Installing Ghost on Ubuntu, Nignx and MySQL - Part 2

In continuation of Installing Ghost on Ubuntu, Nignx and MySQL - Part 1

Now that you have secured your SSH connections, it is time to put up a firewall to secure all inbound network traffic.

Configuring UFW

Step: Install UFW (Uncomplicated firewall - not complicated at all, promise)

sudo apt-get update
sudo apt-get install ufw

Step: Add rules to allow inbound SSH (custom we configured previously) and HTTP (on port 80) traffic.

sudo ufw allow http
sudo ufw allow <your custom SSH port configured previously>

Step: Enable UFW and check status

sudo ufw enable
sudo ufw status verbose

You can check if your firewall is blocking other ports except SSH custom port and HTTP 80 using PortQryUI on windows or just telnet on windows using Telnet client feature or linux sudo apt-get install telnet (just to be sure).

Also you can disable serving ping request (ICMP) on your droplet by

sudo nano /etc/ufw/before.rules

find the following lines

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

comment the following lines and save the file (Ctrl + x > Y > Enter).

Note: I had some issue related to not finding IP Tables while setting up UFW on Ubuntu 12.10 x64 in DigitalOcean droplet.

Few resolution if you find yourself facing similar situation.

Secure shared memory (Optional)

Step: Shared memory can be used in an attack against a running service (like Nignx in our case, I guess o.O)

sudo nano /etc/fstab

Go to to end of file and add the following line:

none	/run/shm	tmpfs	rw,noexec,nosuid,nodev	0	0

This will mount /run/shm writable, but without permission to execute programs, without permission to change the UID of running programs, or to create block or character devices in the namespace.

Step: Reboot your droplet so that following changes can take effect or remount /run/shm using following command:

sudo reboot
OR
sudo mount -o remount /run/shm

Note: You can skip this step if you are not completely sure or you get stuck due to this.

No SU for non-admin users

Step: Stop / deny su access to non-admin user, use following command:

sudo groupadd admin
sudo usermod -a -G admin <admin username / demoghost>
sudo dpkg-statoverride --update --add root admin 4750 /bin/su

Secure your network configuration with sysctl settings (Optional)

Step: Go to /etc/sysctl.d if directory exist and find file 10-network-security.conf if yes print output of this file:

cat /etc/sysctl.d/10-network-security.conf

Find below three lines:

net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_syncookies=1

Note: Ordering doesn't matter.

If above three lines are present in 10-network-security.conf then remove the same from below block of code.

Step: Open sysctl configuration

sudo nano /etc/sysctl.conf

Step: Remove any existing content (except the one that refer to Digialocean settings) and paste following block of code

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0 
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0 
net.ipv6.conf.default.accept_redirects = 0

# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1

Step: Save the changes (Ctrl + x > Y > Enter) and reload sysctl so this changes can take effect

sudo sysctl -p

Prevent IP Spoofing

Step: Edit host configuration

sudo nano /etc/host.conf

Step: Add if line does not exist or edit as below if already present

order bind,hosts
nospoof on

Now this droplet has few basic security measures taken care of.

Proceed to Part 3 of Installing Ghost on Ubuntu, Nignx and MySQL