Previously we have shown how to host Wordpress site on multiple Digital Ocean droplets and use NFS for Shared Content storage and Digital Ocean Load Balancer to access the site, these tutorials can be found here, here and here.
The last tutorials did not mention anything about securing our infrastructure, we only wanted to have a Wordpress site up and running minimally, now we will explore how to secure access to our resources using Digital Ocean Firewall service.
What will we do?
This tutorial assumes you have completed the setup as described here.
In this tutorial you will
- Learn about Digital Ocean Firewall service and its uses.
- Use Digital Ocean Firewall service to add firewalls and apply them on Droplets.
- Secure NFS server using Cloud Firewalls
- Protect your FTP server using fail2ban.
Digital Ocean Firewalls
Firewall is a Digital Ocean Networking service, it can be used to restrict access to Droplets and Load Balancers using only the open ports, it makes it a lot easier to manage firewalls using this service because errors can be fixed easily, while if you manage firewalls manually on droplets you might lock your droplet in and need to reboot it or login via console to restore access.
Each firewall consists of these attributes:
- Inbound Rules: These rules apply for the traffic that enters the firewall,
in these rules we specify the allowed traffic, any traffic that does not
match is not allowed in, each rule has these attributes:
- Protocol: This specifies the protocol used for trafic it could be “tcp”, “udp” or “icmp”.
- Ports: Here we specify a port or range of ports for the allowed traffic, “80” means port 80 only, “1000-2000” means ports from 1000 to 2000 only.
- Sources: This is an object that specifies the allowed sources in, we will talk more about this object later on.
- Outbound Rules: These rules are applied for traffic that leaves the firewall, we specify allowed traffic out only and any other traffic is not allowed, each rule has Protocol and Ports just as Inbound Rules with a destinations object that specifies allowed destinations only.
In the sources and destinations attributes we have an object that specifies allowed locations (source or destination), there are 4 ways to specify these locations as follows:
- IP addresses: We can specify IP address in CIDR notation to allow traffic from or to this IP.
- Droplets: We can use the names of Droplets to allow traffic from or to Droplets by name.
- Droplet tags: We can use the tags applied to droplets here which means any droplet tagged with this tag will be allowed.
- Load Balancers: we can use the IDs of load balances here to allow traffic from or to a load balancer.
In the following screenshot we can see the Firewall creation page with all previous attributes.
By default we have one inbound rule to allow SSH traffic in, three outbound
rules to allow all kinds of traffic out (tcp, udp and icmp).
We need to add two inbound rules, one for allowing HTTP traffic in on port 80
from the load balancer only and the other is to allow FTP traffic in on port 21
from all IP addresses then we need to specify the name of the firewall then
Create Firewall button.
Apply firewall to droplets
Now after we created the firewall, we can see that the firewall’s page, Droplets
tab is empty, as this firewall is not assigned any droplets to it, to assign
droplets to it click
Add Droplets button, here you can select droplets by name
or by tag, as shown in the screenshot.
Secure NFS server using Cloud Firewalls
Now we still have the NFS server without any firewall, externally we only need to expose the SSH port so we can connect to the server remotely, however NFS server uses many ports to serve its clients, we need to specify which ports are used by NFS server and allow access to these ports from Wordpress droplets only.
Login to the NFS droplet and open this file
for this line and change it as follows
STATDOPTS="--port 32765 --outgoing-port 32766"
This will tell the statsd RPC daemon to use ports 32765 and 32766 to serve clients, this daemon is used by NFS server.
Open this file
/etc/default/nfs-kernel-server and look for this line
and change it as follows
RPCMOUNTDOPTS="--manage-gids -p 32767"
This will tell the mountd RPC daemon to use port 32767 when listening to client requests.
Now create this file
/etc/default/quota and add this content to it
This port will be used by quotad RPC daemon.
Finally create this file
/etc/sysctl.d/nfs-static-ports.conf and add this
content to it
fs.nfs.nfs_callback_tcpport = 32764 fs.nfs.nlm_tcpport = 32768 fs.nfs.nlm_udpport = 32768
Apply the last changes and restart NFS with these commands
sysctl --system systemctl restart nfs-kernel-server
After all of this is done, we can create the firewall for NFS server, allowing these ports in:
- Port 22 from all IPs for SSH.
- Port 2049 (tcp and udp) from Wordpress droplets.
- Port 111 (tcp and udp) from Wordpress droplets.
- Ports [32764-32769] (tcp and udp) from Wordpress droplets.
This screenshot shows the required configuration
Protect FTP using fail2ban
fail2ban is a software that can be used to ban IP addresses based on their behavior when trying to connect to our server, for example if someone tries to guess the password for FTP user using brute-force or using multiple failed attempts we must ban this IP and this is done automatically by fail2ban.
To install fail2ban use this simple command on the wordpress droplet where FTP is installed
apt install fail2ban -y
After fail2ban is installed copy its main configuration file using this command
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Open the new file and look for this section
[vsftpd] then add this line
[vsftpd] # or overwrite it in jails.local to be # logpath = %(syslog_authpriv)s # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats port = ftp,ftp-data,ftps,ftps-data logpath = %(vsftpd_log)s enabled = true
After you change the file restart fail2ban server to apply new changes using this command
Make sure changes are applied with this command
It should output something like this
Status |- Number of jail: 2 `- Jail list: sshd, vsftpd
Which means that SSH and VSFTPD jails are enabled, SSH was enabled by default.
Now if you try to access your FTP server using wrong username/password
multiple times you will get banned from connecting and get
You can also secure access to your Droplets using OpenVPN access server as described here, this method allows us to completely hide our droplets from the public internet and access them securely from the OpenVPN server by using their private IP addresses.
In this tutorial we learned how to secure your wordpress setup using Digital Ocean firewalls, this included applying firewalls to Wordpress droplets to allow HTTP traffic to it from the Load Balancer only, we also applied the right firewall rules to protect nfs server from accessing it outside the Wordpress droplets and finally we used fail2ban to protect our public FTP server.
I hope you find the content useful for any comments or questions you can contact me on my email address firstname.lastname@example.org
Stay tuned for more articles. :) :)