Secure new server

Hi,

I’m thinking of migrating my servers from EE V3 under Ubuntu 14.04 to EE V4 under Ubuntu 18, but I have some questions about security.

  • Is it recommended to install/configure applications such as UFW, fail2ban, Monit, etc.? Do they work on Docker?

Also interested in this. I do not have any experience with Docker and on every new server I make some initial security configurations as described at: https://www.codelitt.com/blog/my-first-10-minutes-on-a-server-primer-for-securing-ubuntu/

Should I keep on doing that? Or with Docker must I do things differently?

Thanks

@Danielote @mikeslv I’m not an expert in security, but I think it’s fine to install UFW, Monit, etc… However, I’m not sure about fail2ban. Even if it works, it might need some extra configuration to work with nginx-proxy.

I think it could work without nginx-proxy for ssh etc… Maybe @mriyam.tamuli can help more here.

And what about Ubuntu/Debian automatic security updates? Can we enable them without causing issues with EasyEngine Docker?

We really need help with this topic; security is important before migrating to EE v4…

I have this enabled: https://linux-audit.com/livepatch-linux-kernel-updates-without-rebooting/

I found this
https://www.the-lazy-dev.com/en/install-fail2ban-with-docker/

Is it fine for Docker containers in EE v4?

Any change in this line?
logpath = /var/lib/docker/containers//-json.log

As far as I understand, Docker runs under the main OS, which is Ubuntu or Debian. Therefore, you can install whatever firewall you want in Ubuntu/Debian, which will control all ports, not just the one Docker is using. Basically you need http/s ports + admin tools port and that is it.
If you want other types of security, then the easiest method is to use an app-level firewall. That way you don’t have to go too much into nginx security. Oh yes, using ssh keys is way better than passwords.
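
An added example, not from the thread and not EasyEngine's or fail2ban's own code: the logpath quoted above points at Docker's json-file logs, where each line is a JSON object carrying the container's output in its `log` field, so anything matching on those files has to unwrap that field first. The Python below does the unwrapping and applies a maxretry/findtime style count to nginx-style access entries; the access-log layout, the sample lines, the function names and the thresholds are all assumptions.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx access line: client IP first, status code after the quoted request.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')

def parse_line(raw):
    """Return (timestamp, ip, status) for one json-file log line, else None."""
    try:
        rec = json.loads(raw)
        m = ACCESS_RE.match(rec["log"])
        ts = datetime.strptime(rec["time"][:19], "%Y-%m-%dT%H:%M:%S")  # drop nanoseconds
    except (ValueError, KeyError, TypeError):
        return None  # not JSON, missing field, or unexpected type
    return (ts, m.group(1), int(m.group(2))) if m else None

def offenders(lines, maxretry=3, findtime=600, statuses=(401, 403)):
    """IPs with >= maxretry failing responses within findtime seconds."""
    window, recent, banned = timedelta(seconds=findtime), defaultdict(deque), []
    for parsed in filter(None, map(parse_line, lines)):
        ts, ip, status = parsed
        if status not in statuses or ip in banned:
            continue
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:  # drop failures older than the window
            hits.popleft()
        if len(hits) >= maxretry:
            banned.append(ip)
    return banned

def _rec(hms, ip, status):  # constructed json-file record around an nginx-style line
    line = f'{ip} - - [10/Oct/2019:{hms} +0000] "POST /wp-login.php HTTP/1.1" {status} 512\n'
    return json.dumps({"log": line, "stream": "stdout", "time": f"2019-10-10T{hms}.000000000Z"})

SAMPLE = [  # constructed data using documentation-range addresses
    _rec("13:00:00", "203.0.113.7", 401),
    _rec("13:00:05", "198.51.100.4", 200),
    _rec("13:00:10", "203.0.113.7", 401),
    _rec("13:00:20", "192.0.2.9", 401),
    "not a json line",
    _rec("13:00:30", "203.0.113.7", 403),
    _rec("14:30:00", "192.0.2.9", 401),
    _rec("14:30:05", "192.0.2.9", 401),
]
if __name__ == "__main__":
    print(offenders(SAMPLE))
```

With the default 600-second window only the first address is reported; the second one's failures are spread over more than an hour and fall out of the window.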