By: psmod2

Can still ping IP even though only 1 droplet allowed via SSH

February 4, 2017
Security Ubuntu 16.04

Hi,

I have 2 droplets, one containing my DB and one my app.

On the DB droplet I have UFW installed, allowing only the IP of my app's droplet; however, when I ping the IP from my laptop it returns data.

Is this how it's supposed to be? I would have expected it not to do that.

Only my app droplet should have access to that DB droplet - absolutely nothing else.

Thanks.

2 Answers

@psmod2

You'll need to edit /etc/ufw/before.rules and modify two lines -- in both cases, we're replacing ACCEPT with DROP.

#01

-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

to

-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

#02

-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

to

-A ufw-before-forward -p icmp --icmp-type echo-request -j DROP

... and then run sudo ufw disable && sudo ufw enable.

You can also edit /etc/sysctl.conf and drop in:

net.ipv4.icmp_echo_ignore_all=1

... then run sudo sysctl -p to load the changes.

Once these changes have been made, you should see something similar to:

Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
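
The two before.rules edits described in the answer above, carried out by a script, as an added example that is not part of the original answer. It works on a constructed excerpt of /etc/ufw/before.rules (the stock layout, assumed here) so it can be run anywhere; on a real host you would point it at the live file after backing it up, then run sudo ufw disable && sudo ufw enable as the answer says. The edit is limited to the two echo-request lines, so the other ICMP types (destination-unreachable, time-exceeded, parameter-problem) keep their ACCEPT and path MTU discovery and TTL-exceeded replies keep working. These rules live in before.rules because UFW evaluates that file ahead of the user-added allow rules, which is why the per-IP allow alone did not stop ping.

```shell
#!/bin/sh
# Added example (not from the original answer): flip UFW's two ICMP
# echo-request rules from ACCEPT to DROP in a before.rules-style file and
# verify the result. The sample content below is constructed for the demo.

# Write a constructed excerpt mirroring the stock /etc/ufw/before.rules layout.
make_sample_rules() {
  cat > "$1" <<'EOF'
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
EOF
}

# Rewrite only the two echo-request rules (input and forward chains).
# Other ICMP types are left untouched. Writes to a temp file and moves it
# into place, so it behaves the same on GNU and BSD sed.
drop_echo_requests() {
  tmp="$1.tmp"
  sed \
    -e 's/^\(-A ufw-before-input -p icmp --icmp-type echo-request -j \)ACCEPT$/\1DROP/' \
    -e 's/^\(-A ufw-before-forward -p icmp --icmp-type echo-request -j \)ACCEPT$/\1DROP/' \
    "$1" > "$tmp" && mv "$tmp" "$1"
}

# Number of echo-request rules still set to ACCEPT (0 after the edit).
# grep -c exits 1 when the count is 0 but still prints "0", hence "|| true".
count_echo_accept() {
  grep -c -- '--icmp-type echo-request -j ACCEPT' "$1" || true
}

# Number of echo-request rules now set to DROP (2 after the edit).
count_echo_drop() {
  grep -c -- '--icmp-type echo-request -j DROP' "$1" || true
}

# Demo on a throwaway copy: run as  sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp)
  make_sample_rules "$f"
  echo "echo-request ACCEPT rules before: $(count_echo_accept "$f")"
  drop_echo_requests "$f"
  echo "echo-request ACCEPT rules after:  $(count_echo_accept "$f")"
  echo "echo-request DROP rules after:    $(count_echo_drop "$f")"
  rm -f "$f"
fi
```

After applying the same edit to the real file and reloading UFW, grep for "echo-request -j DROP" in /etc/ufw/before.rules to confirm both lines took, and check the kernel-level setting from the answer with sysctl net.ipv4.icmp_echo_ignore_all if you used that route as well.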

Thanks - so as a security precaution, is this something commonly followed? (I only randomly thought about it.)

Also - is there anything else I should implement in addition to my UFW? Setting up fail2ban later today as well?
