Security
Post-installation security
1. Remove the install directory:

```sh
rm -rf /path/to/tirreno/install/
```

The install directory contains setup scripts that could be exploited if left accessible.
2. Set proper file permissions:

```sh
# Restrict config directory
chmod 750 config/
chmod 640 config/*.ini

# Restrict sensitive files
chmod 640 composer.json composer.lock
chmod 640 .htaccess

# Ensure logs are not world-readable
chmod 750 assets/logs/

# Make rules directories writable only by web server
chown -R www-data:www-data assets/rules/
chmod 755 assets/rules/core/ assets/rules/custom/
```
3. Verify .htaccess protection: ensure your Apache configuration allows .htaccess overrides:

```apache
<Directory /path/to/tirreno>
    AllowOverride All
    Require all granted
</Directory>
```
4. Verify the settings file is inaccessible:

```sh
# Should return 403 Forbidden or 404 Not Found
curl -I https://your-tirreno.com/config/local/config.local.ini
```
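To confirm steps 1 and 2 took effect on a host, the following audit script is an added example (not tirreno's own tooling); the function names, the `app.ini` file name and the demo tree it builds are assumptions, and it checks modes only, not `www-data` ownership, since the web server user varies by host.

```shell
#!/bin/sh
# Added example: audit a tirreno tree against the post-installation steps above.
# Prints each finding to stderr and the number of findings to stdout.

# Octal permission bits of a path, e.g. 640 (GNU stat first, BSD stat as fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_mode PATH MAX: fail if PATH is missing or has any bit set outside MAX.
check_mode() {
  path=$1; allowed=$2
  [ -e "$path" ] || { echo "FAIL $path is missing" >&2; return 1; }
  actual=$(mode_of "$path")
  if [ $(( 0$actual & ~0$allowed & 0777 )) -ne 0 ]; then
    echo "FAIL $path is mode $actual, expected at most $allowed" >&2
    return 1
  fi
}

# audit_tirreno ROOT: run the checks and print the finding count.
audit_tirreno() {
  root=$1; findings=0
  # Step 1: the install directory must be gone.
  if [ -e "$root/install" ]; then
    echo "FAIL $root/install still exists" >&2; findings=$((findings + 1))
  fi
  # Step 2: config and sensitive files readable by owner and group only.
  check_mode "$root/config" 750 || findings=$((findings + 1))
  for ini in "$root"/config/*.ini; do
    [ -e "$ini" ] || continue
    check_mode "$ini" 640 || findings=$((findings + 1))
  done
  for f in composer.json composer.lock .htaccess; do
    check_mode "$root/$f" 640 || findings=$((findings + 1))
  done
  check_mode "$root/assets/logs" 750 || findings=$((findings + 1))
  check_mode "$root/assets/rules/core" 755 || findings=$((findings + 1))
  echo "$findings"
}

# Constructed demo tree (hypothetical layout) with three deliberate mistakes.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/install" "$d/config" "$d/assets/logs" "$d/assets/rules/core"
  touch "$d/config/app.ini" "$d/composer.json" "$d/composer.lock" "$d/.htaccess"
  chmod 755 "$d/config"; chmod 644 "$d/config/app.ini"   # too permissive
  chmod 640 "$d/composer.json" "$d/composer.lock" "$d/.htaccess"
  chmod 750 "$d/assets/logs"; chmod 755 "$d/assets/rules/core"
  echo "$d"
}
```

Run `audit_tirreno /path/to/tirreno` on a real install; `make_demo_tree` builds a throwaway tree whose three mistakes (install/ present, config/ 755, .ini 644) the audit reports until the chmod and rm commands from steps 1 and 2 are applied.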
Network security
- Use HTTPS with valid SSL/TLS certificates (Let's Encrypt or commercial CA)
- Redirect all HTTP traffic to HTTPS and use HSTS headers
- Place tirreno in a private subnet; database should not be directly accessible from the internet
- For internal deployments, restrict sensor access to known IPs:

```apache
<Location /sensor/>
    Require ip 10.0.0.0/8
    Require ip 192.168.0.0/16
</Location>
```
Access control
1. Admin account security:
- Use strong, unique passwords
- Limit the number of admin accounts
- Review access logs regularly
2. Session management:
- Sessions expire after inactivity (default: 30 minutes)
- Sessions invalidated on password change
- Secure session cookies (HttpOnly, Secure, SameSite)
Monitoring and logging
1. Application log files:
tirreno writes logs to the assets/logs/ directory:
| Log file | Description |
|---|---|
| error.log | Application errors and exceptions |
| blacklist.log | Blacklist events: records when users are automatically blacklisted by rules |
| sql.log | SQL queries (disabled by default, enable with `PRINT_SQL_LOG_AFTER_EACH_SCRIPT_CALL = 1`) |
Monitor blacklist.log to track automatic fraud detection:

```sh
tail -f assets/logs/blacklist.log
```
2. Logbook (UI):
- Monitor the Logbook page for API request patterns
- Check failed events and verify your security settings
- Review error rates and unusual activity
3. Monitor for suspicious activity:
- Failed login attempts (brute force detection)
- Unusual API request patterns
- Error rate spikes
- Database query anomalies
4. Log retention:
- Retain logs for compliance requirements (typically 90 days to 1 year)
- Secure log storage (separate from application)
- Regular log review and alerting
Security checklist
Use this checklist for production deployments:
- [ ] Install directory removed
- [ ] File permissions restricted
- [ ] Settings file inaccessible from web
- [ ] Database user has minimal privileges
- [ ] HTTPS enforced with valid certificate
- [ ] Admin passwords strong and unique
- [ ] Logging enabled and monitored
- [ ] Error messages don't expose sensitive information