Setting up a VPS for website hosting - Part 4
UFW, Fail2Ban, and Certbot
The next steps are the easiest! These are for security purposes. UFW is our firewall, Fail2Ban helps with ssh login rejection, and Cerbot is one way to generate a web certificate so that our website is HTTPS compliant.
So UFW is a firewall that stands for Uncomplicated FireWall. It blocks all incoming/outgoing data
to our server except the ones we want. The ones we want are ssh and https. ssh lets you log in, and https lets
people access the page. To install it, run:
To set it up and configure it, run:
sudo apt install ufw
sudo ufw default allow outgoing sudo ufw default deny incoming sudo ufw allow ssh sudo ufw allow https sudo systemctl start ufw
And that's it! In summary, it disables all incoming connections except ssh and https, and allows all outgoing connections so that anyone on the web can access the website.
Kudos to Linode for introducing me to fail2ban. It's a simple, lightweight service that blocks people's IP after too many incorrect login attempts. If a certain IP address has too many incorrect attempts, then that IP address is blacklisted on the firewall. Before you worry about entering your password wrong too many times, this is the exact reason why I have instructions on removing your password and solely using ssh logins. Also, it typically only locks IP addresses out for a few minutes, which is enough to protect against attacks.
All you need to do is install it with
Then it will automatically start.
sudo apt install fail2ban
Websites typically have certificiates indicating that they are secure. You will see this on web browsers for instance with a green lock next to the URL. Many browsers nowadays will also prevent access to insecure websites. Certbot got a lot easier to use in the past few years. It used to be called letsencrypt, and that name is still referenced in some code. To install it and set it up, run
You will be prompted for example for your email, your website name, and if you want to force HTTPS. I chose to force my website to HTTPS.
apt install software-properties-common add-apt-repository universe apt install -y certbot python3-certbot-apache sudo certbot --apache
Entering your email is also very important. Back in summer 2019, there was a massive security flaw with ACME TLS-SNI-01 and Certbot had to stop support for it. I was sent emails telling me that I needed to re-create my certificate in order to stay certified and authenticated.