Securing Nexus Repository Manager
Below are a few suggestions for making your Nexus Repository Manager (NXRM) instance more secure.
Limit IPs that can be reached from your NXRM host
NXRM can be configured by an administrator to contact internal and external IPs for various reasons such as retrieving certificates, creating proxy repositories, dispatching events to remote URLs and so on. You may limit the IPs that can be reached from the host machine running your NXRM instance but note that doing so could block the main use case for some features. For example, webhooks give administrators a way of integrating NXRM with other systems (e.g an auditing system, another NXRM instance, or a lightweight listener potentially on the same host), typically in the same data center. Hence, limiting webhook destinations to, for example, IPs external to your data center effectively blocks the main use case for them.
Privileges and service account
- Only assign the least necessary privileges to NXRM users.
- Create a dedicated operating system service account for running NXRM - do not run as the root user. In addition, the service account must have read/write permissions to the
$install-dirand sonatype-work directories and must be able to create a valid shell. Please see here for detailed operating system service account recommendations.
Running NXRM in a Docker container may reduce the impact of a successful attack. Without containerisation, if a malicious person succesfully exploits a service and gains root access, they could do damage to other services running on the host. On the other hand, containerising means a succesful attack on that service is restricted to the container running that service. The NXRM3 docker images can be found at: https://hub.docker.com/r/sonatype/nexus3/.