Great video, I have one question though. Are these firewall setups enough? Would we need something else regarding the firewall?
The SSH rule added after 25:32 doesn't make sense to me - the inbound rule here allows SSH connections from source IPs in the VPC range, but to what? What machine(s) are now limited to inbound connections from our VPC? I don't see how this links to droplets in the VPC. It's like we should apply this rule to the VPC, but we don't.
As an example - if you wanted to only allow a specific IP to SSH into anything inside the VPC (for example, only allow SSHing into your VPC servers from your static business IP address), I don't see how adding the value at 25:32 appends this rule to the VPC. All this rule does is allow SSH connections from a source - it doesn't apply it to any machine or network though?
So the SSH rule here is applying to the entire CIDR block within the VPC. It's set to 192.168.92.0/24. This rule effectively lets servers within the VPC talk with each other while effectively blocking any outside traffic. If you're running a cluster of servers with a load balancer you probably want to limit ingress to the servers to only a specific device. Since the load balancer is also in the VPC it has a private IP and therefore is allowed to direct traffic to the servers.
@masonegger6503 thanks
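To make the exchange above concrete, here is an added example (not code from the video, from Mason, or from DigitalOcean) that models the inbound rule set being discussed: SSH on tcp/22 admitted only from the VPC range 192.168.92.0/24 quoted in the reply, web ports open to everyone, everything else denied by default. It then evaluates a handful of constructed packets, including one from a peer's private VPC address and one from the public internet, and also builds the questioner's alternative rule set where SSH is admitted only from a single static office address. The rule set is assumed to be attached to the droplets it should protect; the sample addresses (192.168.92.10, 203.0.113.5, 198.51.100.7) are invented for the illustration.

```python
"""Model of a default-deny inbound cloud-firewall rule set (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

# Constructed values: the VPC CIDR quoted in the reply above, plus "anywhere".
VPC_CIDR = "192.168.92.0/24"
ANYWHERE = ("0.0.0.0/0", "::/0")


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule: protocol, inclusive port range, permitted source networks."""
    proto: str
    port_lo: int
    port_hi: int
    sources: tuple

    @classmethod
    def make(cls, proto, ports, sources):
        lo, hi = (ports, ports) if isinstance(ports, int) else ports
        nets = tuple(ip_network(s, strict=False) for s in sources)
        return cls(proto.lower(), lo, hi, nets)

    def matches(self, proto, dport, src):
        if proto.lower() != self.proto or not (self.port_lo <= dport <= self.port_hi):
            return False
        # An IPv4 source never matches an IPv6 network and vice versa.
        return any(src.version == n.version and src in n for n in self.sources)


def build_inbound_rules(ssh_sources: Iterable[str]) -> list:
    """Inbound rules in the spirit of the talk: SSH restricted to ssh_sources, web open to all."""
    return [
        Rule.make("tcp", 22, tuple(ssh_sources)),
        Rule.make("tcp", 80, ANYWHERE),
        Rule.make("tcp", 443, ANYWHERE),
    ]


def inbound_allowed(rules, proto, dport, src_ip) -> Optional[Rule]:
    """Default deny: return the first rule admitting the packet, or None if nothing does."""
    src = ip_address(src_ip)
    for rule in rules:
        if rule.matches(proto, dport, src):
            return rule
    return None


def evaluate(rules, packets) -> dict:
    """Map each (proto, dport, src) tuple to True (allowed) or False (dropped)."""
    return {pkt: inbound_allowed(rules, *pkt) is not None for pkt in packets}


# Constructed sample traffic arriving at a droplet that the rule set is attached to.
SAMPLE_PACKETS = (
    ("tcp", 22, "192.168.92.10"),    # load balancer / peer droplet, private VPC address
    ("tcp", 22, "203.0.113.5"),      # SSH attempt from the public internet
    ("tcp", 443, "203.0.113.5"),     # HTTPS from the public internet
    ("tcp", 3306, "192.168.92.10"),  # MySQL from inside the VPC: no rule, so dropped
    ("udp", 22, "192.168.92.10"),    # wrong protocol: the SSH rule is tcp only
)

if __name__ == "__main__":
    vpc_rules = build_inbound_rules([VPC_CIDR])
    office_rules = build_inbound_rules(["198.51.100.7/32"])  # the "static business IP" variant
    for label, rules in (("SSH from VPC only", vpc_rules), ("SSH from office IP only", office_rules)):
        print(label)
        for pkt, ok in evaluate(rules, SAMPLE_PACKETS).items():
            print(f"  {pkt[0]}/{pkt[1]:<5} from {pkt[2]:<15} -> {'ALLOW' if ok else 'DROP'}")
```

Run it and the two tables show the point of the thread: with the VPC CIDR as the SSH source, the private address 192.168.92.10 reaches port 22 and 203.0.113.5 does not, while a service with no rule (3306) is dropped even from inside the VPC; swapping in 198.51.100.7/32 makes the office address the only one that reaches SSH.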
Hey @masonegger and @digitalocean guys :) Thanks for these talks! This week there was a Securing Your Deploy webinar where the presenter was talking about levels to approach security, in order to implement a plan from the MVP level to full scalability. I found that approach very useful in defining priorities mapped to product maturity. It would be nice to have this red line run through other talks too (Levels 1, 2 and 3). Would love to learn more about password/secret management, from the idea-MVP-barely-working-we-only-have-one-server level to a fully set up, scalable, rotated-keys-in-Vault-level solution.
Great job on the content in video, tutorials, community building. Thank you once again.
Question about SSL: what is the difference between certbot and "paid" certificates from GoDaddy?
Paid certificates tend to require more validation around your identity, whereas certbot certs are just freely given. If you're a large corporation that cares about being truly validated by a certificate authority then this might be worth it to you. If you're doing personal projects or running a small business you're probably not too concerned with it.
It was a great and very helpful talk! @masonegger, could you share what the good practices for outbound firewall rules are? Thanks!
Hey, thanks for the video, I learned many new things!
Can you please let me know how to prevent file access? I have set up a DigitalOcean server and pointed a domain name to it. It works well with the domain name. But when I try with the IP along with a folder path, all files are directly accessible (including the .env file). How can I enhance my server security to reduce this kind of risk?
Thanks! Very helpful.