VPS Security Hardening
-
Hi,
I plan to do security hardening on the VPS that hosts the Cloudron.
And whether the points below can affect Cloudron:
- Disable root login and use sudo user login
- Change the ssh port
- Disable all ports except the SSH port with a firewall (or any specific port that needs to be open for Cloudron to run? I.e. do HTTP and HTTPS need to be open as well?)
- Kernel hardening
Thanks in advance
-
Hello @leemuljadi
It is honorable that you'd like to improve the security.
@leemuljadi said in VPS Security Hardening:
Disable all ports except the SSH port with a firewall (or any specific port that needs to be open for Cloudron to run? I.e. do HTTP and HTTPS need to be open as well?)
Excuse me for being blunt.
If you have to ask such a question, you will do more damage and perhaps even create security risks.
If you've not read it yet, Cloudron does quite a lot for security already:
https://docs.cloudron.io/security/
The section about the firewall is here: https://docs.cloudron.io/security/#cloud-firewall
Regarding:
@leemuljadi said in VPS Security Hardening:
Disable root login and use sudo user login
and
@leemuljadi said in VPS Security Hardening:
Change the ssh port
There is a section specialized for that:
https://docs.cloudron.io/security/#securing-ssh-access
Perhaps reading up on that already answers a lot.
@leemuljadi said in VPS Security Hardening:
Kernel hardening
I'd never tinker with the kernel unless I know what I am doing.
And I cannot claim I know enough to tinker with the kernel.
-
@james thanks for your prompt response and sharing the references.
I have gone through the documentation that you pointed out above. It looks great, as Cloudron has already set up very robust security measures. And yes, it gives much more clarity now!
As per my understanding, points 1 and 2 are recommended by the documentation, and point 3 is pretty much done by Cloudron by internally setting up iptables, as in the Cloud Firewall section. Could you confirm that my understanding is correct?
I also appreciate your openness in sharing your thoughts. Just in case, I want to clarify the "more damage and perhaps even create security risks" mentioned below:
@james said in VPS Security Hardening:
If you have to ask such a question, you will do more damage and perhaps even create security risks.
Was it because it's already been done by Cloudron, as in the Cloud Firewall section, so we don't need to mess around with it, or do you have any other concern?
Thanks for your help.
-
Hello @leemuljadi
@leemuljadi said in VPS Security Hardening:
As per my understanding, points 1 and 2 are recommended by the documentation, and point 3 is pretty much done by Cloudron by internally setting up iptables, as in the Cloud Firewall section. Could you confirm that my understanding is correct?
Yes, you are correct with your understanding.
@leemuljadi said in VPS Security Hardening:
Was it because it's already been done by Cloudron, as in the Cloud Firewall section, so we don't need to mess around with it, or do you have any other concern?
Since you asked the following:
I.e. do HTTP and HTTPS need to be open as well?
If you are missing the networking knowledge that web services need HTTP and HTTPS to function at all, tinkering with the firewall without extended knowledge about networking will cause problems/damage.
If you'd follow up on that and block 80/HTTP and 443/HTTPS in your firewall, you would not be able to access your Cloudron anymore in the browser.
So my concern is the following:
If you tinker with important functional parts like security or networking without the needed knowledge, you might cause problems that you'll be unable to resolve again.
I take this approach with a car as well.
I can change the wiper fluid, but do I truly understand enough to change the brake line fluid, such a critical part that makes me stop the car?
But you only learn from research and trying.
I still fully encourage you to go ahead and research what parts of security you'd like to improve and try it.
But do not do it on your "production" system that you are using.
Create a small cheap VPS with Cloudron and you can tinker with that instance as much as you like without risking any problems with your "production" system.
Once you are comfortable with what you did on the secondary, you could apply this to the "production" system.
Sticking with the car analogy:
Get a second cheap car that you can work on and understand the mechanics without the risk of having your brakes fail at a red light.
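The two SSH items in the first post (disable root login, change the port) and james's point about 80/443 share one failure mode: a firewall or sshd change that does not match what the host actually needs, which locks the operator out. The script below is an added example for this thread, not Cloudron's code and not taken from its docs. It reads the values sshd will actually use from an sshd_config file (first value per keyword wins, so a hardening line appended below an existing setting is silently ignored) and checks a proposed firewall allow-list against 80, 443 and sshd's real port. The function names, the two sample configs and the PasswordAuthentication check (which the thread does not mention) are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example for this thread; not Cloudron's code and not from its docs.
# Pre-flight check before changing sshd or the firewall on a VPS:
#   1. read the settings sshd will actually use from an sshd_config file
#   2. compare a proposed firewall allow-list against the ports the host needs
# Assumed from the thread: the host needs 80/tcp and 443/tcp for the browser
# UI plus whatever port sshd listens on. Function names are hypothetical.

# First value of a keyword outside any Match block, or "" if unset.
# sshd_config keywords are case-insensitive and the FIRST obtained value wins.
# Handles the "Keyword value" form only; does not follow Include lines.
ssh_setting() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*(#|$)/   { next }            # comments and blank lines
    tolower($1) == "match" { exit }            # Match blocks run to end of file
    tolower($1) == key     { print $2; exit }  # first occurrence wins
  ' "$1"
}

# Every Port sshd listens on, space-separated (Port may be given more than
# once); 22 if none is set. A commented-out "#Port 22" still means 22.
ssh_ports() {
  local ports
  ports=$(awk '
    /^[[:space:]]*(#|$)/   { next }
    tolower($1) == "match" { exit }
    tolower($1) == "port" && NF >= 2 { print $2 }
  ' "$1" | awk '!seen[$0]++' | tr '\n' ' ' | sed 's/ *$//')
  printf '%s\n' "${ports:-22}"
}

# Findings for the "disable root login" step, plus password authentication
# (beyond the thread, but it decides whether the other two steps buy much).
# Prints one finding per line; returns 1 if there are any.
# Do not set PasswordAuthentication no before a key login is confirmed working.
ssh_hardening_findings() {
  local cfg="$1" v found=0
  v=$(ssh_setting "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
  v=${v:-prohibit-password}            # OpenSSH default since 7.0
  if [ "$v" != "no" ]; then
    echo "PermitRootLogin is '$v' (want: no)"; found=1
  fi
  v=$(ssh_setting "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')
  v=${v:-yes}                          # OpenSSH default
  if [ "$v" != "no" ]; then
    echo "PasswordAuthentication is '$v' (want: no, once key login works)"; found=1
  fi
  return "$found"
}

# Compare a proposed allow-list (comma-separated TCP ports) with what the host
# needs: 80 and 443 for the web UI plus every port sshd listens on, so that
# "moved SSH to 2222 but the firewall still only allows 22" is caught before
# it locks you out. Prints the missing ports; returns 1 if any are missing.
firewall_plan_check() {
  local allowed cfg="$2" need p missing=""
  allowed=",$(printf '%s' "$1" | tr -d ' '),"
  need="80 443 $(ssh_ports "$cfg")"
  for p in $need; do
    case "$allowed" in
      *",$p,"*) ;;
      *) missing="$missing $p" ;;
    esac
  done
  if [ -n "$missing" ]; then
    echo "proposed rules would block required ports:${missing}"
    return 1
  fi
  echo "ok: allow-list covers ${need}"
}

# Constructed sample configs (not copied from any real host). Writes them to
# a temp dir and prints its path.
write_sample_configs() {
  local d
  d=$(mktemp -d)
  cat >"$d/weak" <<'EOF'
# distro-style default: root login on, port commented out, and a hardening
# line appended at the bottom that sshd ignores because "yes" came first
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
  cat >"$d/hardened" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
EOF
  printf '%s\n' "$d"
}

# Stand-alone demo: the hardened config passes, but an allow-list copied from
# the old setup (22,80,443) would lock its operator out of the hardened host.
demo() {
  local d f
  d=$(write_sample_configs)
  for f in weak hardened; do
    echo "== $f: sshd listens on $(ssh_ports "$d/$f")"
    ssh_hardening_findings "$d/$f" || :
    firewall_plan_check "22,80,443" "$d/$f" || :
  done
  rm -rf "$d"
}
demo
```

Run it against the allow-list you intend to apply (host firewall or the provider's) and /etc/ssh/sshd_config before changing anything, and keep an existing SSH session open while the new rules go in. Two caveats this parser does not cover: it does not follow Include lines, and on Ubuntu the default sshd_config Includes sshd_config.d/*.conf near the top, so a drop-in there takes precedence over the main file; and on Ubuntu releases where sshd is socket-activated (ssh.socket), the port has to be changed in the socket unit as well. On the real host, `sudo sshd -T` prints the effective configuration with all of that resolved, which is the value to trust.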
-
@james makes sense! Thanks for your thorough explanations.