Hardening the LiquidFiles virtual appliance
LiquidFiles aims to be secure on default, and it is. And there are a couple of things you can do to improve the security on your LiquidFiles system.
Add an Ubuntu Pro License
If you're interested in security or compliance, we recommend that you sign up for and enable an Ubuntu Pro license to enable commercial support from Ubuntu as well as additional security mesures for compliance with certifications such as: DISA-STIG, FedRamp, NIST, Sarbanes-Oxley (SOX), HIPAA, FISMA, Center for Internet Security (CIS), Common Criteria, PCI, ISO 27001, FIPS 140 and Cyber Essentials.
Use Public Hostname in URLs
We recommend that you set the setting Use Public Hostname in URLs in Admin → System → Hostname & URL. The reason this setting isn't set as default is that firstly it makes it impossible to use the Getting Started function in LiquidFiles before a proper Public Hostname has been configured and working in your environment. You also need to be careful with this setting if you use a reverse proxy as it may cause a redirect loop. Enabling this setting will improve security as it address a couple of low risk vulnerabilities, Host Header Injection, and Leaking Private IP Address.
Defaults or Recommendations that sometimes gets changed
Automatic Updates
The default setting is that Automatic Updates are enabled, and we recommend that you keep it that way.
Some organizations think it will improve security if they manually test each release themselves before enabling it. This is good in both theory and practice if you are one of those rare organizations that call pull this off consistently. More often than not though, we come across systems that hasn't been updated in 3 years because of this belief but where the practice doesn't follow and since often LiquidFiles systems "just work", it never gets looked at and therefore never updated. Unless you have the discipline to actually do this consistently, security will be much improved if you keep automatic updates enabled.
Reverse Proxy using http
Some people still believe that performance will improve using "SSL Offloading" to a reverse proxy. On modern system using modern technologies, this just isn't true any more. Modern CPU has been optimized for chryptographic calculations and with HTTP/2 (only available over https) it will reuse connections making SSL/TLS renegotiations much less frequent so with a modern system like LiquidFiles, performance will almost certainly be improved if you use https.
Also, without the setting Force HTTPs in Admin → System → Hostname & URL, it's not possible to enable Secure Cookies and HSTS. So for both security and performance reasons, we recommend using https when using reverse proxies.
Sign Up for the LiquidFiles Maillist
We have a low volume Mailist where we mainly announce primarily version updates. Should there be any important updates that we need to announce, the Maillist will be the fastest and easiest way for you to learn update such updates from us.
Admin Security
Admin Networks
If you can, you can limit the networks Administrators can access both the web interface and the SSH Admin interface. The Admin web interface limit is configured in Admin → Configuration → Settings, in the Advanced tab. The SSH Admin access limit is configured in Admin → System → Console.
Sysadmin Access
We've lost count many times over the amount of support requests we get along the lines of — we've made some change with our Active Directory and now no one, including no administrators can login to LiquidFiles. While you can either add a new locally authenticated Sysadmin account by logging in to the console and run ft add_admin, or ft reset_admin to reset the first sysadmin account. The easiest way by far is to ensure you have at least one Sysadmin account that can access LiquidFiles that does not rely on any external authentication mechanism so you can login and start troubleshooting.
Multi-Factor Authentication
For day-to-day admin accounts, it's a good idea to enable one of the Multi-Factor Autentication mechanisms in LiquidFiles.
Conclusion
As you can see, there's not a lot of things to be done to a default LiquidFiles system. And if you follow these steps, you can still improve security for your system.