Hardening Guide
This guide covers OS-level security hardening for BugPin production deployments on Linux. Topics include UFW firewall rules to block direct port access, file and database permissions for the SQLite data directory, SSH hardening with key-based authentication, Fail2Ban brute-force protection, automatic security updates, and a regular maintenance schedule for credential rotation.
Prerequisites
Before following this guide, ensure you have:
- Completed the basic installation - See Docker Installation or Bun Installation
- Configured a reverse proxy with HTTPS - See Reverse Proxy Setup
- Enabled HTTPS enforcement - See Security Settings
This guide assumes you have root/administrator access to the server hosting BugPin.
Firewall Configuration
BugPin should only be accessible through your reverse proxy. Block direct access to port 7300 from external networks.
Forcing all traffic through your reverse proxy ensures HTTPS is used and allows the proxy to apply additional security measures like rate limiting and IP filtering.
UFW (Ubuntu/Debian)
# Block external access to port 7300 (accessible via localhost only)
sudo ufw deny 7300/tcp
iptables
# Allow localhost access to port 7300
iptables -A INPUT -p tcp --dport 7300 -s 127.0.0.1 -j ACCEPT
# Block all other access to port 7300
iptables -A INPUT -p tcp --dport 7300 -j DROP
# Save rules (Ubuntu/Debian)
sudo netfilter-persistent save
Verification
Test that external access is blocked:
# From a different machine, this should fail
curl http://your-server-ip:7300
# From the server itself, this should work
curl http://localhost:7300/health
File Permissions
Restrict access to BugPin's data directory to prevent unauthorized access to sensitive files.
The data directory contains the SQLite database (user credentials, API keys), uploaded screenshots, and the session secret. Improper permissions could expose sensitive data.
Set Ownership and Permissions
# Set ownership to the BugPin user (if running as a dedicated user)
sudo chown -R bugpin:bugpin /path/to/bugpin/data
# Restrict directory permissions (owner read/write/execute only)
sudo chmod -R 750 /path/to/bugpin/data
Docker Deployments
For Docker deployments, permissions are typically managed automatically. However, you can still restrict access to the mounted volume on the host:
# Restrict the host directory that's mounted to /data
sudo chmod 750 ./data
Verification
# Check permissions
ls -la /path/to/bugpin/data
# Expected output:
# drwxr-x--- (750) owned by bugpin:bugpin
Database Security
The SQLite database file contains all sensitive data including hashed passwords and API keys.
Database File Permissions
# Restrict database to owner read/write only
chmod 600 /path/to/bugpin/data/bugpin.db
Backup Security
If you're creating database backups, ensure they're also secured:
# Create secure backup directory
mkdir -p /path/to/backups/bugpin
chmod 700 /path/to/backups/bugpin
# Backup with secure permissions
cp /path/to/bugpin/data/bugpin.db /path/to/backups/bugpin/bugpin-$(date +%Y%m%d).db
chmod 600 /path/to/backups/bugpin/bugpin-*.db
Consider setting up automated backups with a cron job. Always verify backup integrity and test restoration procedures.
Database Encryption at Rest
For additional security, consider using filesystem-level encryption:
- Linux: Use LUKS (Linux Unified Key Setup) to encrypt the partition containing BugPin data
- Cloud: Use provider-managed encryption (AWS EBS encryption, Google Persistent Disk encryption, etc.)
OS-Level Hardening
Additional security measures at the operating system level.
SSH Hardening
If your server is accessible via SSH, harden the SSH configuration:
# Edit SSH config
sudo nano /etc/ssh/sshd_config
Recommended settings:
# Disable root login
PermitRootLogin no
# Use key-based authentication only
PasswordAuthentication no
PubkeyAuthentication yes
# Disable empty passwords
PermitEmptyPasswords no
# Use SSH protocol 2 only
Protocol 2
# Limit login attempts
MaxAuthTries 3
Restart SSH after changes:
sudo systemctl restart sshd
Automatic Security Updates
Enable automatic security updates to ensure your system receives critical patches:
Ubuntu/Debian:
# Install unattended-upgrades
sudo apt install unattended-upgrades
# Enable automatic updates
sudo dpkg-reconfigure -plow unattended-upgrades
RHEL/CentOS:
# Install yum-cron
sudo yum install yum-cron
# Enable automatic updates
sudo systemctl enable --now yum-cron
Fail2Ban Protection
Install Fail2Ban to automatically block repeated failed login attempts:
# Install Fail2Ban
sudo apt install fail2ban # Ubuntu/Debian
sudo yum install fail2ban # RHEL/CentOS
# Start and enable
sudo systemctl enable --now fail2ban
Create a jail for BugPin (optional - if you want to monitor BugPin logs):
# Create custom jail
sudo nano /etc/fail2ban/jail.local
[bugpin]
enabled = true
port = 80,443
filter = bugpin
logpath = /var/log/bugpin/access.log
maxretry = 5
bantime = 3600
Disable Unnecessary Services
Reduce attack surface by disabling services you don't need:
# List running services
systemctl list-unit-files --state=enabled
# Disable unnecessary services (example)
sudo systemctl disable bluetooth
sudo systemctl disable cups
Consider using a minimal OS installation with only essential packages. Fewer packages means fewer potential vulnerabilities.
Regular Maintenance
Establish a regular maintenance schedule to keep your BugPin installation secure.
Update BugPin
Keep BugPin updated to receive security patches and bug fixes:
Docker:
# Pull latest image
docker pull registry.arantic.cloud/bugpin/bugpin:latest
# Recreate container
docker compose down
docker compose up -d
Bun:
# Pull latest code
git pull origin main
# Restart service
sudo systemctl restart bugpin
Review Logs
Periodically check logs for suspicious activity:
# Docker logs
docker logs bugpin --tail 100
# System logs for failed login attempts
sudo journalctl -u bugpin -n 100
Look for:
- Repeated failed login attempts
- Unusual API access patterns
- Error spikes
Credential Rotation
Periodically rotate sensitive credentials:
-
API Keys: Regenerate API keys for projects (especially if they may have been exposed)
- Navigate to Projects → Select project → Regenerate API Key
-
User Passwords: Encourage users to change passwords regularly
- Navigate to Settings → Users → Select user → Reset Password
-
Session Secret: Regenerate if compromised (requires all users to log in again)
- Delete
/data/.secretfile and restart BugPin
- Delete
User Account Audit
Regularly review and clean up user accounts:
- Navigate to Settings → Users
- Review active users
- Remove accounts for users who no longer need access
- Verify user roles are appropriate (principle of least privilege)
Next Steps
- Security Settings - Configure security options in the admin UI
- Security Overview - Learn about built-in security features
- Monitoring & Logging - Set up comprehensive logging