Hardening Janus


mic...@opensourceecology.org

May 16, 2018, 11:01:14 AM
to meetecho-janus
Hello,

Is there any documentation regarding how to harden the Janus Gateway against security attacks?

In general, searching for "webrtc security" tends to get swamped with articles talking about how webrtc has built-in encryption for the content and signaling data in transit protecting the *client*. I couldn't find much on common security pitfalls in running a webrtc server, such as Janus.

Specifically, I'd like to know:
  1. What default configuration file options could be tweaked (or added to) to make the default install more secure.
    1. For me, I'm thinking of janus.cfg, janus.transport.http.cfg, and the various plugin config files (especially videoroom.cfg)
  2. What are the minimum necessary file permissions for the janus files and its dependency files?
  3. What user should janus run as? How should that user be created such that Janus' compromise would have a minimal impact on the server?
  4. What are the minimum necessary ports to open in our firewall?
    1. I'm especially thinking of udp ports for ice. Is there a security benefit to not opening all udp ports? Are there consequences to opening just one?

I think a "Security Best Practices" or "Hardening Janus" documentation page would be a great addition to this project's website :)


Thanks for all your hard work on this project!

Marshall Quander

May 16, 2018, 8:37:31 PM
to meetecho-janus
A kind of simple suggestion would be to make sure you're not running plugins, transports, and event handlers you don't need -- by default it builds and loads all of them, but it's hard to imagine why you would want that.

Lorenzo Miniero

May 21, 2018, 10:16:25 AM
to meetecho-janus
Most configuration files have comments explaining what you can tweak, and what they can help with, so I encourage you to go through those.

Janus can run as whatever user you want: it doesn't need root permissions at all, and I always run it with my own user for instance. Of course, this only works as long as it has read/write permissions where needed (e.g., to parse config files and update them when requested, or to save recordings).

As to the media ports, that depends. The fewer ports you open, the fewer PeerConnections you'll be able to have active at the same time, as each PC will need its own port for exchanging media with the peer.

Not planning on working on the documents you suggested, sorry: we're busy enough as we are, and that's a very generic title for what can have a ton of different approaches and solutions. Different plugins may have different requirements (e.g., how do I make sure only some people can create a room?), and so do different transports. We have different authentication mechanisms as well. Again, going through the configuration options is the easiest way to figure out this stuff.

L.
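
The points raised in the replies above (unneeded plugins, transports and event handlers; a non-root user; one media port per PeerConnection) can be checked mechanically. The following is an added example, not part of the thread or of the Janus project: the function names are hypothetical, the sample config is constructed, and it assumes the INI-style janus.cfg with a `disable` key under `[plugins]`, `[transports]` and `[events]` and `rtp_port_range` under `[media]`.

```python
import configparser

# Constructed sample in the INI style of janus.cfg; values are illustrative.
SAMPLE_CFG = """\
[media]
rtp_port_range = 20000-20099

[plugins]
disable = libjanus_voicemail.so,libjanus_recordplay.so

[transports]
; disable = libjanus_rabbitmq.so

[events]
"""

def port_capacity(cfg):
    """Return the number of UDP ports in rtp_port_range, or None if unset."""
    value = cfg.get("media", "rtp_port_range", fallback="").strip()
    if not value:
        return None
    low, _, high = value.partition("-")
    low, high = int(low), int(high)
    if not (0 < low <= high <= 65535):
        raise ValueError(f"invalid rtp_port_range: {value!r}")
    return high - low + 1

def audit(text, run_uid):
    """Return a list of hardening findings for one janus.cfg body."""
    cfg = configparser.ConfigParser(strict=False)
    cfg.read_string(text)
    findings = []
    if run_uid == 0:
        findings.append("process runs as root; Janus does not need root")
    # With no disable list, every built module in that category is loaded.
    for section in ("plugins", "transports", "events"):
        if not cfg.get(section, "disable", fallback="").strip():
            findings.append(f"[{section}] has no disable list; all are loaded")
    ports = port_capacity(cfg)
    if ports is None:
        findings.append("[media] rtp_port_range unset; no range to match in the firewall")
    else:
        # One port per PeerConnection, as stated in the reply above.
        findings.append(f"rtp_port_range allows {ports} ports, so at most "
                        f"{ports} concurrent PeerConnections")
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CFG, 1000), sep="\n")
```

The UDP range opened in the firewall should match `rtp_port_range` exactly, so the reported port count is also the ceiling on simultaneous PeerConnections.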