Question
Security Tips and Suggestion - Dokku - Node.js App
- Posted on January 25, 2017
- DokkuNode.jsSecurityUbuntu 16.04
Asked by psmod2
Hello,
I’ve recently moved from Heroku to a droplet running Dokku which runs my node.js web app.
I’d like to ask what security suggestions I should follow to minimise any risk of getting hacked.
As its a web app, I’m a little unsure as it needs to be accessible to the world - but how to I secure.
So far:
- Ive disabled root login.
- Created a new sudo account
- Disabled password logins/only ssh keys
- Unsure about firewall - what rules etc I should have?
Any help and advice would be appreciated.
Thanks!
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Get our biweekly newsletter
Sign up for Infrastructure as a Newsletter.
Hollie's Hub for Good
Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.
Become a contributor
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
@psmod2
The first steps I normally perform are updating the packages and upgrading current packages to make sure everything that’s default is up to date.
Once that’s done, I’ll handle setting up a new user, add them to the sudo group, and test that the user is able to actually use
sudoto escalate and run commands that would otherwise requireroot.If all is well there, then I’ll setup firewall rules. Since you’re using Ubuntu, this is super easy. We can use
ufwand ultimately, we would setup a default policy to deny any connection that we don’t allow through with rules we’ll add afterwards.So, first we should make sure
ufwis not enabled.If it returns
enabled, runsudo ufw disable, otherwise well go ahead and setup our default deny.Now, to setup our rules, we need to figure out what ports we need open for public access. We need at least SSH, HTTP, and HTTPS.
We’re using
/tcpto define the connection type. This means that we only want to allow connections on these ports using TCP (not UDP).Beyond SSH, HTTP, and HTTPS, you would also need to add any rules to cope with connections on other public ports. So, for example, if you needed remote database access to MySQL, you’d have to open that port up as it’d be blocked with just the above rules in place.
Once all rules are set, we then need to enable the firewall.
It’ll ask you if you really want to enable and that enabling may cause your current connection to drop. Type
yand hit enter. As long as SSH has been setup (as shown above), the connection won’t drop.Beyond a Firewall, there’s also
fail2ban, which is useful. Setting it up requires a little more, though it’s definitely something to consider.I would also make sure directory and file permissions are properly setup – that is, files should have a
chmodof644and directories755. Also, proper ownership of files and directories should be set as you don’t want public files being served by therootuser. I even tend to go a step further and only serve files and directories from a non-root, non-sudo user. Just a basic, unprivileged, non-shell user that can’t do anything other than own files and directories.