers for Confluence at https://jira.atlassian.com/browse/CONF. Security issues will be marked with a "security" label.
The Confluence Administration Console plays a vital role in keeping your Confluence installation running and making sure your users have the permissions they should have.
One way of further securing the Administration Console is limiting its access to certain machines on your network or on the Internet. If you are using an Apache web server in front of your Confluence installation, this would work as follows:
Create a file called `local_machines_only.conf` in your Apache configuration directory. More on access control with Apache at http://httpd.apache.org/docs/2.2/howto/access.html.

The following configuration assumes Confluence is deployed under the context path `/confluence`, that is, http://mycompany.com/confluence. If this is not true for your installation, change the locations in the following configuration accordingly:

```apache
<Location /confluence/admin>
    Include local_machines_only.conf
</Location>
<Location /confluence/plugins/servlet/oauth/consumers/list>
    Include local_machines_only.conf
</Location>
<Location /confluence/plugins/servlet/oauth/view-consumer-info>
    Include local_machines_only.conf
</Location>
<Location /confluence/plugins/servlet/oauth/service-providers/list>
    Include local_machines_only.conf
</Location>
<Location /confluence/plugins/servlet/oauth/service-providers/add>
    Include local_machines_only.conf
</Location>
<Location /confluence/plugins/servlet/oauth/consumers/add>
    Include local_machines_only.conf
</Location>
<Location /confluence/plugins/servlet/oauth/consumers/add-manually>
    Include local_machines_only.conf
</Location>
<Location /confluence/plugins/servlet/oauth/update-consumer-info>
    Include local_machines_only.conf
</Location>
<Location /confluence/pages/templates/listpagetemplates.action>
    Include local_machines_only.conf
</Location>
<Location /confluence/pages/templates/createpagetemplate.action>
    Include local_machines_only.conf
</Location>
<Location /confluence/spaces/spacepermissions.action>
    Include local_machines_only.conf
</Location>
<Location /confluence/pages/listpermissionpages.action>
    Include local_machines_only.conf
</Location>
<Location /confluence/spaces/removespace.action>
    Include local_machines_only.conf
</Location>
<Location /confluence/spaces/importmbox.action>
    Include local_machines_only.conf
</Location>
<Location /confluence/spaces/viewmailaccounts.action>
    Include local_machines_only.conf
</Location>
<Location /confluence/spaces/addmailaccount.action>
    Include local_machines_only.conf
</Location>
<Location /confluence/spaces/importpages.action>
    Include local_machines_only.conf
</Location>
<Location /confluence/spaces/flyingpdf/flyingpdf.action>
    Include local_machines_only.conf
</Location>
<Location /confluence/spaces/exportspacehtml.action>
    Include local_machines_only.conf
</Location>
<Location /confluence/spaces/exportspacexml.action>
    Include local_machines_only.conf
</Location>
<Location /confluence/plugins/servlet/embedded-crowd>
    Include local_machines_only.conf
</Location>
<Location /confluence/plugins/servlet/upm>
    Include local_machines_only.conf
</Location>
```
This will make sure the administrative functions can only be accessed by the specified machines and IPs.
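Here is an added example, not from the book or from Apache, that models the `<Location>`-plus-`Include` allowlist above. It renders both halves of the configuration (the per-URL `<Location>` blocks and a `local_machines_only.conf` in Apache 2.2 `Order`/`Deny`/`Allow` and Apache 2.4 `Require ip` syntax) and reproduces Apache's non-regex `<Location>` matching so you can check offline which request paths the restriction covers and which client addresses get through. The protected paths are a subset of those in the configuration above; the allowed networks are constructed RFC 5737 documentation ranges, and the function names are assumptions made for the example.

```python
"""Model of an Apache <Location> allowlist for Confluence administrative URLs."""

import ipaddress
from urllib.parse import urlsplit

# Subset of the administrative URLs from the configuration above (/confluence context path assumed).
PROTECTED_LOCATIONS = [
    "/confluence/admin",
    "/confluence/plugins/servlet/upm",
    "/confluence/plugins/servlet/embedded-crowd",
    "/confluence/spaces/spacepermissions.action",
    "/confluence/spaces/addmailaccount.action",
]

# Constructed allowlist (RFC 5737 ranges): replace with your own office or VPN networks.
ALLOWED_NETWORKS = ["192.0.2.0/24", "203.0.113.10/32"]


def render_allowlist_conf(networks, apache24=False):
    """Contents for local_machines_only.conf: deny everyone except the listed networks.
    Apache 2.2 uses Order/Deny/Allow (mod_authz_host); Apache 2.4 uses Require ip."""
    if apache24:
        return "Require ip " + " ".join(networks) + "\n"
    lines = ["Order deny,allow", "Deny from all"]
    lines += [f"Allow from {net}" for net in networks]
    return "\n".join(lines) + "\n"


def render_location_blocks(locations, include_file="local_machines_only.conf"):
    """One <Location> block per protected URL, each pulling in the shared allowlist."""
    blocks = [f"<Location {loc}>\n    Include {include_file}\n</Location>" for loc in locations]
    return "\n".join(blocks) + "\n"


def location_matches(location, request_url):
    """Apache's (non-regex) <Location> semantics: the location matches the request path
    exactly, or as a prefix that ends on a '/' path-segment boundary. The query string
    is not part of the compared path, so a location written with a trailing '?' never
    matches anything, and /confluence/admin does not cover /confluence/administrators."""
    path = urlsplit(request_url).path
    if path == location:
        return True
    return path.startswith(location.rstrip("/") + "/")


def is_restricted(request_url, locations=PROTECTED_LOCATIONS):
    """Does any protected <Location> apply to this request?"""
    return any(location_matches(loc, request_url) for loc in locations)


def client_allowed(client_ip, networks=ALLOWED_NETWORKS):
    """Is the client address inside one of the allowed networks?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def decide(request_url, client_ip):
    """'allow' or 'deny', as the combined configuration would answer for one request."""
    if not is_restricted(request_url):
        return "allow"  # ordinary wiki pages stay reachable from anywhere
    return "allow" if client_allowed(client_ip) else "deny"


if __name__ == "__main__":
    print(render_allowlist_conf(ALLOWED_NETWORKS))
    print(render_allowlist_conf(ALLOWED_NETWORKS, apache24=True))
    print(render_location_blocks(PROTECTED_LOCATIONS))
    samples = [  # constructed requests: (URL, client address)
        ("/confluence/display/DOC/Home", "198.51.100.7"),
        ("/confluence/admin/viewgeneralconfig.action", "198.51.100.7"),
        ("/confluence/admin/viewgeneralconfig.action", "192.0.2.42"),
        ("/confluence/spaces/addmailaccount.action?key=DOC", "198.51.100.7"),
    ]
    for url, ip in samples:
        print(f"{ip:>14} {url:<50} -> {decide(url, ip)}")
```

Two checks worth keeping in mind when you adapt this: the restriction only helps if Apache is the sole route to Confluence, so the Tomcat connector behind it must not be reachable directly; and because `<Location>` matches on the URL path only, verify every administrative entry point you care about with a request to the live server rather than trusting the list alone.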
How you set up your Confluence roles, permissions, and internal processes makes a big difference in keeping your Confluence installation secure. The following are some tips you could consider. None of these makes your installation 100 percent secure, but they slow down or turn away an attacker.
In general you could say, "Don't put convenience before security."
Keep in mind that these tips may only be a small part of your entire infrastructure. Apply those that make sense to your company and security requirements.