Setting up a VPS for website hosting - Part 4
UFW, Fail2Ban, and Certbot
The next steps are the easiest, and they are the ones that matter most for security. UFW is our firewall, Fail2Ban bans IP addresses that keep failing SSH logins, and Certbot is one way to obtain a TLS certificate so that the website is served over HTTPS.
UFW
UFW stands for Uncomplicated FireWall. It is a simple front end to the Linux packet filter (iptables/nftables) that we will use to drop every incoming connection except the ones we want: ssh, so that you can log in, and http/https, so that visitors can reach the site. Outgoing connections stay allowed, because the server itself needs to reach package mirrors and the certificate authority. To install it, run:
sudo apt install ufw
To set it up and configure it, run the following in this order (allow ssh before you enable the firewall, or you can lock yourself out of the server):
sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw enable
sudo ufw status verbose
Note that "sudo ufw enable" is the command that actually switches the firewall on and makes it come back at boot; "systemctl start ufw" on its own leaves the firewall inactive until it has been enabled once, which is what the last command is there to confirm. Port 80 (http) is opened as well as 443: Certbot's HTTP-01 challenge in the section below is served on port 80, and so is the redirect from http:// to https:// that Certbot offers to set up. If you moved ssh to a non-standard port, allow that port number instead of "ssh". In summary, the rules deny all incoming connections except ssh, http and https, and allow all outgoing connections, which is what the server needs for apt updates and for talking to Let's Encrypt.
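A quick way to confirm that the rules above did what you intended is to audit the output of "sudo ufw status verbose" rather than trust the commands succeeded. The script below is an added example (not part of the original post and not a UFW tool): audit_ufw reads a status listing from stdin and fails if the firewall is not active, if the default incoming policy is not deny, or if any ALLOW IN rule opens a port outside the allowlist you pass in. The status listings it runs against are constructed samples in the format ufw prints, not output captured from a real host.

```shell
#!/bin/sh
# Added example: audit a "ufw status verbose" listing against the intended
# rules. On a real host:  sudo ufw status verbose | audit_ufw "22 80 443"
audit_ufw() {
  allowed="$1"          # space-separated port numbers we expect to be open
  status=$(cat)         # the ufw status text, read from stdin
  rc=0
  printf '%s\n' "$status" | grep -q '^Status: active' \
    || { echo "FAIL: ufw is not active (did you run 'sudo ufw enable'?)"; rc=1; }
  printf '%s\n' "$status" | grep -q '^Default: deny (incoming)' \
    || { echo "FAIL: default incoming policy is not deny"; rc=1; }
  # Port column of every ALLOW IN rule: "443/tcp (v6)" -> "443"
  open_ports=$(printf '%s\n' "$status" | grep 'ALLOW IN' \
    | awk '{ split($1, a, "/"); print a[1] }' | sort -u)
  for port in $open_ports; do
    case " $allowed " in
      *" $port "*) ;;
      *) echo "FAIL: unexpected open port $port"; rc=1 ;;
    esac
  done
  [ "$rc" -eq 0 ] && echo "OK: only ports [$allowed] are reachable from outside"
  return "$rc"
}

# Constructed sample (not captured from a real host) of what
# "sudo ufw status verbose" prints after the rules in this section.
GOOD_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# Constructed sample of the same host after someone ran "ufw allow 3306" to
# reach a database from outside: the audit should flag that port.
BAD_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
3306                       ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
3306 (v6)                  ALLOW IN    Anywhere (v6)'

printf '%s\n' "$GOOD_STATUS" | audit_ufw "22 80 443"
printf '%s\n' "$BAD_STATUS"  | audit_ufw "22 80 443" || true
# What you see when the firewall was started with systemctl but never enabled:
printf 'Status: inactive\n'   | audit_ufw "22 80 443" || true
```

The third call reproduces the trap from the original command list: an unenabled UFW reports "Status: inactive" and the audit fails immediately, before looking at any rule.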
Fail2Ban
Kudos to Linode for introducing me to Fail2Ban. It's a simple, lightweight service that watches the authentication log and, once an IP address has made too many failed login attempts within a short window, adds a firewall rule rejecting that address. The block is inserted into the kernel packet filter (iptables/nftables) alongside the UFW rules, and it is temporary: the default ban lasts ten minutes, which is a minor nuisance for a legitimate user but long enough to make password guessing impractical. Before you worry about locking yourself out by mistyping your password, this is exactly why I gave instructions earlier on removing your password and logging in with ssh keys only: a key login never fails the password check, so it never counts toward a ban.
All you need to do is install it with
sudo apt install fail2ban
On Debian and Ubuntu the service is enabled and started as part of the installation, with the sshd jail already switched on. If you want to change the defaults, put your settings in /etc/fail2ban/jail.local rather than editing jail.conf, which package upgrades overwrite.
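To see what the sshd jail is actually doing with your log, here is an added example (not Fail2Ban's own code) that emulates its decision over a handful of constructed /var/log/auth.log lines: an address is "banned" once it has at least maxretry failed password logins inside a trailing findtime window. Fail2Ban's stock defaults are maxretry = 5, findtime = 10m and bantime = 10m; the sample includes a fast guesser that trips the default window and a slow one, spaced 15 minutes apart, that only a longer findtime catches. Timestamps are read as seconds-of-day, so the sample deliberately stays within one calendar day; the IP addresses are documentation ranges, not real attackers.

```shell
#!/bin/sh
# Added example: emulate Fail2Ban's sshd jail. Reads sshd log lines on stdin,
# prints each IP that reaches >= maxretry failed logins within findtime seconds.
ban_candidates() {
  findtime="$1"; maxretry="$2"
  grep 'sshd\[[0-9]*\]: Failed password' \
  | awk -v findtime="$findtime" -v maxretry="$maxretry" '
    {
      split($3, t, ":")                       # "12:00:01" -> 12, 00, 01
      now = t[1] * 3600 + t[2] * 60 + t[3]    # seconds since midnight
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      n[ip]++; ts[ip, n[ip]] = now            # remember every failure per IP
      hits = 0                                # failures from ip inside the window
      for (i = 1; i <= n[ip]; i++) if (now - ts[ip, i] <= findtime) hits++
      if (hits >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# Constructed sample in the format sshd writes to /var/log/auth.log (not a real log).
SAMPLE_AUTH_LOG='Jan 10 12:00:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51822 ssh2
Jan 10 12:00:03 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51830 ssh2
Jan 10 12:00:05 vps sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51834 ssh2
Jan 10 12:00:07 vps sshd[1207]: Failed password for root from 203.0.113.7 port 51840 ssh2
Jan 10 12:00:09 vps sshd[1209]: Failed password for root from 203.0.113.7 port 51846 ssh2
Jan 10 12:00:12 vps sshd[1211]: Accepted publickey for deploy from 192.0.2.10 port 40212 ssh2
Jan 10 12:05:00 vps sshd[1301]: Failed password for root from 198.51.100.23 port 33002 ssh2
Jan 10 12:20:00 vps sshd[1302]: Failed password for root from 198.51.100.23 port 33010 ssh2
Jan 10 12:35:00 vps sshd[1303]: Failed password for root from 198.51.100.23 port 33018 ssh2
Jan 10 12:50:00 vps sshd[1304]: Failed password for root from 198.51.100.23 port 33026 ssh2
Jan 10 13:05:00 vps sshd[1305]: Failed password for root from 198.51.100.23 port 33034 ssh2'

echo "findtime 600s, maxretry 5 (Fail2Ban's defaults):"
printf '%s\n' "$SAMPLE_AUTH_LOG" | ban_candidates 600 5
echo "findtime 3600s, maxretry 5 (also catches the slow guesser):"
printf '%s\n' "$SAMPLE_AUTH_LOG" | ban_candidates 3600 5
```

The key-based login from 192.0.2.10 never appears in the output because it never produces a "Failed password" line, which is the point made above about switching to ssh keys. On the real host, "sudo fail2ban-client status sshd" lists the addresses the jail has currently banned.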
Certbot
Websites serve a TLS certificate that lets the browser verify it is really talking to the server for that domain and encrypt the connection. Browsers show a padlock next to the URL for such sites and label plain-http pages as "Not secure". Certbot, the ACME client that requests certificates from Let's Encrypt, has become much easier to use in the past few years. The client was originally named letsencrypt, and that name still shows up in places such as the /etc/letsencrypt directory where it keeps its configuration and certificates. The Apache plugin proves that you control the domain over plain http (the HTTP-01 challenge), so DNS for the domain must already point at this server and port 80 must be reachable before you run it. To install it and set it up, run
sudo apt install software-properties-common
sudo add-apt-repository universe
sudo apt install -y certbot python3-certbot-apache
sudo certbot --apache
You will be prompted for your email address, asked to agree to the terms of service, shown the domain names Certbot found in your Apache configuration so you can pick which to certify, and finally asked whether to redirect all http traffic to https.
I chose to force my website to HTTPS, i.e. the redirect.
Entering a real email address is also very important. Let's Encrypt uses it to warn you when a certificate is about to expire without having been renewed and to announce changes that affect your setup. In early 2019, for example, Let's Encrypt ended support for the ACME TLS-SNI-01 validation method after a flaw (disclosed in January 2018) that let customers of some shared-hosting providers obtain certificates for other people's domains; I was sent emails telling me to re-issue my certificate with a different validation method to keep it renewing. Certificates from Let's Encrypt are valid for 90 days; the certbot package installs a systemd timer that renews them once fewer than 30 days remain, so after the first run there is normally nothing to do by hand.
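Because renewal is automatic, the failure mode you actually have to watch for is a renewal that silently stops working, and the expiry email is the last line of defence. The script below is an added example (not part of the original post and not a Certbot feature): cert_valid_for_days uses openssl's -checkend option to ask whether a PEM certificate still has at least a given number of days left, and the 30-day threshold is the point at which certbot's renew job should already have replaced it. The two certificates it checks are throwaway self-signed ones generated on the spot, standing in for /etc/letsencrypt/live/<domain>/fullchain.pem, and example.com is a placeholder name.

```shell
#!/bin/sh
# Added example: flag a certificate that certbot should already have renewed.
# certbot renews once fewer than 30 days remain, so a live certificate with less
# than that left means renewal is failing.
RENEW_WINDOW_DAYS=30

# Return 0 if the PEM certificate $1 stays valid for at least $2 more days,
# 1 if it expires sooner (or has already expired).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed demo data: two self-signed throwaway certificates, one fresh and
# one about to expire. They stand in for /etc/letsencrypt/live/<domain>/fullchain.pem.
DEMO_DIR=$(mktemp -d)
make_demo_cert() {   # $1 = output file, $2 = days of validity
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$DEMO_DIR/key.pem" \
    -out "$1" -days "$2" -subj "/CN=example.com" 2>/dev/null
}
make_demo_cert "$DEMO_DIR/fresh.pem" 90
make_demo_cert "$DEMO_DIR/stale.pem" 10

for cert in "$DEMO_DIR/fresh.pem" "$DEMO_DIR/stale.pem"; do
  if cert_valid_for_days "$cert" "$RENEW_WINDOW_DAYS"; then
    echo "OK    $(openssl x509 -in "$cert" -noout -enddate)  $cert"
  else
    echo "WARN  renewal overdue: $(openssl x509 -in "$cert" -noout -enddate)  $cert"
  fi
done
```

On the server, point cert_valid_for_days at the live fullchain.pem from a cron job or monitoring check; "sudo certbot renew --dry-run" exercises the whole renewal path against Let's Encrypt's staging environment and is the quickest way to find out why a real renewal would fail.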