Does MUP include basic security?

SkinnyGeek1010 · December 29, 2015, 12:42am

I’m having trouble finding what MUP installs for you when it’s setup. Sifting through the source code it doesn’t seem like a firewall is setup (which is fine but I couldn’t find any docs either way).

My plan for a new Digital Ocean box was to:

apt-get update
apt-get upgrade

# prevent bruteforce on SSH
apt-get install fail2ban

# setup firewall
ufw allow 22
ufw allow 80
ufw allow 443
ufw enable

Thoughts? Any improvements I can make?

jacobin · December 29, 2015, 1:24am

Always change the default port for ssh. Seems to cut down chinese sourced spam in the logs. Generating a key isn’t all that difficult either and is preferable to entering a password.

I also disable root login and restrict sudo to a defined admin group then work my way through things like SYN and ICMP in /etc/sysctl.conf. However as your question is firewall related the above and most of the rest that I would suggest is out of scope.

SkinnyGeek1010 · December 29, 2015, 2:03am

This is great, thanks!!

I think we’re on the same page so far. I’ve disabled root SSH access and only a deploy user can login via keys and the sudo password is a long passphrase.

I haven’t looked into hardening /etc/sysctl.conf but am looking into it! Def. in scope! I’ve only dabbled in DevOps and know just enough to get myself in trouble

Do you use unattended-upgrades for security updates?

arunoda · December 29, 2015, 2:40am

Mup doesn’t do firewall stuff. We normally recommend to hosting a single meteor app on server.

We do stuffs to make it secure. Like stepping down user permissions. But if you host other apps it’s a good idea to use a firewall. Anyway, that’s a good idea anyway.

Fortunately, if you are using EC2 or Google Cloud firewall is enable by default. I hope digital ocean will have it soon.

benjamin79 · December 29, 2015, 9:40am

I don´t know about Digital Ocean, but aws offers using hardware based toked for authentication. I would recommend using a two factor based authentication.

jacobin · December 29, 2015, 10:28am

Make sure your iptables have a deny at the end of the chain.
use nmap to look for things you might have missed.
always use non-standard ports, not just for ssh but for databases (Navicat!) and anything else you might access remotely.
Don’t just rely upon fail2ban, scan /var/log daily.

As for detailed instructions there are dozens of guides on hardening linux if you google about. They differ slightly in terms of what distro you use, but not by much.

https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics

I generally start with Centos base and install what I need by hand. I find more comfort in that than trying to remove all the junk, usually outdated, that comes with the other installs like server/desktop.

I also tend to hate SELinux and disable it. It seemingly breaks everything.