GreenRADIUS Security Recommendations and Considerations

The following recommendations help secure your GreenRADIUS instances.

  1. Change default passwords
    • Web admin interface (change for both default users root and gradmin)
    • Command line (change for the gradmin user)
      • Note: The passwords for web admin interface users and command line users are managed separately, so be sure to change the default passwords for both
  2. Enforce two-factor authentication for GreenRADIUS admin accounts
  3. Replace the default self-signed certificate with a certificate signed by a trusted CA
  4. Restrict web admin interface access by IP address
    • Webmin > Webmin Configuration > IP Access Control
      • IMPORTANT NOTE: If this is configured, 127.0.0.1 must be included in the list of IP addresses
  5. Enable the UFW (onboard firewall) and set policies to restrict access (if an external firewall will not be used)
  6. If neither the onboard OpenLDAP nor the LDAP Authenticator Module will be used, use a docker-compose-override file to prevent the OpenLDAP container from starting up
  7. Enable encryption of token secrets prior to importing or registering any tokens
    • Global Configuration tab > General
  8. If the YubiCloud will be used to validate YubiKey OTPs (instead of validating locally within GreenRADIUS), obtain a new Client ID and API Key from the Yubico site
    • Set in Global Configuration tab > Validation Server
  9. Set strong shared secrets when configuring RADIUS and ADFS clients
  10. Enable auto-logout after a certain period of inactivity in the web admin interface
    • Webmin > Webmin Configuration > Authentication
  11. Enable blocking of user accounts to prevent brute-force attacks
  12. Apply GreenRADIUS updates promptly
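As an added example for item 6 (not taken from Green Rocket Security's documentation), the override below uses Compose profiles so the OpenLDAP service is only started when a profile you never activate is requested. The service name `openldap` and the file location next to the shipped docker-compose.yml are assumptions; confirm the real service name in the GreenRADIUS compose file before using it.

```yaml
# docker-compose.override.yml  (assumed location: same directory as the
# GreenRADIUS docker-compose.yml; Compose loads this file automatically)
#
# Attaching a profile to a service removes it from the default set that
# `docker compose up` starts. Because the base file defines the service
# without a profile, the merged result carries only the profile added here,
# so the container is never created unless `--profile disabled` is passed.
services:
  openldap:            # PLACEHOLDER: use the OpenLDAP service name from the base file
    profiles:
      - disabled       # any profile name works; just never activate it
```

After `docker compose up -d`, `docker compose ps` should no longer list the OpenLDAP container, and any LDAP Authenticator Module configuration pointing at it must be removed.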


Updated 2024-08-13
© 2024 Green Rocket Security Inc. All rights reserved.