Hardening - Operating System Recommendations
General hardening guidelines are outlined in the main hardening documentation.
You can configure the underlying operating system to increase overall security. In a a controlled environment such as a self-managed GitLab instance it requires additional steps, and in fact is often required for certain deployments. FedRAMP is an example of such a deployment.
SSH Client Configuration
For client access (either to the GitLab instance or to the underlying operating system), here are a couple of recommendations for SSH key generation. The first one is a typical SSH key:
ssh-keygen -a 64 -t ed25519 -f ~/.ssh/id_ed25519 -C "ED25519 Key"
For a FIPS-compliant SSH key, use the following:
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -C "RSA FIPS-compliant Key"
SSH Server Configuration
At the operating system level, if you are allowing SSH access (typically through
OpenSSH), here is an example of configuration options for the
(the exact location may vary depending on the operating system but it is usually
# Example sshd config file. This supports public key authentication and
# turns off several potential security risk areas
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Protocol adjustments, these would be needed/recommended in a FIPS or
# FedRAMP deployment, and use only strong and proven algorithm choices
For firewall rules, only TCP ports
443 need to be open for basic usage. By
5050 is open for remote access to the container registry, however in a
hardened environment this would most likely exist on a different host, and in some
environments not open at all. Hence, the recommendation is for ports
only, and port
80 should only be used to redirect to
For a truly hardened or isolated environment such as FedRAMP, you should adjust the firewall rules to restrict all ports except to those networks
accessing it. For example, if the IP address is
192.168.1.2 and all of the authorized
clients are also on
192.168.1.0/24, restrict access to ports
443 to just
192.168.1.0/24 only (as a safety restriction), even if access is restricted
elsewhere with another firewall.
Ideally, if you're installing a self-managed instance, you should implement the firewall rules before the installation begins with access restricted to the admins and installers, and only add additional ranges of IP addresses for users after the instance is installed and properly hardened.
ufw is acceptable to implement and enforce port
access on a per-host basis, otherwise usage of cloud-based firewall rules through GCP
Google Compute or AWS Security Groups should enforce this. All other ports should
be blocked, or at least restricted to specific ranges. For more information on ports, see
It is possible that various services may be enabled that require external access (for example Sidekiq) and need network access to be opened up. Restrict these types of services to specific IP addresses, or a specific Class C. As a layered and added precaution, where possible restrict these extra services to specific nodes or sub-networks in GitLab.
Kernel adjustments can be made by editing
/etc/sysctl.conf, or one of the files in
/etc/sysctl.d/. Kernel adjustments do not completely eliminate the threat of an
attack, but add an extra layer of security. The following notes explain
some of the advantages for these adjustments.
## Kernel tweaks for sysctl.conf ##
## The following help mitigate out of bounds, null pointer dereference, heap and
## buffer overflow bugs, use-after-free etc from being exploited. It does not 100%
## fix the issues, but seriously hampers exploitation.
# Default is 65536, 4096 helps mitigate memory issues used in exploitation
# Default is 0, randomize virtual address space in memory, makes vuln exploitation
# Restrict kernel pointer access (for example, cat /proc/kallsyms) for exploit assistance
# Restrict verbose kernel errors in dmesg
# Restrict eBPF
# Prevent common use-after-free exploits
## Networking tweaks ##
## Prevent common attacks at the IP stack layer
# Prevent SYNFLOOD denial of service attacks
# Prevent time wait assassination attacks
# IP spoofing/source routing protection
# IP redirection protection