Installing Ghost on Ubuntu, Nignx and MySQL - Part 2
In continuation of Installing Ghost on Ubuntu, Nignx and MySQL - Part 1
Now that you have secured your SSH connections, it is time to put up a firewall to secure all inbound network traffic.
Configuring UFW
Step: Install UFW (Uncomplicated firewall - not complicated at all, promise)
sudo apt-get update
sudo apt-get install ufw
Step: Add rules to allow inbound SSH (custom we configured previously) and HTTP (on port 80) traffic.
sudo ufw allow http
sudo ufw allow <your custom SSH port configured previously>
Step: Enable UFW and check status
sudo ufw enable
sudo ufw status verbose
You can check if your firewall is blocking other ports except SSH custom port and HTTP 80 using PortQryUI on windows or just telnet on windows using Telnet client feature or linux sudo apt-get install telnet
(just to be sure).
Also you can disable serving ping request (ICMP) on your droplet by
sudo nano /etc/ufw/before.rules
find the following lines
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
comment the following lines and save the file (Ctrl + x > Y > Enter).
Note: I had some issue related to not finding IP Tables while setting up UFW on Ubuntu 12.10 x64 in DigitalOcean droplet.
Few resolution if you find yourself facing similar situation.
Secure shared memory (Optional)
Step: Shared memory can be used in an attack against a running service (like Nignx in our case, I guess o.O)
sudo nano /etc/fstab
Go to to end of file and add the following line:
none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0
This will mount /run/shm writable, but without permission to execute programs, without permission to change the UID of running programs, or to create block or character devices in the namespace.
Step: Reboot your droplet so that following changes can take effect or remount /run/shm using following command:
sudo reboot
OR
sudo mount -o remount /run/shm
Note: You can skip this step if you are not completely sure or you get stuck due to this.
No SU for non-admin users
Step: Stop / deny su
access to non-admin user, use following command:
sudo groupadd admin
sudo usermod -a -G admin <admin username / demoghost>
sudo dpkg-statoverride --update --add root admin 4750 /bin/su
Secure your network configuration with sysctl
settings (Optional)
Step: Go to /etc/sysctl.d
if directory exist and find file 10-network-security.conf
if yes print output of this file:
cat /etc/sysctl.d/10-network-security.conf
Find below three lines:
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1
Note: Ordering doesn't matter.
If above three lines are present in 10-network-security.conf
then remove the same from below block of code.
Step: Open sysctl
configuration
sudo nano /etc/sysctl.conf
Step: Remove any existing content (except the one that refer to Digialocean settings) and paste following block of code
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
Step: Save the changes (Ctrl + x > Y > Enter) and reload sysctl
so this changes can take effect
sudo sysctl -p
Prevent IP Spoofing
Step: Edit host configuration
sudo nano /etc/host.conf
Step: Add if line does not exist or edit as below if already present
order bind,hosts
nospoof on
Now this droplet has few basic security measures taken care of.
Proceed to Part 3 of Installing Ghost on Ubuntu, Nignx and MySQL