How to firewall and safeguard JeOS and WordPress

Short version

  • Use the AWS firewall (security groups); no host firewall or WordPress security plugin is needed.
  • Open only incoming ports 443 and 22 to the Internet. Limit 443 to CloudFlare's published IP ranges (plus your own IP if you do not use the SSH tunnel described below) and 22 to your own IP.
  • Open ports 11211 (ElastiCache) and 3306 (RDS) only inside the default security group, for incoming and outgoing traffic between its members.
  • Limit outgoing port 22 to your own IP.
  • Open outgoing UDP port 123 so the NTP client can sync time.
  • Send e-mail over port 443 with OAuth 2.0 and the Google API, so no SMTP ports need to be opened.
  • The package management tool apt-get needs outgoing port 80 (and 443, which is open anyway, if your sources list uses HTTPS mirrors).
  • Name resolution must keep working: security groups cannot block DNS to the VPC's own Route 53 Resolver, but any other resolver needs outgoing UDP and TCP port 53.


In line with the JeOS concept, security is handled in the cloud (AWS security groups and CloudFlare), not on Ubuntu or in WordPress.

CloudFlare has security features that protect your server and WordPress well, provided traffic cannot reach the server around it.

The firewall is configured in your AWS control panel as security groups. Block every port and service that is not needed and allow only the required IP addresses. On top of that, CloudFlare provides WordPress-specific and general security features.

The only ports that need to be open on the server are 443 for web traffic and 22 for your administration. All other ports should be closed. Because port 80 is closed, CloudFlare must be set to connect to the origin over HTTPS (SSL mode Full); the Flexible mode would try to reach the server on port 80.

Port 443 should be open only to the IP ranges belonging to CloudFlare, plus the IP of your PC if you choose not to use the SSH tunnel described below. This restriction matters: if anyone can reach port 443, a visitor who discovers the origin IP can talk to WordPress directly and bypass everything CloudFlare filters. CloudFlare publishes its ranges at https://www.cloudflare.com/ips; re-check the list periodically, since a range added after you configured the rule would otherwise be blocked.

When you use the SSH tunnel described below, connections to port 443 should be allowed only from the IP ranges belonging to CloudFlare.

Port 22 should be open only to the IP addresses of your own devices. Most of the time that is a single IP or a small IP range.

Configuring the firewall

Incoming and outgoing ports

AWS default security group (traffic between the instance, ElastiCache and RDS):

  • Port 11211 for ElastiCache: allow it only from and to members of the default security group, as a group reference rather than a CIDR range
  • Port 3306 for Amazon RDS: the same, only inside the default security group

IP addresses

  • Port 443 incoming: only from the CloudFlare IP ranges
  • Port 443 outgoing: to everything (0.0.0.0/0; AWS needs CIDR notation, a bare 0.0.0.0 is not a valid rule)
  • Port 22 incoming and outgoing: only from and to your office IP address (a single address is written as a /32, e.g. 203.0.113.7/32)

Security groups are stateful: replies to an allowed incoming connection are always let out, so the outgoing rule for port 22 only governs SSH connections the server opens itself.

When out of office, log in to http://AWS.Amazon.com and add your current IP to the port 22 rule. Delete the rule when back in office.
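The rule set above, as an added example written for this page (it is not the article's own script): an AWS CLI script that applies the rules to one security group. The group id sg-0123456789abcdef0, the office address 203.0.113.7 and the assumption that the instance, RDS and ElastiCache share that security group are placeholders; the CloudFlare ranges are an illustrative subset of the published list, which you must refresh from https://www.cloudflare.com/ips-v4 before running it. Setting AWS_CMD=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original article. Builds the security-group rules
# described above with the AWS CLI. Placeholders (not in the article): SG_ID,
# OFFICE_IP, and AWS_CMD, which defaults to "aws" and can be set to "echo" for a
# dry run that only prints the commands.
SG_ID="${SG_ID:-sg-0123456789abcdef0}"      # hypothetical group id
OFFICE_IP="${OFFICE_IP:-203.0.113.7}"       # documentation address, replace it
AWS_CMD="${AWS_CMD:-aws}"

# Illustrative subset of CloudFlare's published IPv4 ranges. Refresh the full,
# current list from https://www.cloudflare.com/ips-v4 before applying rules.
CLOUDFLARE_V4="173.245.48.0/20 103.21.244.0/22 103.22.200.0/22"

# Accept only a.b.c.d/len. A bare "0.0.0.0" or "/33" is rejected before it
# becomes a broken or over-wide rule.
cidr_ok() {
    echo "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1 }'
}

# rule DIRECTION PROTO PORT CIDR -> one authorize call
rule() {
    dir=$1; proto=$2; port=$3; cidr=$4
    cidr_ok "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
    "$AWS_CMD" ec2 authorize-security-group-"$dir" --group-id "$SG_ID" \
        --protocol "$proto" --port "$port" --cidr "$cidr"
}

# Ports used only inside the default security group (RDS, ElastiCache): allow
# them from and to members of the same group, a group reference rather than a CIDR.
group_port() {
    "$AWS_CMD" ec2 authorize-security-group-ingress --group-id "$SG_ID" \
        --protocol tcp --port "$1" --source-group "$SG_ID"
    "$AWS_CMD" ec2 authorize-security-group-egress --group-id "$SG_ID" --ip-permissions \
        "[{\"IpProtocol\":\"tcp\",\"FromPort\":$1,\"ToPort\":$1,\"UserIdGroupPairs\":[{\"GroupId\":\"$SG_ID\"}]}]"
}

# A new security group allows all outbound traffic; remove that rule first,
# otherwise the explicit egress rules below change nothing.
revoke_default_egress() {
    "$AWS_CMD" ec2 revoke-security-group-egress --group-id "$SG_ID" \
        --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'
}

apply_rules() {
    revoke_default_egress
    for cf in $CLOUDFLARE_V4; do rule ingress tcp 443 "$cf"; done  # web, via CloudFlare only
    rule ingress tcp 22  "$OFFICE_IP/32"    # admin SSH from the office
    rule egress  tcp 22  "$OFFICE_IP/32"    # SSH the server opens itself, office only
    rule egress  tcp 443 0.0.0.0/0          # Google API mail, WordPress updates
    rule egress  tcp 80  0.0.0.0/0          # apt-get mirrors
    rule egress  udp 123 0.0.0.0/0          # NTP
    group_port 3306                         # RDS, inside the group only
    group_port 11211                        # ElastiCache, inside the group only
}
```

Run it once with AWS_CMD=echo and read the output before running it for real; the revoke of the default egress rule is the step people forget, and without it the outgoing restrictions are decorative.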

Sending e-mail using port 443

The WordPress plugin Postman SMTP Mailer/Email Log can send mail through the Gmail API with OAuth 2.0 over port 443 (HTTPS). With this plugin there is no need to open the SMTP ports (25, 465 or 587) for outgoing traffic in the AWS firewall. Before relying on any plugin, confirm it is still maintained in the WordPress plugin directory; the original Postman SMTP was later dropped from the directory and continued as the fork Post SMTP Mailer/Email Log, which uses the same Gmail API approach.

Blocking outgoing ports can be smart

If attackers get control of your server, they often start extra services or connect back to their own infrastructure, hoping to run undetected for a long time. Blocking all outgoing traffic except what the server needs (22 to your own IP, 80, 443 and UDP 123 as listed above) makes that harder. It is not a complete answer: an attacker can still tunnel over outgoing 443, so also watch the server for listening ports and connections you did not expect.
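A check to go with this, added here and not part of the original article: two small filters over ss output that list listeners and outgoing connections that do not match the firewall allow lists, so the rule set above can be compared with what the server is actually doing. The sample ss lines are constructed for illustration, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original article: audit what the server listens on
# and talks to, and compare it with the firewall allow lists. On a real server:
#   ss -Hltn | unexpected_listeners "22 443"
#   ss -Htn state established | unexpected_outbound "22 443" "22 80 443"
# The samples below are constructed for the test, not captured from a server.

# Prints listeners bound to non-loopback addresses on ports not in the allow list
# (a loopback-only memcached is fine; a new service on 0.0.0.0:4444 is not).
unexpected_listeners() {
    awk -v ok="$1" '
        BEGIN { n = split(ok, p, " "); for (i = 1; i <= n; i++) allow[p[i]] = 1 }
        $1 == "LISTEN" {
            m = split($4, a, ":"); port = a[m]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next   # local only, unreachable
            if (!(port in allow)) print $4
        }'
}

# Prints established connections the server opened itself (local port is not one
# of the ports it serves) whose destination port is not in the outgoing allow list.
# Arguments: served ports, allowed outgoing ports.
unexpected_outbound() {
    awk -v serve="$1" -v ok="$2" '
        BEGIN { n = split(serve, p, " "); for (i = 1; i <= n; i++) served[p[i]] = 1
                n = split(ok, p, " ");    for (i = 1; i <= n; i++) allow[p[i]] = 1 }
        NF >= 4 {
            m = split($3, a, ":"); lport = a[m]
            m = split($4, a, ":"); rport = a[m]
            if (lport in served) next        # a client talking to us, not us calling out
            if (!(rport in allow)) print $4
        }'
}

# Constructed sample of "ss -Hltn": sshd, nginx, loopback memcached, and a rogue 4444.
SAMPLE_LISTEN='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:11211 0.0.0.0:*
LISTEN 0 128 0.0.0.0:4444 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Constructed sample of "ss -Htn state established": an admin SSH session, a
# CloudFlare fetch, an outgoing HTTPS call, and an outgoing IRC-style connection.
SAMPLE_ESTAB='0 0 10.0.1.12:22 203.0.113.7:51822
0 0 10.0.1.12:443 173.245.48.17:39122
0 0 10.0.1.12:40312 172.217.16.110:443
0 0 10.0.1.12:40320 198.51.100.99:6667'

audit_sample_listeners() { printf '%s\n' "$SAMPLE_LISTEN" | unexpected_listeners "22 443"; }
audit_sample_outbound()  { printf '%s\n' "$SAMPLE_ESTAB"  | unexpected_outbound "22 443" "22 80 443"; }

audit_sample_listeners   # prints 0.0.0.0:4444
audit_sample_outbound    # prints 198.51.100.99:6667
```

Run both from cron and mail or log the output; an empty result is the normal state, and anything else is worth a look before it is worth a rule.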

Connect directly to the server and use stricter security rules in CloudFlare

You can bypass CloudFlare and connect directly to the WordPress admin panel on the server. Because your own traffic then no longer passes through CloudFlare, you can apply stricter CloudFlare security rules to everyone else, for example blocking /wp-login.php at CloudFlare altogether. A good practice is to point the site's hostname at the server's IP in your hosts file, so your browser connects to the origin directly while all other visitors still go through CloudFlare; this requires your own IP to be allowed on port 443. Two caveats: the certificate on the origin must be one your browser trusts for that hostname (a CloudFlare Origin CA certificate is trusted only by CloudFlare, not by browsers), and a forgotten hosts entry will keep sending you to the origin long after you meant it to. We have made a list with some useful tools to manage your hosts file easier and faster.

Alternatively, you can connect directly to the WordPress admin panel through a SOCKS proxy tunnelled over SSH, described below.

Use VPN access while out of office

SSH can act as a simple VPN substitute: its dynamic port forward (ssh -D) is a SOCKS proxy that sends your browser's traffic out from the server. When you need the WordPress admin panel from a different IP, add that IP to the port 22 rule as described above rather than opening port 22 to the whole Internet, start the proxy and point your browser at it. SOCKS is fast to set up and just as fast to enable and disable. The admin panel is then reached without passing through the security systems at CloudFlare, with one condition: for the connection the proxy makes, the site name must resolve to the origin itself rather than to CloudFlare, otherwise the request simply goes out to CloudFlare from the server's own IP. There is no software to install on the server. macOS has ssh built in; Windows needs an SSH client such as PuTTY (recent Windows 10 releases include OpenSSH). Another example of the JeOS concept.
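Both ways of reaching wp-admin with CloudFlare out of the path, the hosts-file approach from the previous section and the SSH SOCKS proxy, as an added example that is not from the original article. The hostname example.com, the origin IP 198.51.100.10, the user ubuntu and the local port 1080 are placeholders, and the tunnelled variant assumes the origin's web server also accepts connections on 127.0.0.1:443.

```shell
#!/bin/sh
# Added example, not from the original article. Placeholders, replace them:
SITE="${SITE:-example.com}"               # the WordPress hostname
ORIGIN_IP="${ORIGIN_IP:-198.51.100.10}"   # the EC2 instance's public IP
SSH_USER="${SSH_USER:-ubuntu}"
SOCKS_PORT="${SOCKS_PORT:-1080}"
CTL="${TMPDIR:-/tmp}/wp-socks.ctl"        # ssh control socket, for a clean teardown

# 1) Direct: the hosts-file line, and curl's equivalent (--resolve pins the name
#    to the origin for one request, no hosts edit). Your own IP must be allowed
#    on port 443 for this to work.
hosts_entry()    { echo "$ORIGIN_IP $SITE"; }
direct_headers() { curl -sSI --resolve "$SITE:443:$ORIGIN_IP" "https://$SITE/wp-admin/"; }

# 2) Tunnel: -D opens a SOCKS proxy on this machine that exits on the server,
#    -N runs no remote command, -f backgrounds, -M/-S give a control socket.
#    StrictHostKeyChecking=yes refuses an unknown or changed host key instead of
#    prompting, so a hijacked path cannot silently become your "VPN".
socks_args() {
    printf '%s' "-M -S $CTL -f -N -D 127.0.0.1:$SOCKS_PORT -o StrictHostKeyChecking=yes -o ExitOnForwardFailure=yes $SSH_USER@$ORIGIN_IP"
}
socks_up()   { ssh $(socks_args); }
socks_down() { ssh -S "$CTL" -O exit "$SSH_USER@$ORIGIN_IP"; }

# Through the tunnel, resolve the site name to 127.0.0.1 before it reaches the
# proxy (--socks5, not --socks5-hostname): sshd then connects to the web server on
# the origin's own loopback, so the request never touches CloudFlare. With
# --socks5-hostname the server would resolve the name via public DNS and the
# request would go out to CloudFlare after all. Browser equivalent: a hosts-file
# line "127.0.0.1 example.com" plus SOCKS5 with remote DNS turned off.
tunnel_headers() {
    curl -sSI --socks5 "127.0.0.1:$SOCKS_PORT" --resolve "$SITE:443:127.0.0.1" "https://$SITE/wp-admin/"
}

# Check: CloudFlare stamps every proxied response with a cf-ray header. If the
# headers on stdin carry one, the request did not bypass CloudFlare.
via_cloudflare() { grep -qi '^cf-ray:'; }

# Typical session (commented out so the file can be sourced without a server):
#   socks_up
#   tunnel_headers | via_cloudflare && echo "still going through CloudFlare"
#   socks_down
```

The cf-ray check is the one to keep: it tells you immediately whether the stricter CloudFlare rules you set for everyone else are about to lock you out too.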