In continuation of Installing Ghost on Ubuntu, Nginx and MySQL - Part 1
Now that you have secured your SSH connections, it is time to put up a firewall to secure all inbound network traffic.
Step: Install UFW (Uncomplicated firewall - not complicated at all, promise)
sudo apt-get update
sudo apt-get install ufw
Step: Add rules to allow inbound SSH (on the custom port we configured previously) and HTTP (port 80) traffic.
sudo ufw allow http
sudo ufw allow <your custom SSH port configured previously>
Step: Enable UFW and check status
sudo ufw enable
sudo ufw status verbose
You can check that your firewall now blocks every port except the custom SSH port and HTTP 80 by using PortQryUI on Windows, or simply telnet: on Windows enable the Telnet Client feature, on Linux install it first (just to be sure):
sudo apt-get install telnet
You can also stop your droplet from answering ping requests (ICMP echo) by editing the UFW before-rules:
sudo nano /etc/ufw/before.rules
find the following lines
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
Comment out these lines (prefix them with #) and save the file (Ctrl + x > Y > Enter). Note that only the echo-request rule is what answers ping; the others accept ICMP error reports (destination-unreachable, time-exceeded and so on) that path MTU discovery depends on, so drop those with care.
Note: I had some issues related to UFW not finding iptables while setting it up on Ubuntu 12.10 x64 on a DigitalOcean droplet.
Secure shared memory (Optional)
Step: Shared memory can be used in an attack against a running service (like Nginx in our case, I guess o.O), so mount it with restricted options:
sudo nano /etc/fstab
Go to the end of the file and add the following line:
none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0
This mounts /run/shm writable but with no permission to execute programs from it (noexec), no effect for set-UID bits on programs stored there (nosuid), and no ability to create block or character devices in it (nodev).
Step: Reboot your droplet so that the change takes effect, or remount /run/shm with the following command:
sudo reboot OR sudo mount -o remount /run/shm
Note: You can skip this step if you are not completely sure about it or get stuck on it.
No su for non-admin users
Step: To deny su access to non-admin users, run the following commands (the usermod line must come first: once the override is in place, only members of the admin group can run su, and the new group membership applies at your next login):
sudo groupadd admin
sudo usermod -a -G admin <admin username / demoghost>
sudo dpkg-statoverride --update --add root admin 4750 /bin/su
Secure your network configuration with sysctl settings (Optional)
Step: Check whether the directory /etc/sysctl.d exists and contains the file 10-network-security.conf. If it does, print its contents and look for these three lines:
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
Note: Ordering doesn't matter.
If those three lines are already present in 10-network-security.conf, remove them from the block below before pasting it.
sudo nano /etc/sysctl.conf
Step: Remove any existing content (except the lines that refer to DigitalOcean settings) and paste the following block:
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
Step: Save the changes (Ctrl + x > Y > Enter) and reload sysctl so these changes take effect:
sudo sysctl -p
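As an added check (example script, not part of the original post): after the reload, compare what the kernel actually reports against the hardening block in /etc/sysctl.conf, so that a key the kernel rejected or a value reset by something else does not go unnoticed. EXPECTED is a subset of the block above and CURRENT is a constructed stand-in for sysctl -a output; on the droplet, feed it the real file and the live output as shown in the trailing comment.

```shell
#!/bin/sh
# Audit the sysctl hardening block against the values the kernel is running.
# EXPECTED is a subset of the block this post puts in /etc/sysctl.conf;
# CURRENT is a constructed stand-in for `sysctl -a` output, with two keys
# deliberately left at their defaults so the drift report has something to show.
EXPECTED='# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1'

CURRENT='net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.icmp_echo_ignore_all = 0'

# lookup_value KEY SNAPSHOT: print the value SNAPSHOT records for KEY, or "missing"
lookup_value() {
  v=$(printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" \
        | head -n 1 | tr -d '[:space:]')
  if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'missing\n'; fi
}

# sysctl_drift EXPECTED SNAPSHOT: one line "key want=X have=Y" per key whose
# live value differs from the hardening file (comments and blank lines ignored)
sysctl_drift() {
  printf '%s\n' "$1" | sed 's/#.*//; /^[[:space:]]*$/d' \
    | while IFS='=' read -r key want; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        want=$(printf '%s' "$want" | tr -d '[:space:]')
        have=$(lookup_value "$key" "$2")
        [ "$have" = "$want" ] || printf '%s want=%s have=%s\n' "$key" "$want" "$have"
      done
}

# drift_count EXPECTED SNAPSHOT: number of drifted keys (0 means the file took effect)
drift_count() {
  sysctl_drift "$1" "$2" | awk 'END { print NR }'
}

echo "Drift in constructed snapshot:"
sysctl_drift "$EXPECTED" "$CURRENT"
# On the droplet itself, after `sudo sysctl -p`, compare the real file and kernel:
#   sysctl_drift "$(cat /etc/sysctl.conf)" "$(sysctl -a 2>/dev/null)"
```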
Prevent IP Spoofing
Step: Edit the host configuration file
sudo nano /etc/host.conf
Step: Add the following lines if they do not exist, or edit the existing ones to match:
order bind,hosts
nospoof on
Now this droplet has a few basic security measures taken care of.