Securing Your Droplet

  • Published 24 Dec 2024

COMMENTS

  • @kaloyangeorgiev6824 9 months ago

    Great video, I have one question though. Are these firewall setups enough? Would we need something else regarding the firewall?

  • @CardinalHijack 3 years ago

    The SSH rule added at 25:32 doesn't make sense to me. The inbound rule here allows SSH connections from source IPs in the VPC range, but to what? What machine(s) are now limited to inbound connections from our VPC? I don't see how this links to droplets in the VPC. It's like we should apply this rule to the VPC, but we don't.
    As an example, if you wanted to only allow a specific IP to SSH into anything inside the VPC (for example, only allow SSHing into your VPC servers from your static business IP address), I don't see how adding the value at 25:32 appends this rule to the VPC. All this rule does is allow SSH connections from a source; it doesn't apply it to any machine or network, though?

    • @masonegger6503 3 years ago +2

      So the SSH rule here is applying to the entire CIDR block within the VPC. It's set to 192.168.92.0/24. This rule effectively lets servers within the VPC talk with each other while effectively blocking any outside traffic. If you're running a cluster of servers with a load balancer you probably want to limit ingress to the servers to only a specific device. Since the load balancer is also in the VPC it has a private IP and therefore is allowed to direct traffic to the servers.
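
The behaviour described in the reply above, as an added example that is not part of the video or the comment thread: a small model of an inbound cloud-firewall rule scoped to the VPC CIDR quoted in the reply (192.168.92.0/24). It assumes, for the purpose of the model, that a firewall is attached to named droplets (standing in for whatever tag or droplet assignment the provider uses) and that a droplet with no firewall attached is not filtered at this layer; the droplet names and the load-balancer, internet and office addresses are constructed sample values.

```python
"""Model of an inbound firewall rule scoped to a VPC CIDR (added example).

The VPC CIDR 192.168.92.0/24 is the one quoted in the reply; every other
address below is a constructed sample value from documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

VPC_CIDR = "192.168.92.0/24"


@dataclass(frozen=True)
class InboundRule:
    protocol: str             # "tcp" or "udp"
    port: Optional[int]       # destination port the rule applies to
    sources: tuple            # CIDR strings the rule accepts traffic from


@dataclass(frozen=True)
class Firewall:
    name: str
    droplets: frozenset       # assumption: droplets this firewall is attached to
    inbound: tuple            # InboundRule entries; anything unmatched is dropped


def rule_matches(rule: InboundRule, protocol: str, port: int, src_ip: str) -> bool:
    """True when the packet's protocol, port and source fall inside the rule."""
    if rule.protocol != protocol or rule.port != port:
        return False
    addr = ip_address(src_ip)
    # An IPv4 address is never "in" an IPv6 network and vice versa, so mixing
    # 0.0.0.0/0 and ::/0 in one rule is safe.
    return any(addr in ip_network(cidr, strict=False) for cidr in rule.sources)


def inbound_allowed(firewalls, droplet: str, protocol: str, port: int, src_ip: str) -> bool:
    """Default-deny once a firewall is attached: the packet reaches `droplet`
    only if some attached firewall has a matching inbound rule. A droplet with
    no firewall attached is not filtered at this layer (model assumption)."""
    attached = [fw for fw in firewalls if droplet in fw.droplets]
    if not attached:
        return True
    return any(rule_matches(r, protocol, port, src_ip)
               for fw in attached for r in fw.inbound)


# The ruleset the reply describes: SSH only from inside the VPC (the rule at
# 25:32), plus public web traffic so a load balancer or browser can reach it.
VPC_FIREWALL = Firewall(
    name="vpc-only-ssh",
    droplets=frozenset({"web-1", "web-2"}),   # constructed droplet names
    inbound=(
        InboundRule("tcp", 22, (VPC_CIDR,)),
        InboundRule("tcp", 80, ("0.0.0.0/0", "::/0")),
    ),
)

# The scenario the question raises: SSH only from one static business IP.
OFFICE_IP = "198.51.100.4"                     # constructed sample value
OFFICE_FIREWALL = Firewall(
    name="office-only-ssh",
    droplets=frozenset({"bastion"}),
    inbound=(InboundRule("tcp", 22, (OFFICE_IP + "/32",)),),
)


def demo() -> dict:
    """Evaluate representative packets against both firewalls."""
    fws = [VPC_FIREWALL, OFFICE_FIREWALL]
    return {
        # load balancer's private IP, inside the VPC /24
        "lb_private_ssh": inbound_allowed(fws, "web-1", "tcp", 22, "192.168.92.5"),
        # arbitrary internet host
        "internet_ssh": inbound_allowed(fws, "web-1", "tcp", 22, "203.0.113.7"),
        # neighbouring /24 that is NOT the VPC range
        "adjacent_range_ssh": inbound_allowed(fws, "web-1", "tcp", 22, "192.168.93.5"),
        # public HTTP is still allowed to the web droplets
        "internet_http": inbound_allowed(fws, "web-1", "tcp", 80, "203.0.113.7"),
        # droplet with no firewall attached is not filtered by this model
        "unattached_ssh": inbound_allowed(fws, "db-1", "tcp", 22, "203.0.113.7"),
        # bastion accepts SSH from the office IP only
        "office_to_bastion": inbound_allowed(fws, "bastion", "tcp", 22, OFFICE_IP),
        "vpc_to_bastion": inbound_allowed(fws, "bastion", "tcp", 22, "192.168.92.5"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DROP'}")
```

The point the model makes explicit is the one the question asks about: the CIDR in the rule only chooses *sources*; which machines the rule protects is decided by which droplets the firewall is attached to. A droplet that no firewall is attached to gets no protection from the rule at all, which is the case worth checking when auditing a setup like the one in the video.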

    • @CardinalHijack 3 years ago

      @masonegger6503 thanks

  • @timeakiss_ 4 years ago

    Hey @masonegger and @digitalocean guys :) Thanks for these talks! This week there was a Securing Your Deploy webinar where the presenter was talking about levels to approach security in order to implement a plan from the MVP level to full scalability. I found that approach very useful in defining priorities mapped to product maturity. It would be nice to have this red line run through other talks too (Level 1, 2 and 3). Would love to learn more about password/secret management from the idea-MVP-barely-working-we-only-have-one-server level to a fully set up, scalable, rotated-keys-in-vault level solution.
    Great job on the content in the video, tutorials, community building. Thank you once again.

  • @icalculi 3 years ago +1

    Question about SSL: what is the difference between certbot and "paid" certificates from GoDaddy?

    • @masonegger6503 3 years ago +1

      Paid certificates tend to require more validation around your identity, whereas certbot certs are just freely given. If you're a large corporation who cares about being truly validated by a certificate authority then this might be worth it to you. If you're doing personal projects or running a small business you're probably not too concerned with it.

  • @stefanvadev1908 2 years ago

    It was a great and very helpful talk! @masonegger, could you share what the good practices for outbound firewall rules are? Thanks!

  • @AkashSharma-id4pv 2 years ago

    Hey, thanks for the video, I learned many new things!!
    Can you please let me know how to prevent file access? I have set up a DigitalOcean server and pointed a domain name to it. It works well with the domain name. But when I try with the IP along with a folder path, all files are directly accessible (along with the .env file). How can I enhance my server security to reduce this kind of risk?

  • @Shagadelic21nyc 3 years ago +1

    Thanks! Very helpful.

  • @ዓዞቦታይ 3 years ago

    ssds