We have created a poll on Twitter about Firewall configuration : https://twitter.com/WordOps_/status/1161948085368557568
The question is : Should WordOps configure the firewall during installation ?
Additional information : By "configure the firewall", we mean setting up UFW and to set the minimal configuration for WordOps. Example available here :https://git.io/fjdsm
Share your thoughs !
No thanks, or option to not do this when installing. Settings will always need tweaking there is no point
I restrict direct access to the webserver from all IPs except Cloudflare. I understand this is not for everyone as all sites on the server would be required to use the Cloudflare proxy, but it does offer more security.
It's part of my EE/WO backup scripts here: https://github.com/microram/ee4-tools/blob/master/common/cloudflare-ufw
mram I think it is a good practice, for the ones who can implement it.
i don't have a twitter account, but my vote is for UFW configuration to be optional rather than the default.
although configuring UFW is obviously an important security step (all my servers have UFW configured by an ansible setup playbook that i run immediately after spinning them up), setting up UFW correctly is context dependent and if it isn't done according to the services that a particular box is offering, it can break things that were working. I think anything that can break things that were previously working should be opt-in rather than opt-out.
Hello pjv,
by setting automatically the minimal rules for WordOps with UFW, we make sure there are no servers running WordOps without a firewall. In my opinion, every server with a public IP should be configured with a firewall, but the most part of people will not configure it themself, so it's seems smarter to me to perform this configuration by default, and to allow advanced users to skip this step.
Here the UFW configuration function :
# get custom ssh port
if [ -f /etc/ssh/sshd_config ]; then
CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')
fi
# define firewall rules
if ! grep -q "LOGLEVEL=low" /etc/ufw/ufw.conf; then
ufw logging low
fi
if ! grep -q 'DEFAULT_OUTPUT_POLICY="ACCEPT"' /etc/default/ufw; then
ufw default allow outgoing
fi
if ! grep -q 'DEFAULT_INPUT_POLICY="DROP"' /etc/default/ufw; then
ufw default deny incoming
fi
if ! grep -q "\-\-dport 22 -j" /etc/ufw/user.rules; then
# default ssh port
ufw limit 22
fi
# custom ssh port
if [ "$CURRENT_SSH_PORT" != "22" ]; then
if ! grep -q "\-\-dport $CURRENT_SSH_PORT -j" /etc/ufw/user.rules; then
ufw limit "$CURRENT_SSH_PORT"
fi
fi
# nginx
if ! grep -q "\-\-dport 80 -j" /etc/ufw/user.rules; then
# http
ufw allow http
fi
if ! grep -q "\-\-dport 443 -j" /etc/ufw/user.rules; then
# https
ufw allow https
fi
# ntp
if ! grep -q "\-\-dport 123 -j" /etc/ufw/user.rules; then
ufw allow 123
fi
if ! grep -q "\-\-dport 22222 -j" /etc/ufw/user.rules; then
# wordops backend
ufw limit 22222
fi
# enable ufw
if [ -n "$CURRENT_SSH_PORT" ]; then
if ! grep -q "ENABLED=yes" /etc/ufw/ufw.conf; then
ufw --force enable
else
ufw reload
fi
fi
# remove ufw from syslog
if [ -f /etc/rsyslog.d/20-ufw.conf ]; then
sed -i 's/\#\& stop/\& stop/' /etc/rsyslog.d/20-ufw.conf
service rsyslog restart
fiHosted by VirtuBox