From 5bf8b75a11f740524a04edd297f6e3a8850fed77 Mon Sep 17 00:00:00 2001 From: prashantkamdar Date: Sun, 15 Aug 2021 21:15:23 +0530 Subject: [PATCH 1/8] security steps in the readme --- README.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/README.md b/README.md index bf0e5641..dc37c9dc 100644 --- a/README.md +++ b/README.md @@ -502,6 +502,36 @@ sudo systemctl reload nginx At this step, you should also setup the SSL for Nginx. [Certbot](https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx) can be a good option if you want a free SSL certificate. +### Optional, but recommended security steps + +If you have followed the steps above, there will be 3 ports exposed over the internet: 7777 (sl-app), 20381 (sl-email) & 5432 (postgresql). + +You can verify the ports are open by running the following command from a different machine + +```bash +sudo nmap -sS 107.172.193.177 -p 7777,20381,5432 +``` + +It is important to secure the Postgres port. + +Using `ufw` didn't help because docker writes persisten rules to the `iptables`. + +To get around this, first run this command to allow only localhost connections to the docker containers: + +```bash +iptables -I DOCKER-USER -i eth0 ! -s 127.0.0.1 -j DROP +``` + +Next, to make the changes persistent across reboots, we are going to use `iptables-persistent` package. + +```bash +sudo apt install iptables-persistent +sudo service netfilter-persistent save +``` + +Reboot your machine and run the above `nmap` command one more time to verify the said ports are not in closed/filtered state. + + ### Enjoy! If all the above steps are successful, open http://app.mydomain.com/ and create your first account! From bf39b924dd4505d7158f082f9d6e60243b72a0eb Mon Sep 17 00:00:00 2001 From: prashantkamdar Date: Sun, 15 Aug 2021 21:17:54 +0530 Subject: [PATCH 2/8] security steps in the readme --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/README.md b/README.md index dc37c9dc..6912235e 100644 --- a/README.md +++ b/README.md @@ -514,7 +514,7 @@ sudo nmap -sS 107.172.193.177 -p 7777,20381,5432 It is important to secure the Postgres port. -Using `ufw` didn't help because docker writes persisten rules to the `iptables`. +Using `ufw` doesn't help because docker writes persisten rules to the `iptables`. To get around this, first run this command to allow only localhost connections to the docker containers: @@ -522,6 +522,8 @@ To get around this, first run this command to allow only localhost connections t iptables -I DOCKER-USER -i eth0 ! -s 127.0.0.1 -j DROP ``` +Docker documentation reference for more info: [documentation](https://docs.docker.com/network/iptables/#restrict-connections-to-the-docker-host) + Next, to make the changes persistent across reboots, we are going to use `iptables-persistent` package. ```bash From e22af08e0b562898d8c37e76b22cbc75cf6c701b Mon Sep 17 00:00:00 2001 From: prashantkamdar Date: Sun, 15 Aug 2021 21:19:55 +0530 Subject: [PATCH 3/8] security steps in the readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6912235e..bf93faba 100644 --- a/README.md +++ b/README.md @@ -509,7 +509,7 @@ If you have followed the steps above, there will be 3 ports exposed over the int You can verify the ports are open by running the following command from a different machine ```bash -sudo nmap -sS 107.172.193.177 -p 7777,20381,5432 +sudo nmap -sS -p 7777,20381,5432 ``` It is important to secure the Postgres port. From 173b509706e15ec0a2a4ab97d635e6c25bff96a1 Mon Sep 17 00:00:00 2001 From: prashantkamdar Date: Sun, 15 Aug 2021 21:26:38 +0530 Subject: [PATCH 4/8] security steps in the readme --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bf93faba..18e9c248 100644 --- a/README.md +++ b/README.md 
@@ -506,7 +506,7 @@ At this step, you should also setup the SSL for Nginx. If you have followed the steps above, there will be 3 ports exposed over the internet: 7777 (sl-app), 20381 (sl-email) & 5432 (postgresql). -You can verify the ports are open by running the following command from a different machine +You can verify the ports are open by running the following command from a different machine. ```bash sudo nmap -sS -p 7777,20381,5432 @@ -522,7 +522,7 @@ To get around this, first run this command to allow only localhost connections t iptables -I DOCKER-USER -i eth0 ! -s 127.0.0.1 -j DROP ``` -Docker documentation reference for more info: [documentation](https://docs.docker.com/network/iptables/#restrict-connections-to-the-docker-host) +Docker documentation reference for more info: [documentation](https://docs.docker.com/network/iptables/#restrict-connections-to-the-docker-host). Next, to make the changes persistent across reboots, we are going to use `iptables-persistent` package. From 1e2d6823516af9b0897a472a3c3be5a4c6ccc809 Mon Sep 17 00:00:00 2001 From: prashantkamdar Date: Sun, 15 Aug 2021 21:35:54 +0530 Subject: [PATCH 5/8] typo fix --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 18e9c248..94298775 100644 --- a/README.md +++ b/README.md @@ -514,7 +514,7 @@ sudo nmap -sS -p 7777,20381,5432 It is important to secure the Postgres port. -Using `ufw` doesn't help because docker writes persisten rules to the `iptables`. +Using `ufw` doesn't help because docker writes persistent rules to the `iptables`. To get around this, first run this command to allow only localhost connections to the docker containers: From 8356a9627dc5eb6bdd65ed56040cd96f2c044e1c Mon Sep 17 00:00:00 2001 
From: prashantkamdar Date: Thu, 30 Sep 2021 22:36:30 +0530 Subject: [PATCH 6/8] updating the readme and upgrade docs to bind to localhost --- README.md | 37 +++---------------------------------- docs/upgrade.md | 4 ++-- 2 files changed, 5 insertions(+), 36 deletions(-) diff --git a/README.md b/README.md index dcb145f6..d00aedcf 100644 --- a/README.md +++ b/README.md @@ -237,7 +237,7 @@ docker run -d \ -e POSTGRES_PASSWORD=mypassword \ -e POSTGRES_USER=myuser \ -e POSTGRES_DB=simplelogin \ - -p 5432:5432 \ + -p 127.0.0.1:5432:5432 \ -v $(pwd)/sl/db:/var/lib/postgresql/data \ --restart always \ --network="sl-network" \ @@ -451,7 +451,7 @@ docker run -d \ -v $(pwd)/simplelogin.env:/code/.env \ -v $(pwd)/dkim.key:/dkim.key \ -v $(pwd)/dkim.pub.key:/dkim.pub.key \ - -p 7777:7777 \ + -p 127.0.0.1:7777:7777 \ --restart always \ --network="sl-network" \ simplelogin/app:3.4.0 @@ -467,7 +467,7 @@ docker run -d \ -v $(pwd)/simplelogin.env:/code/.env \ -v $(pwd)/dkim.key:/dkim.key \ -v $(pwd)/dkim.pub.key:/dkim.pub.key \ - -p 20381:20381 \ + -p 127.0.0.1:20381:20381 \ --restart always \ --network="sl-network" \ simplelogin/app:3.4.0 python email_handler.py 
@@ -502,37 +502,6 @@ sudo systemctl reload nginx At this step, you should also setup the SSL for Nginx. [Certbot](https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx) can be a good option if you want a free SSL certificate. -### Optional, but recommended security steps - -If you have followed the steps above, there will be 3 ports exposed over the internet: 7777 (sl-app), 20381 (sl-email) & 5432 (postgresql). - -You can verify the ports are open by running the following command from a different machine. - -```bash -sudo nmap -sS -p 7777,20381,5432 -``` - -It is important to secure the Postgres port. - -Using `ufw` doesn't help because docker writes persistent rules to the `iptables`. - -To get around this, first run this command to allow only localhost connections to the docker containers: - -```bash -iptables -I DOCKER-USER -i eth0 ! -s 127.0.0.1 -j DROP -``` - -Docker documentation reference for more info: [documentation](https://docs.docker.com/network/iptables/#restrict-connections-to-the-docker-host). - -Next, to make the changes persistent across reboots, we are going to use `iptables-persistent` package. - -```bash -sudo apt install iptables-persistent -sudo service netfilter-persistent save -``` - -Reboot your machine and run the above `nmap` command one more time to verify the said ports are not in closed/filtered state. - ### Enjoy! diff --git a/docs/upgrade.md b/docs/upgrade.md index 2f6547b3..7917c447 100644 --- a/docs/upgrade.md +++ b/docs/upgrade.md @@ -164,7 +164,7 @@ sudo docker run -d \ -v $(pwd)/simplelogin.env:/code/.env \ -v $(pwd)/dkim.key:/dkim.key \ -v $(pwd)/dkim.pub.key:/dkim.pub.key \ - -p 7777:7777 \ + -p 127.0.0.1:7777:7777 \ --restart always \ --network="sl-network" \ simplelogin/app:3.4.0 
@@ -177,7 +177,7 @@ sudo docker run -d \ -v $(pwd)/simplelogin.env:/code/.env \ -v $(pwd)/dkim.key:/dkim.key \ -v $(pwd)/dkim.pub.key:/dkim.pub.key \ - -p 20381:20381 \ + -p 127.0.0.1:20381:20381 \ --restart always \ --network="sl-network" \ simplelogin/app:3.4.0 python email_handler.py From 202fadcfc8f19b2ec97a65d634e9605abf520f94 Mon Sep 17 00:00:00 2001 From: prashantkamdar Date: Thu, 30 Sep 2021 22:37:44 +0530 Subject: [PATCH 7/8] removing extra space --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index d00aedcf..7d0c6d99 100644 --- a/README.md +++ b/README.md @@ -502,7 +502,6 @@ sudo systemctl reload nginx At this step, you should also setup the SSL for Nginx. [Certbot](https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx) can be a good option if you want a free SSL certificate. - ### Enjoy! If all the above steps are successful, open http://app.mydomain.com/ and create your first account! From fbf1ca3395b1ee48f464db3f07d9fbdc17c0fc97 Mon Sep 17 00:00:00 2001 From: prashantkamdar Date: Fri, 1 Oct 2021 21:38:07 +0530 Subject: [PATCH 8/8] hiding the postgres port during upgrade --- docs/upgrade.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/docs/upgrade.md b/docs/upgrade.md index 7917c447..904250d7 100644 --- a/docs/upgrade.md +++ b/docs/upgrade.md 
@@ -126,14 +126,26 @@ for user in User.query.all(): sudo docker pull simplelogin/app:3.4.0 # Stop SimpleLogin containers -sudo docker stop sl-email sl-migration sl-app +sudo docker stop sl-email sl-migration sl-app sl-db # Make sure to remove these containers to avoid conflict -sudo docker rm -f sl-email sl-migration sl-app +sudo docker rm -f sl-email sl-migration sl-app sl-db # create ./sl/upload/ if not exist mkdir -p ./sl/upload/ +# Run the database container. Make sure to replace `myuser` and `mypassword` +docker run -d \ + --name sl-db \ + -e POSTGRES_PASSWORD=mypassword \ + -e POSTGRES_USER=myuser \ + -e POSTGRES_DB=simplelogin \ + -p 127.0.0.1:5432:5432 \ + -v $(pwd)/sl/db:/var/lib/postgresql/data \ + --restart always \ + --network="sl-network" \ + postgres:12.1 + # Run the database migration sudo docker run --rm \ --name sl-migration \
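Review bot: in PATCH 1/8, the closing sentence of the new "Optional, but recommended security steps" section has the check inverted: once the `DOCKER-USER` DROP rule is active, re-running the nmap scan should show 7777, 20381 and 5432 as closed or filtered, so "verify the said ports are not in closed/filtered state" tells the reader to look for the wrong result. Suggest "verify the said ports now show as closed/filtered". Two smaller points in the same hunk: `iptables -I DOCKER-USER -i eth0 ! -s 127.0.0.1 -j DROP` hard-codes `eth0`, which is not the interface name on many current Ubuntu images (ens3, enp0s3, ...), so the text should tell the reader to substitute their public interface (e.g. from `ip link`); and it is the only command in the section run without `sudo`, while `apt install iptables-persistent` and `service netfilter-persistent save` have it.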
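Review bot: PATCH 3/8 removes the real IP address but leaves the nmap invocation with no target at all: `sudo nmap -sS -p 7777,20381,5432` will refuse to run ("No targets were specified"). Replace the address with a placeholder instead of deleting it, e.g. `sudo nmap -sS -p 7777,20381,5432 <your-server-ip>`, so the verification step stays copy-pasteable.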
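Review bot: in PATCH 6/8, the README hunk at `@@ -237,7 +237,7 @@` narrows the Postgres mapping to `-p 127.0.0.1:5432:5432` but still publishes the port on the host. All three containers are attached to `--network="sl-network"`, so sl-app and sl-email can reach the database over that network by container name without any host-published port; unless something on the host itself needs to connect (a local `psql`, a backup job), the `-p` line can be dropped entirely, which removes the exposure rather than narrowing it. If it is kept for host access, a one-line comment saying why would help readers who audit open ports later.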
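Review bot: in PATCH 6/8, the hunks at `@@ -451,7 +451,7 @@` and `@@ -467,7 +467,7 @@` change the app and email mappings to `-p 127.0.0.1:7777:7777` and `-p 127.0.0.1:20381:20381`, which bind IPv4 loopback only. Since Nginx is placed in front of sl-app per the section above (and a local relay in front of sl-email), the text should tell readers to point those upstream settings at `127.0.0.1:<port>` rather than `localhost`, which can resolve to `::1` and then fail to connect. It is also worth a sentence that a port mapping cannot be changed on an existing container, so existing installs must recreate the containers (the `docs/upgrade.md` hunks in this patch do that via `docker rm -f`, but the README hunks alone do not say so).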
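Review bot: in PATCH 8/8, the new `docker run -d \ --name sl-db ...` block is the only command in the hunk without `sudo`, while the surrounding `sudo docker stop`, `sudo docker rm -f` and `sudo docker run --rm --name sl-migration` all use it; make it consistent so the step does not fail for readers who are not in the docker group. Two documentation points on the same hunk: the `sudo docker rm -f sl-email sl-migration sl-app sl-db` line deserves a comment that removing sl-db is safe because the data lives in the `$(pwd)/sl/db` bind mount, and the "replace `myuser` and `mypassword`" comment should say these must be the same values used at first install: `POSTGRES_USER`/`POSTGRES_PASSWORD` only initialise an empty data directory and do not change credentials on an existing one, so a mismatch here will silently leave the app unable to authenticate.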