Secure Operation

To ensure proper and safe operation of the IACBOX, a few factors need to be kept in mind.
This section of the manual looks at the small and the large things that make operating the IACBOX safer for everybody.

Deployment

We recommend operating the IACBOX behind a firewall at all times.
The ports required for smooth operation are:

Port    Usage
53      DNS (Domain Name Service)
123     NTP (Network Time Protocol) - Time synchronization
443     HTTPS - License registration and update
853     Optional, if DoT (DNS-over-TLS) is in use (Domain Name Service)
1194    iacbox.cloud tunnel (only if active)
5555    Remote control for support
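The table above lists ports only, not direction or transport protocol. The following script is an added example (not IACBOX code or documentation) that encodes the table as data and renders a minimal nftables forward-chain allowlist for the IACBOX's address, accepting only the listed ports and logging and dropping anything else the appliance tries to send. The IACBOX address, the outbound direction, and the UDP/TCP assignments are assumptions made for the example; the optional rows are only emitted when their feature is switched on.

```python
"""Render an nftables egress allowlist for an IACBOX from the port table in
this manual section.  Assumptions (not from the manual): the IACBOX address,
the direction (outbound from the IACBOX) and the L4 protocol per port."""
from dataclasses import dataclass

IACBOX_IP = "192.0.2.10"  # placeholder (TEST-NET-1 address), replace with yours


@dataclass(frozen=True)
class Rule:
    port: int
    protos: tuple          # assumed transport protocols; the manual lists ports only
    usage: str
    optional: bool = False  # rows the manual marks as optional / "only if active"
    feature: str = ""       # feature that enables an optional row


# The manual's table, encoded as data.
PORT_TABLE = (
    Rule(53,   ("udp", "tcp"), "DNS (Domain Name Service)"),
    Rule(123,  ("udp",),       "NTP (Network Time Protocol) - Time synchronization"),
    Rule(443,  ("tcp",),       "HTTPS - License registration and update"),
    Rule(853,  ("tcp",),       "DNS-over-TLS", optional=True, feature="dot"),
    Rule(1194, ("udp",),       "iacbox.cloud tunnel", optional=True, feature="cloud_tunnel"),
    Rule(5555, ("tcp",),       "Remote control for support", optional=True, feature="remote_support"),
)


def active_rules(features=frozenset()):
    """Rules that apply: required rows always, optional rows only when the
    corresponding feature is enabled."""
    return [r for r in PORT_TABLE if not r.optional or r.feature in features]


def port_allowed(port, proto, features=frozenset()):
    """True if the policy built from the table permits port/proto."""
    return any(r.port == port and proto in r.protos for r in active_rules(features))


def nft_ruleset(features=frozenset(), ip=IACBOX_IP):
    """Render the nftables script: accept return traffic and the table's ports
    from the IACBOX, then log and drop everything else it originates."""
    lines = [
        "table inet iacbox_egress {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    ct state established,related accept",
    ]
    for r in active_rules(features):
        for proto in r.protos:
            lines.append(f"    ip saddr {ip} {proto} dport {r.port} accept  # {r.usage}")
    lines.append(f'    ip saddr {ip} log prefix "iacbox-egress-drop: " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Example: DoT and the cloud tunnel enabled, remote support switched off.
    print(nft_ruleset(features={"dot", "cloud_tunnel"}))
```

The final drop rule only matches traffic whose source is the IACBOX address, so the chain leaves other hosts behind the firewall untouched; the log prefix makes unexpected connection attempts from the appliance visible in the firewall's log.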

If a public IP is used for the IACBOX, activate the Management-LAN and deactivate WebAdmin access on the Office-LAN (WAN).


This way WebAdmin access stays restricted to internal networks.
That does not mean that the IACBOX cannot be administered remotely!

If you need cloud remote access, connect your system to the iacbox.cloud, which lets you connect to your system securely from anywhere.

Access / Authentication

Change the password of the sysop user after the IACBOX has been installed for the first time.
Logging in with the sysop user and its default password redirects to the WebAdmin user account page, where the password can be changed.

Alternatively, the Account page can be reached by clicking the user icon at the top right of the WebAdmin.

The same menu can be used to set up 2-factor authentication, which adds a further layer of security to WebAdmin logins.

WebAdmin user permissions should also be reviewed and configured according to requirements.

Least privileges

  • Do not share the admin sysop account with users who don't need to manage the whole system
  • Create separate, named WebAdmin users that have only the permissions they need
    • When a WebAdmin user has a full name, it is easy to see later in the logs who did what.

Backup

Create regular backups, either manually or automatically.
Automatic remote backups are strongly recommended to ensure that data is backed up regularly and can be restored quickly in case of failure.

If you don't want to set up and operate a backup server yourself, simply connect your system to iacbox.cloud, which gives you fully encrypted cloud backups.

Monitoring

  • Monitor the system via SNMP.
  • Monitor reachability and the number of current users online via Batch API.
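A monitoring check along the lines of the two bullets above, added here as an example and not part of the IACBOX product or its documentation. It combines a TCP reachability probe with a parse of the online-user count and turns both into a conventional OK/WARNING/CRITICAL verdict. The WebAdmin port, the Batch API call and its response layout are assumptions; the sample response is constructed for the example and the real format has to be taken from the Batch API documentation.

```python
"""Reachability plus online-user check for an IACBOX.  The WebAdmin port,
the Batch API request and its response layout are assumptions, not taken
from the manual; SAMPLE_BATCH_RESPONSE is constructed for this example."""
import re
import socket

OK, WARNING, CRITICAL = 0, 1, 2  # conventional monitoring exit codes

# Constructed stand-in for what an online-users Batch API call might return.
SAMPLE_BATCH_RESPONSE = "status=ok\nonline_users=37\n"


def parse_online_users(text):
    """Extract the online-user count from a key=value response.  Returns None
    when the call did not report success or carries no numeric count."""
    fields = dict(re.findall(r"^(\w+)=(.*)$", text, re.M))
    if fields.get("status") != "ok" or not fields.get("online_users", "").isdigit():
        return None
    return int(fields["online_users"])


def check_reachable(host, port=443, timeout=3.0):
    """TCP-level reachability of the HTTPS/WebAdmin port (port is an assumption)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def evaluate(reachable, online_users, warn_at, crit_at):
    """Turn raw observations into a verdict.  An unreachable box or an
    unparsable count is CRITICAL on purpose: treating it as zero users would
    make an outage look like a quiet night."""
    if not reachable:
        return CRITICAL, "IACBOX not reachable"
    if online_users is None:
        return CRITICAL, "Batch API returned no usable user count"
    if online_users >= crit_at:
        return CRITICAL, f"{online_users} users online (>= {crit_at})"
    if online_users >= warn_at:
        return WARNING, f"{online_users} users online (>= {warn_at})"
    return OK, f"{online_users} users online"


def run_check(host, fetch_batch, warn_at=400, crit_at=500):
    """fetch_batch(host) -> response text.  Injected so production can pass a
    real HTTPS call to the Batch API while tests pass a canned string."""
    reachable = check_reachable(host)
    count = parse_online_users(fetch_batch(host)) if reachable else None
    return evaluate(reachable, count, warn_at, crit_at)


if __name__ == "__main__":
    import sys
    code, msg = evaluate(True, parse_online_users(SAMPLE_BATCH_RESPONSE), 400, 500)
    print(["OK", "WARNING", "CRITICAL"][code], "-", msg)
    sys.exit(code)
```

The thresholds are per site: set warn_at and crit_at relative to the licensed or expected number of concurrent users so that an unusual climb is noticed before the box is saturated, and wire the exit code into whatever scheduler or monitoring server runs the check.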

Updates

Keep auto-updates switched on to receive regular security and bug fixes.
The Online Update settings can be found in the WebAdmin under System / Online update.

Interfacing / Backends

If any external backends are in use, make sure that

  • backends use a secure transport such as TLS wherever possible
  • login credentials or tokens are used to connect to those backends
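The two rules above can be checked mechanically before a backend entry goes live. The script below is an added example (not IACBOX code; the settings layout is an assumption made for illustration) that audits a backend entry for plaintext transport, disabled certificate verification and missing credentials, shows a weak entry beside its corrected form, and builds the TLS client context such a connection should use.

```python
"""Audit backend connection settings against the two rules in this section:
secure transport (TLS) and authenticated access.  The dictionary layout is
an assumption for this example, not the IACBOX's own backend configuration."""
import ssl
from urllib.parse import urlsplit

# Constructed examples: the same backend, once misconfigured, once corrected.
WEAK_BACKEND = {
    "name": "pms",
    "url": "http://pms.example.internal/api",   # plaintext transport
    "token": "",                                 # no authentication
    "verify_tls": False,
}
HARDENED_BACKEND = {
    "name": "pms",
    "url": "https://pms.example.internal/api",
    "token": "TOKEN-PLACEHOLDER",                # placeholder, issued by the backend
    "verify_tls": True,
}


def audit_backend(cfg):
    """Return a list of findings; an empty list means both rules are met."""
    findings = []
    scheme = urlsplit(cfg["url"]).scheme.lower()
    if scheme != "https":
        findings.append(f"{cfg['name']}: transport is {scheme or 'unknown'}, not TLS")
    if not cfg.get("verify_tls", False):
        findings.append(f"{cfg['name']}: TLS certificate verification is disabled")
    has_token = bool(cfg.get("token"))
    has_login = bool(cfg.get("username")) and bool(cfg.get("password"))
    if not (has_token or has_login):
        findings.append(f"{cfg['name']}: no credentials or token configured")
    return findings


def tls_context():
    """Client context that verifies the server certificate and hostname against
    the system trust store and refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def auth_headers(cfg):
    """Bearer header for a token-based backend; an assumed scheme, the real
    backend's documentation decides how credentials are presented."""
    return {"Authorization": f"Bearer {cfg['token']}"} if cfg.get("token") else {}


if __name__ == "__main__":
    for entry in (WEAK_BACKEND, HARDENED_BACKEND):
        print(entry["url"], "->", audit_backend(entry) or "ok")
```

Run the audit over every configured backend whenever the configuration changes; a non-empty findings list is the cue to fix the entry rather than to add an exception.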