Network Security
This article details the essential network security configurations for a MediaWiki 1.40 installation. Properly securing your MediaWiki instance is crucial to protect against unauthorized access, data breaches, and denial-of-service attacks. This guide assumes you have a basic understanding of networking concepts. We will cover firewall configuration, reverse proxies, and SSL/TLS setup. Refer to Special:MyUserPage for contact information if you need assistance.
1. Firewall Configuration
A firewall is your first line of defense. It controls network traffic, blocking unwanted connections and allowing only necessary ones. The specific firewall configuration will depend on your operating system (e.g., Linux, Windows Server). Here’s a general overview.
Port | Protocol | Description | Status (Example) |
---|---|---|---|
80 | TCP | HTTP (Unencrypted Web Access) | Blocked - Redirect to HTTPS |
443 | TCP | HTTPS (Encrypted Web Access) | Allowed |
22 | TCP | SSH (Remote Administration) | Restricted to specific IPs |
3306 | TCP | MySQL/MariaDB (Database Access) | Allowed from Web Server only |
53 | UDP | DNS | Allowed (Outbound) |
- **Restricting SSH Access:** Limit SSH access to specific IP addresses or networks. Consider using key-based authentication instead of passwords for added security.
- **Database Firewall:** Ensure that only the web server can connect to the database server. Do *not* expose the database directly to the internet.
- **Regular Updates:** Keep your firewall software up-to-date to protect against newly discovered vulnerabilities. See Manual:Upgrading MediaWiki for general upgrade guides.
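The port table above as an enforceable nftables ruleset, added here as an example and not taken from the MediaWiki documentation. The admin network (203.0.113.0/24) and the web server address (198.51.100.10) are placeholder assumptions. Port 80 is accepted only so the web server can answer the HTTP-to-HTTPS redirect the table asks for; SSH and MySQL are limited to their source addresses, and outbound DNS falls under the output chain's accept policy.

```shell
#!/bin/sh
# Added example: nftables ruleset implementing the firewall table for a
# MediaWiki host. ADMIN_NET and WEB_SERVER are assumed placeholder values.
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # assumed: the only network allowed to SSH in
WEB_SERVER="${WEB_SERVER:-198.51.100.10}"  # assumed: the only host allowed to reach MySQL

# Print the ruleset. Nothing is applied until apply_ruleset feeds it to nft.
build_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    # 80 is accepted only so the web server can answer with a 301 to HTTPS
    tcp dport { 80, 443 } accept
    # SSH only from the admin network
    ip saddr $ADMIN_NET tcp dport 22 accept
    # MySQL/MariaDB only from the web server (omit on a single-host setup)
    ip saddr $WEB_SERVER tcp dport 3306 accept
    icmp type echo-request limit rate 5/second accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    # outbound traffic, including DNS on UDP 53, is allowed by this policy
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Self-check: how many accept rules mention the given TCP port.
rule_count_for_port() {
  build_ruleset | grep -c "dport.*$1.*accept"
}

# Load the ruleset atomically; requires root and the nft binary.
apply_ruleset() {
  if ! command -v nft >/dev/null 2>&1; then
    echo "nft not installed; printing the ruleset instead" >&2
    build_ruleset
    return 0
  fi
  build_ruleset | nft -f -
}
```

Run `build_ruleset` first and read the output; `apply_ruleset` replaces the live ruleset in one transaction, so keep an out-of-band console available in case the SSH rule does not match your source address.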
2. Reverse Proxy Configuration
A reverse proxy (e.g., Apache, Nginx) sits in front of your MediaWiki installation and handles incoming requests. This offers several benefits:
- **SSL/TLS Termination:** The reverse proxy can handle the encryption/decryption, reducing the load on the MediaWiki server.
- **Load Balancing:** Distribute traffic across multiple MediaWiki servers for improved performance and availability.
- **Security:** Hide the internal structure of your MediaWiki installation.
- **Caching:** Improve performance by caching frequently accessed content.
Here's a simplified example of an Nginx configuration snippet:
```nginx
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /path/to/your/certificate.pem;
    ssl_certificate_key /path/to/your/private.key;

    location / {
        proxy_pass http://localhost:8080;  # Assuming MediaWiki runs on port 8080
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```
Refer to the documentation for your chosen reverse proxy for detailed configuration instructions. See Help:Reverse proxy for more information.
3. SSL/TLS Configuration
SSL/TLS encrypts the communication between the client (browser) and the server, protecting sensitive data like passwords and cookies.
Parameter | Value | Recommendation |
---|---|---|
Certificate Authority (CA) | Let's Encrypt, Comodo, DigiCert | Use a trusted CA |
Certificate Type | Domain Validated (DV), Organization Validated (OV), Extended Validation (EV) | OV or EV for higher trust |
Cipher Suites | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, etc. | Configure strong cipher suites |
Protocol | TLS 1.2, TLS 1.3 | Disable older protocols (SSLv3, TLS 1.0, TLS 1.1) |
- **Obtain a Certificate:** You can obtain a free certificate from Let's Encrypt.
- **Configure the Web Server:** Configure your web server (or reverse proxy) to use the certificate.
- **Force HTTPS:** Redirect all HTTP traffic to HTTPS. See Manual:Configuration settings for details on `$wgEnableHTTPS`.
- **HSTS (HTTP Strict Transport Security):** Enable HSTS to tell browsers to always use HTTPS for your site. The header is only honoured when served over HTTPS, and it removes the window in which a man-in-the-middle could downgrade a user's first plain-HTTP request.
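The reverse proxy and TLS sections combined into one hardened nginx site configuration, rendered by a shell function so the same template can be reused for several wikis. This is an added example, not configuration from the MediaWiki project; the host name wiki.example.org, the backend on 127.0.0.1:8080 and the certificate paths are assumptions. It adds what the simplified snippet above leaves out: the HTTP-to-HTTPS redirect, TLS 1.2/1.3 only, a modern cipher list, the HSTS header and the `X-Forwarded-Proto` header MediaWiki needs to know the original request was HTTPS (set `$wgServer` to the https URL on the wiki side).

```shell
#!/bin/sh
# Added example: render a hardened nginx server block for a MediaWiki reverse
# proxy. All names and paths passed in are assumed placeholders.

# Usage: render_site_config <server_name> <backend_url> <cert.pem> <key.pem>
render_site_config() {
  name="$1"; backend="$2"; cert="$3"; key="$4"
  cat <<EOF
# Port 80 exists only to redirect to HTTPS (and to answer ACME challenges).
server {
    listen 80;
    listen [::]:80;
    server_name $name;
    location /.well-known/acme-challenge/ { root /var/www/acme; }
    location / { return 301 https://\$host\$request_uri; }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $name;

    ssl_certificate     $cert;
    ssl_certificate_key $key;

    # Only TLS 1.2 and 1.3; SSLv3 and TLS 1.0/1.1 are never offered.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS for one year. Headers set here are inherited by the location below
    # because that location sets no add_header of its own. Use a short max-age
    # until every subdomain serves HTTPS; "always" keeps it on error pages too.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;

    location / {
        proxy_pass $backend;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        # Tells MediaWiki the client connection was HTTPS after TLS termination.
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Returns 0 only if the rendered config carries every hardening directive.
verify_site_config() {
  cfg="$(render_site_config "$@")"
  echo "$cfg" | grep -q 'ssl_protocols TLSv1.2 TLSv1.3;' &&
  echo "$cfg" | grep -q 'return 301 https://' &&
  echo "$cfg" | grep -q 'Strict-Transport-Security' &&
  ! echo "$cfg" | grep -q 'TLSv1 '
}

# Write the site file and let nginx check the syntax (needs root and nginx).
install_site_config() {
  render_site_config "$@" > /etc/nginx/sites-available/mediawiki.conf &&
  nginx -t
}
```

Run `verify_site_config wiki.example.org http://127.0.0.1:8080 /etc/ssl/wiki.pem /etc/ssl/wiki.key` before installing; the check fails if the template is ever edited to re-enable TLS 1.0 or drop the redirect. After deployment, confirm the protocol policy from outside with `openssl s_client -connect wiki.example.org:443 -tls1_1`, which must fail to handshake.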
4. Additional Security Measures
- **Regular Backups:** Create regular backups of your MediaWiki database and files. See Manual:Backups for guidance.
- **Strong Passwords:** Enforce strong password policies for all user accounts. Consider using OAuth for authentication.
- **Keep MediaWiki Updated:** Regularly update MediaWiki to the latest version to patch security vulnerabilities. See Manual:Upgrading MediaWiki.
- **Limit File Uploads:** Restrict file uploads to authorized users and scan uploaded files for malware. See Manual:Configuring file uploads.
- **Monitor Logs:** Regularly monitor your server logs for suspicious activity. Special:Log provides access to various logs.
- **Disable Unused Extensions:** Disable any MediaWiki extensions you are not using. These can represent potential security risks. See Extension:Extension list for details.
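The "Monitor Logs" item above, as an added example that is not part of the original article: a small detection over the web server's combined-format access log that counts login form submissions to `Special:UserLogin` per client address and flags addresses above a threshold. The log lines are constructed for the example (203.0.113.x and 198.51.100.x are documentation addresses). A successful login normally answers with a 302 redirect while a failed one re-renders the form with 200, so the status field can be used to narrow the count further; MediaWiki's own `$wgPasswordAttemptThrottle` limits attempts on the application side, and this log check tells you when that limit is being hit.

```shell
#!/bin/sh
# Added example: flag client addresses with many login submissions in an
# nginx/Apache combined-format access log. SAMPLE_LOG is constructed data.
SAMPLE_LOG='203.0.113.5 - - [12/Mar/2024:10:01:03 +0000] "POST /index.php?title=Special:UserLogin&action=submitlogin HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:10:01:05 +0000] "POST /index.php?title=Special:UserLogin&action=submitlogin HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:01:09 +0000] "GET /index.php?title=Main_Page HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:10:01:10 +0000] "POST /index.php?title=Special:UserLogin&action=submitlogin HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:10:02:41 +0000] "POST /index.php?title=Special:UserLogin&action=submitlogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2024:10:02:50 +0000] "POST /index.php?title=Special:UserLogin&action=submitlogin HTTP/1.1" 200 5123 "-" "Mozilla/5.0"'

# Print "count ip" for every client that POSTed to Special:UserLogin, busiest
# first. Reads stdin so it works on a real file: login_attempts < access.log
# Combined format fields: $1 client, $6 "METHOD, $7 request path, $9 status.
login_attempts() {
  awk '$6 == "\"POST" && $7 ~ /Special:UserLogin/ { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print only addresses with more than $1 login submissions (default 3).
flag_login_sources() {
  limit="${1:-3}"
  login_attempts | awk -v limit="$limit" '$1 > limit { print $2 }'
}

# Same check over the constructed sample log.
flag_in_sample() {
  printf '%s\n' "$SAMPLE_LOG" | flag_login_sources "$1"
}
```

On a live host, `flag_login_sources 20 < /var/log/nginx/access.log` run from cron gives a daily list of addresses worth a closer look; feed the same log through `login_attempts` to see the distribution before choosing the threshold.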
5. Server Hardening
The underlying operating system also needs to be secured.
Setting | Linux | Windows Server |
---|---|---|
Kernel Updates | `apt update && apt upgrade` (Debian/Ubuntu) / `yum update` (CentOS/RHEL) | Windows Update |
Unnecessary Services | Disable with `systemctl disable <service>` | Disable through Services Manager |
User Accounts | Limit sudo access, use strong passwords | Limit administrative access, use strong passwords |
File Permissions | Set appropriate file permissions (e.g., 644 for files, 755 for directories) | Use NTFS permissions to restrict access |
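The file-permission row of the table, applied to a MediaWiki tree as an added example (not a script from the MediaWiki project). It sets the 644/755 baseline and then handles the two places where that baseline is wrong for a wiki: `LocalSettings.php`, which holds the database password and should not be world-readable, and `images/`, the upload directory the web server must be able to write to. The installation path and the web server account (`www-data`, the Debian/Ubuntu default) are assumptions; `find_world_writable` is the check to re-run after upgrades.

```shell
#!/bin/sh
# Added example: permission baseline for a MediaWiki installation directory.
# Paths and the web server user are assumed placeholders.

# Octal mode of a path; GNU stat first, BSD stat as fallback.
perm_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: harden_wiki_permissions <mediawiki_root> [web_user]
harden_wiki_permissions() {
  root="$1"; user="${2:-www-data}"
  [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }

  # Baseline from the hardening table: 755 for directories, 644 for files.
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +

  # LocalSettings.php contains the DB credentials: owner rw, group r, nobody else.
  # The group must be the web server's so PHP can still read it (needs root).
  if [ -f "$root/LocalSettings.php" ]; then
    chmod 640 "$root/LocalSettings.php"
    if id "$user" >/dev/null 2>&1; then
      chgrp "$user" "$root/LocalSettings.php"
    else
      echo "warning: user $user not found; set the group of LocalSettings.php by hand" >&2
    fi
  fi

  # The upload directory is the only place the web server may write.
  if [ -d "$root/images" ]; then
    chmod 775 "$root/images"
  fi
  return 0
}

# Detection: list anything writable by everyone under the tree (should be empty).
find_world_writable() {
  find "$1" -perm -002 -print
}
```

Run it as root after every upgrade, then `find_world_writable /var/www/mediawiki` should print nothing and `perm_of /var/www/mediawiki/LocalSettings.php` should print 640.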
This article provides a foundation for securing your MediaWiki installation. Continuously review and update your security measures to stay ahead of emerging threats. Consult the MediaWiki security documentation for more detailed information. See also Help:Security issues for common problems and solutions.