For years, I've been deploying to servers I've personally managed. For some developers, especially with the rise of fully managed services, this seems impossible to do right. But I don't think that's true. I believe there's one rule to apply that will prevent 99.9% of problems down the road: locking the server fully. Indeed, most vulnerabilities are created by us messing up the configuration on our servers. But if the server is unavailable to the outside world, then you should be safe even if you mistakenly open things up.
Here's how to do it without hindering your work.
1. Lock the server at the level of your hosting provider
Commonly, we'll use firewall software such as ufw to restrict access to the server. Doing so hinges on us not messing up the configuration. I find it a lot safer to use the firewall of your hosting provider.
Here's the configuration I've been using for years on Hetzner. Basically, I have 0 rules allowing for inbound traffic.
2. Allowing yourself to access the server
Of course, you'll still need a way to access the server yourself. The approach I used initially was to whitelist my personal IP. This works perfectly fine but can be annoying if your IP changes often. It also doesn't scale well if you're working with a team.
Over the last couple of years, I've moved to using Tailscale, which is a sort of VPN service that creates a private network between all of your devices and servers. Its performance is great and it gives a lot of configuration options. They have a very decent free plan and the price for teams is very modest. There are open-source alternatives, but considering that this is about having a safe setup, I prefer not to deal with this myself.
3. Acting as if the server isn't firewalled
Just because your server is unavailable to the outside world doesn't mean you should open every door. Always require credentials. Act as if the server weren't behind a firewall. This small amount of paranoia will help you achieve two strong layers of safety.
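One way to see which services are relying on the provider firewall alone, as an added example that is not part of the original post: the script classifies listening TCP sockets from `ss -H -tln` output as loopback-only, tailnet-only, or bound to an address that would be reachable if an inbound rule were ever opened. The sample output is constructed, and the Tailscale ranges (100.64.0.0/10 and fd7a:115c:a1e0::/48) are assumed to be used by no other interface on the host.

```python
import ipaddress

# Ranges Tailscale assigns node addresses from (assumption: nothing else on
# this host uses them).
TAILNET = [ipaddress.ip_network("100.64.0.0/10"),
           ipaddress.ip_network("fd7a:115c:a1e0::/48")]

# Constructed sample of `ss -H -tln` output.
SAMPLE = """\
LISTEN 0 128  0.0.0.0:22            0.0.0.0:*
LISTEN 0 511  127.0.0.1:6379        0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53      0.0.0.0:*
LISTEN 0 244  100.101.102.103:5432  0.0.0.0:*
LISTEN 0 4096 [::]:80               [::]:*
LISTEN 0 128  *:9100                *:*
LISTEN 0 128  203.0.113.10:8080     0.0.0.0:*
"""

def classify(local):
    """Classify one 'Local Address:Port' value as local, tailnet or exposed."""
    host, _, port = local.rpartition(":")
    host = host.split("%")[0].strip("[]")  # drop %iface suffix and IPv6 brackets
    if host in ("*", "0.0.0.0", "::"):     # wildcard bind: every interface
        return "exposed", int(port)
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "local", int(port)
    if any(addr in net for net in TAILNET):
        return "tailnet", int(port)
    return "exposed", int(port)

def audit(ss_output):
    """Return sorted (port, bind address) pairs protected only by the provider firewall."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        kind, port = classify(fields[3])
        if kind == "exposed":
            findings.add((port, fields[3]))
    return sorted(findings)

if __name__ == "__main__":
    for port, bind in audit(SAMPLE):
        print(f"port {port} listens on {bind}: require credentials or rebind it")
```

On a real server, pass the captured output of `ss -H -tln` to `audit()` instead of the sample.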
And that's it! It's easy to set up, doesn't take any extra effort day-to-day, and you're safe in case you mistakenly open something on your server.