Let's say you are ready for production and want to host your services in the cloud. Are you production ready? This is a step-by-step guide to beefing up your production server to prevent various attacks and make sure it is safe. Let's start, shall we? I am going to use Linode. Since this is a small-scale production server, I am going to set up a shared VPS; I will use the 2GB Linode for now.
Make sure to set a very strong root password, then set up SSH. On your local machine, generate a key pair if you don't already have one. I decided to go with the ed25519 format:
ssh-keygen -t ed25519
cat ~/.ssh/id_ed25519.pub
Once created, you'll need to add the .pub key in the SSH Keys section in Linode when creating the instance. You can also choose to add the backup option, but that costs more. Wait 1 to 2 minutes, then log in to your server as root. Do the initial system setup, that is, apt update and apt upgrade, then reboot. Now the server is ready for hardening. Let's create a non-root user with sudo rights, then log in with the new credentials (the commands below are shown as root; prefix them with sudo if you run them as the new user):
adduser deploy
usermod -aG sudo deploy
Now let's restrict SSH to public-key authentication only. Note that Ubuntu's sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf and sshd keeps the first value it reads for each keyword, so check the drop-ins in that directory too (cloud images ship 50-cloud-init.conf with PasswordAuthentication yes, which would silently override what you set here):
vi /etc/ssh/sshd_config
Set the following:
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
UsePAM no
Also make sure AuthorizedKeysFile .ssh/authorized_keys is set (it is the default). A caveat on UsePAM: Ubuntu's default is UsePAM yes, and PAM is what enforces account checks such as locked or expired accounts, so many admins keep it on. If you do keep it on, also set KbdInteractiveAuthentication no (ChallengeResponseAuthentication no on older OpenSSH); otherwise PAM can still accept a password through keyboard-interactive login even with PasswordAuthentication no.
Add your public key (the contents of id_ed25519.pub) to the new user you created:
mkdir -p /home/deploy/.ssh
vi /home/deploy/.ssh/authorized_keys
Fix ownership and permissions (sshd refuses keys from a world-readable directory):
chown -R deploy:deploy /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
chmod 600 /home/deploy/.ssh/authorized_keys
Validate the configuration with sshd -t, then restart SSH:
systemctl restart ssh
Open another terminal and test the key login as the new user before closing the initial session, so a mistake does not lock you out.
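The trap in that last check is that sshd keeps the first value it reads for each keyword and reads Include files in place, so a drop-in under /etc/ssh/sshd_config.d/ can quietly undo the edits above while sshd -t still reports the file as valid. The script below is an added example, not part of the original post: it resolves the effective settings the way sshd does and audits them against the values set here. It builds a constructed temporary stand-in for /etc/ssh (the build_demo, effective_settings and audit names are mine) so it runs anywhere; on the server, point audit() at the real /etc/ssh/sshd_config.

```python
"""Audit the effective sshd configuration.

sshd keeps the FIRST value it reads for each keyword and expands `Include`
in place, so a drop-in under /etc/ssh/sshd_config.d/ (Ubuntu cloud images
ship 50-cloud-init.conf with `PasswordAuthentication yes`) wins over the
same keyword edited further down in sshd_config.
"""
import glob
import os
import tempfile

# The settings this hardening step asks for (sshd keywords are case-insensitive).
REQUIRED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
}


def effective_settings(path, seen=None):
    """Return {keyword: value} as sshd would resolve them: first match wins,
    Include files are read at the point where the directive appears (glob
    order), and parsing stops at the first Match block, whose settings are
    conditional and outside the scope of this audit."""
    seen = {} if seen is None else seen
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            parts = line.split(None, 1)
            key = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ""
            if key == "match":
                break
            if key == "include":
                # sshd resolves relative patterns under /etc/ssh; Ubuntu's
                # Include line and this demo both use absolute paths.
                for pattern in value.split():
                    for included in sorted(glob.glob(pattern)):
                        effective_settings(included, seen)
            else:
                seen.setdefault(key, value.lower())
    return seen


def audit(path):
    """List (keyword, expected, effective) for every required setting that is
    not in force; an empty list means the hardening actually applies."""
    eff = effective_settings(path)
    return [(k, want, eff.get(k, "<sshd default>"))
            for k, want in REQUIRED.items() if eff.get(k) != want]


def build_demo():
    """Constructed stand-in for /etc/ssh: a hardened sshd_config that still
    carries Ubuntu's Include line, plus the cloud-init drop-in.
    Returns (sshd_config path, drop-in path)."""
    root = tempfile.mkdtemp()
    dropin_dir = os.path.join(root, "sshd_config.d")
    os.mkdir(dropin_dir)
    dropin = os.path.join(dropin_dir, "50-cloud-init.conf")
    with open(dropin, "w") as fh:
        fh.write("PasswordAuthentication yes\n")
    main = os.path.join(root, "sshd_config")
    with open(main, "w") as fh:
        fh.write(
            f"Include {dropin_dir}/*.conf\n"
            "PermitRootLogin no\n"
            "# The next line is ignored by sshd: the drop-in above came first.\n"
            "PasswordAuthentication no\n"
            "PubkeyAuthentication yes\n"
            "X11Forwarding no\n"
            "AuthorizedKeysFile .ssh/authorized_keys\n"
        )
    return main, dropin


if __name__ == "__main__":
    main_cfg, dropin_cfg = build_demo()
    print("before:", audit(main_cfg))
    # The fix: override (or delete) the drop-in, then re-check.
    with open(dropin_cfg, "w") as fh:
        fh.write("PasswordAuthentication no\n")
    print("after: ", audit(main_cfg))
```

On a live server, sshd -T prints the same effective values and is the authoritative check; the script is useful because it shows which file is responsible for a surprising value.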
Now let's set up the firewall (UFW):
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow OpenSSH
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable
Since we need a web server, let's install nginx:
sudo apt install nginx -y
sudo systemctl enable nginx
sudo systemctl start nginx
Test your web server in the browser:
http://SERVER_IP
Perfect, now our web server is running.
Adding your domain to Cloudflare
Now that your server is up and running, let's add our domain to Cloudflare. I am going to use the free tier. Log in to Cloudflare, navigate to Domains, then add your domain.
When you click Continue, Cloudflare scans for existing DNS records and imports any it finds; in my case the records were set up on Linode. At your registrar (GoDaddy in my case), replace the Linode nameservers with the ones Cloudflare gives you. Keep in mind that Cloudflare only protects traffic that passes through it: anyone who discovers the origin IP can still connect to ports 80 and 443 directly, so make sure the A/AAAA records are proxied (orange cloud) and consider restricting those ports to Cloudflare's published IP ranges instead of the blanket ufw allow 80/443 above.
Now let's create a Cloudflare Origin Certificate (SSL/TLS > Origin Server in the dashboard). Origin certificates are issued by Cloudflare's own CA, so browsers connecting to the server directly will not trust them; they are meant only for the Cloudflare-to-origin hop. Set the zone's SSL/TLS encryption mode to Full (strict) so Cloudflare actually verifies this certificate; in Flexible mode Cloudflare would talk to your origin over plain HTTP.
Copy the Origin Certificate and Private Key and install them on the server:
sudo mkdir /etc/ssl/cloudflare
sudo vi /etc/ssl/cloudflare/origin.pem
sudo vi /etc/ssl/cloudflare/origin.key
Set permissions so only root can read the private key (both files are owned by root since they were created with sudo; the certificate itself may stay readable):
sudo chmod 600 /etc/ssl/cloudflare/origin.key
Now let's configure nginx with TLS:
sudo vi /etc/nginx/sites-available/example.com
Add the following configuration and update the names and paths accordingly:
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;
    ssl_certificate /etc/ssl/cloudflare/origin.pem;
    ssl_certificate_key /etc/ssl/cloudflare/origin.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    root /var/www/example.com;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
Now letās enable our site:
sudo mkdir /var/www/example.com
sudo chown -R deploy:deploy /var/www/example.com
sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
Once that is done, let's fix the real client IP for Cloudflare. This configures the web server to log the actual visitor's address instead of Cloudflare's proxy IPs, which matters for logs, rate limiting and any IP-based allow-lists.
Add the following inside the http { } block of the nginx config (it uses ngx_http_realip_module, which Ubuntu's nginx packages include):
sudo vi /etc/nginx/nginx.conf
# Use Cloudflare real IP
real_ip_header CF-Connecting-IP;
# Trust Cloudflare IP ranges
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
real_ip_recursive on;
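Two things about this block are worth seeing concretely: set_real_ip_from is what stops a client that reaches the origin directly from forging CF-Connecting-IP, and the same ranges are what the firewall step earlier should have allowed on 80/443 instead of the whole internet. The script below is an added example, not code from the post or from Cloudflare: it models the decision nginx's realip module makes for a few constructed connections and turns the range list into ufw rules. CLOUDFLARE_IPV4 is the post's list; the is_trusted_proxy, client_ip and ufw_rules names are mine.

```python
"""Model of the trust decision behind `set_real_ip_from`, plus the matching
firewall rules.

`real_ip_header CF-Connecting-IP` only helps if nginx believes that header
exclusively from Cloudflare's addresses; otherwise anyone who reaches the
origin IP directly can forge the client address seen by logs, rate limits
and allow-lists. Restricting 80/443 to the same ranges keeps such direct
connections out at the firewall.
"""
import ipaddress

# Cloudflare's IPv4 ranges as listed in the post. This is a snapshot: the
# current list is published at https://www.cloudflare.com/ips-v4 (and
# /ips-v6 if the Linode has IPv6 enabled), so regenerate rules from it.
CLOUDFLARE_IPV4 = [
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
]
TRUSTED = [ipaddress.ip_network(c) for c in CLOUDFLARE_IPV4]


def is_trusted_proxy(peer_ip):
    """True if the TCP peer falls inside one of the set_real_ip_from ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED)


def client_ip(peer_ip, cf_connecting_ip=None):
    """The address nginx's realip module would expose as $remote_addr:
    the header value only when the peer is Cloudflare, the peer otherwise.
    A missing or malformed header also leaves the peer address in place."""
    if cf_connecting_ip is not None and is_trusted_proxy(peer_ip):
        try:
            return str(ipaddress.ip_address(cf_connecting_ip))
        except ValueError:
            pass
    return peer_ip


def ufw_rules(ports=(80, 443)):
    """ufw commands allowing the web ports only from Cloudflare; use these
    in place of the blanket `ufw allow 80` / `ufw allow 443` once DNS is
    proxied (the OpenSSH rule stays as configured earlier)."""
    return [f"sudo ufw allow from {cidr} to any port {port} proto tcp"
            for cidr in CLOUDFLARE_IPV4 for port in ports]


if __name__ == "__main__":
    # Constructed connections: one via Cloudflare, one direct hit on the
    # origin with a forged header, one direct hit with no header.
    samples = [
        ("172.64.1.1", "203.0.113.9"),
        ("198.51.100.7", "203.0.113.9"),
        ("198.51.100.7", None),
    ]
    for peer, header in samples:
        print(f"peer={peer:<14} CF-Connecting-IP={str(header):<12} "
              f"-> $remote_addr={client_ip(peer, header)}")
    print("\n".join(ufw_rules()))
```

If you apply the generated rules, delete the two broad ufw allow 80 and 443 rules afterwards (ufw status numbered, then ufw delete N), and schedule a refresh of the range list, since an address Cloudflare adds later would otherwise be blocked.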
Validate with nginx -t, then reload nginx. These ranges are a snapshot: Cloudflare publishes the current list at https://www.cloudflare.com/ips/, and if your Linode has IPv6 enabled the IPv6 ranges need to be added as well. Only peers listed in set_real_ip_from are allowed to set the client address through the header, which is what prevents a direct connection to the origin from forging CF-Connecting-IP. You can enable more features on the Cloudflare dashboard according to your preference.
Now that our server is behind a CDN, let's set up Go and React, since that is what I use. First install the necessary packages.