Hardening your LogonBox server's security

Chris Dakin

Introduction

This article covers best-practice configuration items to harden the security of your LogonBox server.

Whilst our servers are secure by default, there are some extra practical steps, described below, that further harden your server:

  • Reduce the attack surface by disabling features you are not using
  • Require strong (two-factor) authentication on your logins
  • Restrict access by country (geolocation) or by IP address
  • Ensure your users are not using passwords that have leaked in third-party breaches
  • Prevent access to the underlying operating system
  • Keep your operating system up to date

 

1. Remove features that are not used

Once you have your LogonBox server configured the way you need it, take a look at which features you are using, then remove or disable any you will not be using.

Please refer to this LogonBox Installable Features article for a full list of installable LogonBox features, what they do, and whether they can be removed.

You can see what features you have installed by navigating to Updates, Features & Licensing.

You have two options available here:

  • You can disable a feature by turning the extension off with the switch on the left side. This is useful if you want to temporarily disable a feature you might use later.
  • Or you can delete the feature by clicking the trash icon on the right. This makes the UI cleaner and makes it easier to see which features you are running. If you delete a feature, you can still reinstall it at any time from the category tabs on this page.

Note: You must restart your LogonBox service after disabling or deleting an extension before the feature is actually removed.

Removing a feature will also have the added benefit of a slightly faster server startup time.

 

Suggested course of action

It might be a little overwhelming to see the number of features that are available, so as a quick example, consider the following:

Concentrate initially on Directories and Authentication. If you are connected to Active Directory, for example, you can remove the Azure, Google, LDAP or SSH directory features.

Once you have your authentication configured, remove any of the other authentication modules. The installable features document linked above groups all features by type to make it easier to navigate.

 

2. Two-factor authentication 

Adding a second factor for your admin user authentication would be a good next step.

Please review this article for more information on further securing admin UI access.

User Selective 2FA is a good option if you want to give your users a choice of authentication methods.

 

3. Georestricting IPs

LogonBox can geolocate incoming user connections and allow or deny access based on the country of origin.

If you wish to look into this, please refer to this Geolocation article.

Note: This requires an API key from https://ipstack.com/

 

It is also possible to restrict by IP addresses and CIDR ranges using LogonBox's IP Restrictions feature.

 

4. Enforcing password breach checking

LogonBox comes preconfigured to use the Have I Been Pwned service for external password breach checking.

This feature has two modes: it can check for breached passwords only when a password is reset (the default), or it can check on every authentication to the LogonBox server. The second mode also catches passwords that were already in a breach when the feature was enabled, or that turn up in a breach later, since a reset-time check never sees those until the user next changes their password.

Please refer to this article for more information.
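To show what a breach check sends off the appliance, here is an added example, written for this article and not LogonBox's own code, of the k-anonymity lookup that Have I Been Pwned's Pwned Passwords range API uses: the password is hashed with SHA-1, only the first five hex characters of the hash are sent to the service, and the reply (every known hash suffix for that prefix with its breach count) is matched locally, so the full hash never leaves the server. The endpoint URL is the real one; the function names are this example's, and the sample range response is constructed for the example (only the suffix for "password" is a real hash; the counts are illustrative).

```shell
#!/bin/sh
# Added example (not LogonBox's code): k-anonymity breach check against
# Have I Been Pwned. Only the 5-character hash prefix is sent; matching is local.

# SHA-1 of the password as uppercase hex (the form HIBP uses).
sha1_upper() {
    printf '%s' "$1" | sha1sum | cut -c1-40 | tr 'a-f' 'A-F'
}

# Search a range response (lines of SUFFIX:COUNT) for a 35-character suffix.
# Prints the breach count, or 0 when the suffix is not listed.
breach_count() {
    suffix="$1"
    range="$2"
    count=$(printf '%s\n' "$range" | tr -d '\r' |
        awk -F: -v s="$suffix" '$1 == s { print $2; exit }')
    printf '%s\n' "${count:-0}"
}

# Live lookup (network required). Only the prefix goes on the wire.
fetch_range() {
    curl -fsS "https://api.pwnedpasswords.com/range/$1"
}

# Prints the breach count; exit status 0 = breached, 1 = not found, 2 = lookup failed.
# Set HIBP_OFFLINE_RANGE to a range response to run without network access.
check_password() {
    hash=$(sha1_upper "$1")
    prefix=$(printf '%s' "$hash" | cut -c1-5)
    suffix=$(printf '%s' "$hash" | cut -c6-40)
    if [ -n "${HIBP_OFFLINE_RANGE:-}" ]; then
        range="$HIBP_OFFLINE_RANGE"
    else
        range=$(fetch_range "$prefix") || return 2
    fi
    n=$(breach_count "$suffix" "$range")
    printf '%s\n' "$n"
    [ "$n" -gt 0 ]
}

# Constructed sample of a range response for prefix 5BAA6 (the prefix of
# SHA-1("password")). Real responses hold hundreds of lines; counts are made up.
SAMPLE_RANGE='0018A45C4D1DEF81644B54AB7F969B88D65:7
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
8D75A4E4F4F1A2B3C4D5E6F708192A3B4C5:1'

# Usage: HIBP_OFFLINE_RANGE="$SAMPLE_RANGE" sh hibp_check.sh password
if [ $# -gt 0 ]; then
    check_password "$1" && echo "BREACHED" || echo "not found"
fi
```

Run it once offline with the sample and once without HIBP_OFFLINE_RANGE set to see the live lookup; either way, a packet capture of the live run shows only the five-character prefix in the request, which is the privacy property that makes the "check on every authentication" mode acceptable.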

 

5. Preventing local OS access

The first time you access the console after deploying your LogonBox server, you should have been prompted to set a password for the Operating System's root user account.

If you did not do this at deployment time, open the console and do so now.

 

SSH access to the server is disabled by default, but on older systems, this used to be enabled, so you may wish to stop and disable the SSH service.

You can do this from VMCentre on the console. Navigate to the Services menu and stop the SSH service if it's started.

 

You can click on the gear icon to choose not to start this service on boot.

 

If SSH access to your server is required, set up SSH key authentication instead and disable password logins, at least for the root account (PermitRootLogin prohibit-password and PasswordAuthentication no in the sshd configuration). Confirm that a key login works from a second session before closing the one you are working in.
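The following is an added example, not part of the LogonBox image or VMCentre, of locking sshd down to key-only access on a Debian 12 host. Debian's /etc/ssh/sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf", and sshd uses the first value it sees for each directive, so a drop-in file there overrides the stock settings without editing the main file. The drop-in name, the ROOT_KEYS path and the function names are this example's choices; the refusal to proceed without a root authorized key is the lockout guard a practitioner wants before turning passwords off.

```shell
#!/bin/sh
# Added example (not LogonBox tooling): key-only SSH on Debian 12.
# Writes a drop-in, validates the merged config, then reloads sshd.

DROPIN="${DROPIN:-/etc/ssh/sshd_config.d/50-key-only.conf}"   # example name
ROOT_KEYS="${ROOT_KEYS:-/root/.ssh/authorized_keys}"

# Write the hardening directives to the given file.
write_hardening_conf() {
    cat > "$1" <<'EOF'
# Root may log in, but only with a key; password prompts for root are refused.
PermitRootLogin prohibit-password
# No password logins for any account, including via keyboard-interactive/PAM.
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
EOF
}

# True when the authorized_keys file holds at least one key line
# (options such as from="..." before the key type are allowed).
has_authorized_key() {
    [ -r "$1" ] && grep -Eq \
        '(^|[[:space:]])(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh\.com)[[:space:]]+[A-Za-z0-9+/]+=*' \
        "$1"
}

# Effective value of a directive after all includes ("sshd -T" prints the
# merged config with lowercase keys). Needs root.
effective() {
    sshd -T 2>/dev/null |
        awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '$1 == k { print $2; exit }'
}

apply() {
    # Guard against locking yourself out: a root key must already be installed.
    if ! has_authorized_key "$ROOT_KEYS"; then
        echo "no key in $ROOT_KEYS; install one before disabling password logins" >&2
        return 1
    fi
    write_hardening_conf "$DROPIN"
    # Validate the whole configuration, drop-in included, before touching the service.
    if ! sshd -t; then
        rm -f "$DROPIN"
        echo "config rejected by sshd -t; drop-in removed" >&2
        return 1
    fi
    systemctl reload ssh
    echo "passwordauthentication=$(effective PasswordAuthentication) permitrootlogin=$(effective PermitRootLogin)"
}

# Usage (as root): sh ssh_key_only.sh apply
[ "${1:-}" = "apply" ] && apply
```

Reloading sshd does not drop established sessions, so keep your current session open, log in with the key from a second terminal, and only then close the first one. If the appliance is managed entirely from the VM console, stopping and disabling the SSH service as described above is simpler than hardening it.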

 

6. Keep your Operating System up to date

The LogonBox VMs run on Debian Linux.

Ensure that your OS packages are fully up to date by running the following commands as root from a terminal on the console:

apt update
apt upgrade

 

Debian runs a Long Term Support cycle. Check which version of Debian your system is running with the command cat /etc/debian_version.

Refer to this page to check if your current OS version is still within the LTS schedule.

 

If your OS is on an older release, we recommend upgrading to a newer release so that its packages remain covered by security patches.

Upgrade Debian one release at a time: Debian only supports upgrading from the immediately preceding release, so skipping a release is not supported.

LogonBox images currently ship on Debian 12, which is covered by Debian security support (including LTS) until June 2028.
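As an added example, not a script shipped with LogonBox, the following pulls the steps of this section together: it reads /etc/debian_version, warns when the host is behind the release the images currently ship on (12, per this article; update CURRENT_RELEASE when that changes), applies pending updates without interactive prompts, and flags the case where a new kernel was installed but the old one is still running. The function names and the use of a "run" argument are this example's choices.

```shell
#!/bin/sh
# Added example (not LogonBox's script): release check plus non-interactive
# package update for a Debian-based LogonBox appliance. Run as root.

CURRENT_RELEASE=12   # release the images ship on, per this article

# Major release number from an /etc/debian_version string such as "12.5" or
# "11.9"; testing/unstable images carry a codename ("bookworm/sid") instead.
debian_major() {
    case "$1" in
        [0-9]*) printf '%s\n' "${1%%.*}" ;;
        *)      printf '%s\n' "unknown" ;;
    esac
}

# 0 when the host is on the current release or newer, 1 when older or unrecognised.
on_current_release() {
    major=$(debian_major "$1")
    [ "$major" != "unknown" ] && [ "$major" -ge "$CURRENT_RELEASE" ]
}

# Apply all pending updates. DEBIAN_FRONTEND=noninteractive suppresses dpkg
# dialogs; the Dpkg options keep locally modified config files rather than
# prompting about them.
update_packages() {
    export DEBIAN_FRONTEND=noninteractive
    apt-get update &&
    apt-get -y -o Dpkg::Options::=--force-confdef \
               -o Dpkg::Options::=--force-confold upgrade
}

# Prints the newest installed kernel version when it differs from the running one.
kernel_reboot_needed() {
    newest=$(ls -1 /boot/vmlinuz-* 2>/dev/null | sed 's|.*/vmlinuz-||' | sort -V | tail -n 1)
    [ -n "$newest" ] && [ "$newest" != "$(uname -r)" ] && printf '%s\n' "$newest"
}

main() {
    ver=$(cat /etc/debian_version)
    if on_current_release "$ver"; then
        echo "Debian $ver: on the current release"
    else
        echo "Debian $ver: older than Debian $CURRENT_RELEASE; plan an upgrade, one release at a time" >&2
    fi
    update_packages || { echo "package update failed" >&2; return 1; }
    if k=$(kernel_reboot_needed); then
        echo "kernel $k installed but $(uname -r) is running: reboot to finish" >&2
    fi
}

# Usage (as root): sh appliance_update.sh run
[ "${1:-}" = "run" ] && main
```

Running this from the console avoids the situation where an SSH session is the only thing keeping you on the box while openssh-server itself is upgraded.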

 

We have step-by-step instructions available for upgrading Debian on a LogonBox image:

Debian 9 to 10

Debian 10 to 11

Debian 11 to 12