
09 Security Best Practices

AsaTyr2018 edited this page Mar 17, 2026 · 13 revisions

Security Best Practices

1) Control-plane access policy

Use per-user IP policy in Users:

  • define IP Access CIDRs for each admin/operator account that needs restricted source ranges
  • use Disable IP check only when explicitly required and only with MFA-enabled user accounts
  • keep the admin bind endpoint internal when possible

MFA coupling rule:

  • Disable IP check is rejected by backend validation if MFA is not enabled for that user.
  • Resetting user MFA automatically re-enables IP checks for that account.

Optional runtime baseline:

  • DOMNEX_ADMIN_ALLOWED_CIDRS can still be used as a fallback baseline policy
  • if a user has explicit CIDRs configured in the Web UI, the user-level policy takes precedence
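The policy rules above (per-user CIDRs first, environment fallback second, and the MFA coupling for Disable IP check) as an added example. This is not DomNexDomain's own code: only the environment variable name and the rules come from the page; the user record shape, function names, and the allow-when-nothing-is-configured default are assumptions.

```python
# Added example (not DomNexDomain's own code): models the control-plane access
# policy described above. Only DOMNEX_ADMIN_ALLOWED_CIDRS and the rules are from
# the page; the user record shape and function names are assumptions.
import ipaddress
import os
from dataclasses import dataclass, field

ENV_FALLBACK = "DOMNEX_ADMIN_ALLOWED_CIDRS"   # page-documented fallback baseline


@dataclass
class AdminUser:
    name: str
    mfa_enabled: bool = False
    ip_access_cidrs: list = field(default_factory=list)   # per-user "IP Access CIDRs"
    disable_ip_check: bool = False                         # "Disable IP check" toggle


class PolicyError(ValueError):
    """Raised when a user update violates backend validation."""


def parse_cidrs(raw):
    """Parse a comma-separated CIDR list; malformed entries raise ValueError."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in raw.split(",") if item.strip()]


def validate_user_update(user):
    """Backend validation: 'Disable IP check' is rejected unless MFA is enabled."""
    if user.disable_ip_check and not user.mfa_enabled:
        raise PolicyError("Disable IP check requires an MFA-enabled account")
    return user


def reset_mfa(user):
    """An MFA reset automatically re-enables the IP check for that account."""
    user.mfa_enabled = False
    user.disable_ip_check = False
    return user


def effective_cidrs(user, env=os.environ):
    """User-level CIDRs take precedence; the env fallback applies only when unset."""
    if user.ip_access_cidrs:
        return parse_cidrs(",".join(user.ip_access_cidrs))
    return parse_cidrs(env.get(ENV_FALLBACK, ""))


def is_source_allowed(user, source_ip, env=os.environ):
    """Decide whether a control-plane login from source_ip may proceed."""
    if user.disable_ip_check:
        return True            # only reachable for MFA users (see validate_user_update)
    nets = effective_cidrs(user, env)
    if not nets:
        return True            # assumption: no policy at either level means no IP restriction
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in nets)
```

Call `validate_user_update` on every write path that touches the toggle, not only from the UI, so API-driven updates get the same MFA coupling.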

2) Expose only required ports

  • Public web entry: 80 and 443
  • Admin UI/API port: keep LAN-only or tightly filtered (for example 8443)
  • Optional SSH Bastion: expose only one dedicated bastion port (for example 2222) instead of exposing many host SSH ports

3) Authentication and credentials

  • Use long random passwords
  • Rotate API tokens regularly
  • Never share credentials/tokens in chat, screenshots, or issue tickets
  • Prefer dedicated user accounts over shared admin credentials
  • Enforce MFA by role using Settings -> MFA
  • Store and protect recovery codes offline

Break-glass recovery (local only):

  • If an admin account is locked out by MFA misconfiguration, use the local shell:
    • domnexdomain mfa-reset <username>
  • This is audited as a break-glass security event.

Login flow sensitivity notes:

  • staged login data is TTL-bounded in process memory
  • staged password is not persisted to disk
  • staged secret is discarded on completion or invalidation
  • staged flow is bound to its source IP and to its current stage
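An in-memory staged-login store with the four properties listed above, as an added example that is not DomNexDomain's own code. The page states only the properties; the class and method names, the 120-second TTL, and the two stage names ("password", then "mfa") are assumptions.

```python
# Added example (not DomNexDomain's own code): a staged-login store that is
# TTL-bounded, memory-only, discards the secret on completion or invalidation,
# and binds each flow to its source IP and stage. TTL and stage names are assumed.
import secrets
import time
from dataclasses import dataclass

STAGE_TTL_SECONDS = 120            # assumed TTL for one staged flow
STAGES = ("password", "mfa")       # assumed stage order; "mfa" is the final stage


@dataclass
class StagedLogin:
    username: str
    source_ip: str       # flow is bound to the IP that started it
    stage: str           # flow is bound to the stage it is currently in
    expires_at: float
    secret: str          # staged password: held in process memory only, never persisted


class StagedLoginStore:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._entries = {}          # token -> StagedLogin (process memory only)

    def begin(self, username, source_ip, password):
        """Stage a verified password and hand back an opaque flow token."""
        token = secrets.token_urlsafe(32)
        self._entries[token] = StagedLogin(
            username, source_ip, STAGES[0], self._clock() + STAGE_TTL_SECONDS, password)
        return token

    def _invalidate(self, token):
        """Discard the staged secret; used on expiry, binding mismatch and completion."""
        entry = self._entries.pop(token, None)
        if entry is not None:
            entry.secret = ""       # drop the reference eagerly (best effort in Python)
        return entry

    def _check(self, token, source_ip, stage):
        entry = self._entries.get(token)
        if entry is None:
            return None
        if (self._clock() > entry.expires_at
                or entry.source_ip != source_ip
                or entry.stage != stage):
            self._invalidate(token)     # any binding violation ends the whole flow
            return None
        return entry

    def advance(self, token, source_ip, stage):
        """Move a flow from `stage` to the next one; returns the new stage or None."""
        entry = self._check(token, source_ip, stage)
        if entry is None:
            return None
        idx = STAGES.index(entry.stage)
        if idx + 1 >= len(STAGES):
            return None                 # already at the final stage: use complete()
        entry.stage = STAGES[idx + 1]
        return entry.stage

    def complete(self, token, source_ip):
        """Finish a flow at the final stage; staged data is discarded either way."""
        entry = self._check(token, source_ip, STAGES[-1])
        if entry is None:
            return None
        self._invalidate(token)
        return entry.username

    def is_active(self, token):
        return token in self._entries
```

A mismatch on any binding (expired, different IP, wrong stage) ends the flow rather than returning an error that leaves the staged secret alive; the requester must start again from the password step.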

4) Least privilege and role design

  • Use read-only for auditors/observers
  • Use domain-admin for scoped operational ownership
  • Reserve global admin for platform owners
  • Grant minimal token scopes for automation

5) Upstream transport security

  • Use internal TLS when possible
  • Use No TLS Verify only when technically unavoidable (for example temporary self-signed transition)
  • Revisit and remove No TLS Verify once a proper certificate chain is available

6) Observe and respond quickly

  • Monitor failed login events and unusual source IP patterns
  • Investigate unexpected config changes immediately
  • Track recurring proxy.waf.* and threatintel.* activity in Strategic Intel

7) WAF baseline behavior (temporary by design)

DomNexDomain WAF baseline mitigates unknown-host flood patterns.

  • Temporary block window: 15 minutes
  • Auditable actions:
    • proxy.waf.temp_block.set
    • proxy.waf.temp_block.hit
  • No permanent auto-ban in baseline WAF path

8) Threat Intel behavior (allowlist-first)

Threat Intel modes:

  • Monitor only: classify and learn (XP/Level/Tier) without auto-enforcement
  • Auto mode: soft/hard enforcement according to policy thresholds

Feed opt-in behavior:

  • Feeds are backend intelligence, not immediate block material
  • Feed-listed IPs are enforced only when they actually send traffic
  • First contact from a feed-listed or signature-matched source is raised into the watched band (Level 3) instead of being hard-blocked directly

Policy precedence:

  1. allowlist override
  2. mode + thresholds
  3. enforcement output

Determinism note:

  • edge request handling is short-circuiting and deterministic; the first terminal security decision ends evaluation.

9) Hard-block semantics

  • Hard-blocked sources are edge-dropped (proxy.block.hard_drop)
  • No rendered content is sent to blocked scanners
  • Hard-block lifecycle is bounded:
    • after long inactivity, hard-block state transitions into watch state
    • normal decay/rehabilitation continues from there
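The WAF temporary block (section 7), the allowlist-first Threat Intel precedence with its first-contact rule and monitor/auto modes (section 8), and the hard-block lifecycle (section 9), combined into one deterministic short-circuiting edge decision as an added example. This is not DomNexDomain's own code: the action names, the 15-minute window, and the Level 3 watched band come from the page; the soft/hard thresholds (levels 4 and 5), the one-level-per-suspicious-contact learning rule, the 24-hour "long inactivity" window, and the data shapes are assumptions.

```python
# Added example (not DomNexDomain's own code): deterministic, short-circuiting
# edge decision following allowlist -> mode + thresholds -> enforcement output.
# Audit action names are from the page; thresholds, the learning rule and the
# inactivity window are assumptions.
import ipaddress
import time

TEMP_BLOCK_SECONDS = 15 * 60                 # page: temporary block window 15 minutes
WATCH_LEVEL = 3                              # page: watched band
SOFT_BLOCK_LEVEL = 4                         # assumed soft-enforcement threshold
HARD_BLOCK_LEVEL = 5                         # assumed hard-enforcement threshold
HARD_BLOCK_INACTIVITY_SECONDS = 24 * 3600    # assumed "long inactivity"


class Edge:
    def __init__(self, allowlist, mode="monitor", feed_ips=(), clock=time.time):
        self.allowlist = [ipaddress.ip_network(c, strict=False) for c in allowlist]
        self.mode = mode                  # "monitor" or "auto"
        self.feed_ips = set(feed_ips)     # backend intelligence, not block material by itself
        self.clock = clock
        self.level = {}                   # source -> learned level (assigned on contact only)
        self.last_seen = {}
        self.temp_block_until = {}
        self.audit = []                   # (action, source) tuples

    def _audit(self, action, source):
        self.audit.append((action, source))

    def waf_unknown_host(self, source):
        """Baseline WAF: an unknown-host flood sets a temporary block, never a permanent ban."""
        self.temp_block_until[source] = self.clock() + TEMP_BLOCK_SECONDS
        self._audit("proxy.waf.temp_block.set", source)

    def decide(self, source, signature_match=False):
        now = self.clock()
        addr = ipaddress.ip_address(source)
        # 1. allowlist override: first terminal decision, nothing else is evaluated
        if any(addr in net for net in self.allowlist):
            return "allow"
        # hard-block lifecycle: after long inactivity the state transitions into watch
        last = self.last_seen.get(source)
        if (last is not None and self.level.get(source, 0) >= HARD_BLOCK_LEVEL
                and now - last > HARD_BLOCK_INACTIVITY_SECONDS):
            self.level[source] = WATCH_LEVEL
        self.last_seen[source] = now
        # WAF temporary block is terminal while its window is open
        until = self.temp_block_until.get(source)
        if until is not None:
            if now < until:
                self._audit("proxy.waf.temp_block.hit", source)
                return "temp_block"
            del self.temp_block_until[source]      # window expired, no permanent ban
        # 2. mode + thresholds: classify and learn (only for sources that send traffic)
        if source not in self.level:
            listed = source in self.feed_ips or signature_match
            self.level[source] = WATCH_LEVEL if listed else 0   # first contact: watched band
        elif signature_match:
            self.level[source] += 1                 # assumed learning rule
        lvl = self.level[source]
        if self.mode == "monitor":
            return "allow"                          # classify and learn, no auto-enforcement
        # 3. enforcement output (auto mode)
        if lvl >= HARD_BLOCK_LEVEL:
            self._audit("proxy.block.hard_drop", source)
            return "hard_drop"                      # edge-dropped, no rendered content
        if lvl >= SOFT_BLOCK_LEVEL:
            return "soft_block"
        return "allow"
```

Because every branch returns at the first terminal decision and the inputs are only the source, the signature flag and the clock, the same request always yields the same verdict, which is what makes the audit trail reproducible during an investigation.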

10) GeoIP runtime asset hygiene

  • GeoIP source files are runtime data, not source code.
  • Never commit source datasets (.mmdb, .csv, .gz, .zip) to git.
  • Use DomNex source-pool and compiled output paths:
    • /var/lib/domnexdomain/geoip-sources
    • /var/lib/domnexdomain/geoip-compiled/domnex-country.mmdb
  • Use Settings -> GeoIP Sources for controlled uploads and compile visibility.
  • Free sources:
    • https://download.ip2location.com/lite/
    • https://db-ip.com/db/download/ip-to-country-lite
  • Keep multiple high-quality sources to reduce unknown-country (ZZ) rates.

11) Incident response with trace IDs

Smart edge error pages expose a trace ID directly to the requester.

Use it as your primary correlation key:

  1. Copy trace ID from error page.
  2. Open Strategic Intel -> Investigations.
  3. Search/pivot trace ID with broad filters first.
  4. Narrow by namespace/action/source for root cause.

12) Enforce retention policy

  • Configure retention in Settings -> Advanced and keep it explicit.
  • Do not run with unlimited audit/traffic/threat history.
  • Validate periodic purge execution through retention.purge events in Strategic Intel -> Events.
  • Keep backup retention aligned with database retention.
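The trace-ID-first investigation flow of section 11 (broad pivot, then narrowing by namespace/action/source) together with an explicit retention purge that records a retention.purge event (section 12), as an added example that is not DomNexDomain's own code. Action names that appear on the page are reused; the event fields, the sample events (including the constructed threatintel.classify and auth.login.failed names), and the retention values are assumptions.

```python
# Added example (not DomNexDomain's own code): a minimal event store for the
# trace-ID investigation flow and an explicit retention purge. Event fields,
# sample events and retention values are constructed for this example.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int           # epoch seconds
    namespace: str    # e.g. "proxy", "threatintel", "auth"
    action: str       # e.g. "proxy.waf.temp_block.hit"
    source: str       # source IP
    trace_id: str     # the ID shown on the smart edge error page


class EventStore:
    def __init__(self, events=()):
        self.events = list(events)

    def by_trace(self, trace_id):
        """Step 3: broad pivot on the trace ID alone, no other filters."""
        return [e for e in self.events if e.trace_id == trace_id]

    def narrow(self, events, namespace=None, action=None, source=None):
        """Step 4: narrow the pivot result by namespace / action / source."""
        return [e for e in events
                if (namespace is None or e.namespace == namespace)
                and (action is None or e.action == action)
                and (source is None or e.source == source)]

    def summarize(self, events):
        """Counts per (namespace, action) to see where a trace spent its decisions."""
        return Counter((e.namespace, e.action) for e in events)

    def purge(self, now, retention_seconds):
        """Explicit retention: drop events older than the window and record the purge."""
        cutoff = now - retention_seconds
        keep = [e for e in self.events if e.ts >= cutoff]
        removed = len(self.events) - len(keep)
        # the purge itself is auditable, so its execution can be validated later
        keep.append(Event(now, "retention", "retention.purge", "-", "trace-purge-%d" % now))
        self.events = keep
        return removed


# Constructed sample events (not real DomNexDomain output)
SAMPLE = [
    Event(1_000_000, "proxy", "proxy.waf.temp_block.set", "203.0.113.4", "trace-abc"),
    Event(1_000_005, "proxy", "proxy.waf.temp_block.hit", "203.0.113.4", "trace-abc"),
    Event(1_000_006, "threatintel", "threatintel.classify", "203.0.113.4", "trace-abc"),
    Event(1_000_007, "proxy", "proxy.block.hard_drop", "198.51.100.7", "trace-def"),
    Event(500_000, "auth", "auth.login.failed", "192.0.2.9", "trace-old"),
]


def investigate(store, trace_id, **filters):
    """Broad pivot first, then narrow; returns (broad_count, narrowed_events)."""
    broad = store.by_trace(trace_id)
    return len(broad), store.narrow(broad, **filters)
```

Starting broad matters because a trace can span several namespaces (WAF, threat intel, proxy); filtering by namespace first would hide the decision that actually terminated the request.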
