Moss sets up all your Linux servers following industry's best practices.

Firewall

All servers managed by Moss are behind a firewall that he configures. Depending on your subscription and the cloud providers you use, Moss will set up the provider's native firewall or equivalent iptables rules on each server.

iptables-based firewall

Moss blocks all incoming traffic towards your server but the strictly needed for managing and running the services it hosts. In the following you can find the traffic allowed:

  • SSH (tcp/22) from any IP address
  • HTTP (tcp/80) from any IP address
  • HTTPS (tcp/443) from any IP address
  • Server metrics (tcp/9100) from any IP address
  • ICMP (v4/v6) from any IP address
  • Local traffic (e.g. to allow your web application to connect to the database hosted on the same server via localhost)

provider firewall

Some cloud providers feature firewall capabilities that simplify management of complex multi-server applications. Moss hides the internal details from you and provides a secure configuration well-suited for your use case. In the following you can find the traffic allowed:

  • SSH (tcp/22) from any IP address
  • HTTP (tcp/80) from any IP address
  • HTTPS (tcp/443) from any IP address
  • Server metrics (tcp/9100) from any IP address
  • MySQL (tcp/3306) from web servers of the same workspace
  • Redis (tcp/6379) from web servers of the same workspace
  • Memcached (tcp/11211, udp/11211) from web servers of the same workspace
  • Beanstalk (tcp/11300) from web servers of the same workspace
  • Local traffic (via localhost)

The former implies that the internal services your applications use (databases, caches, queues, etc) are not exposed to external networks. In the same way, the applications of one workspace cannot connect with the internal services of other workspaces, thus protecting the different environments of your own organization.

SSH

Moss configures your server so that you can always log into it via SSH or upload content onto it by means of SFTP. Moss doesn't deploy the FTP service because of its lack of security, but you may use SFTP instead.

In order to prevent non-authorized accesses into the server, Moss implements the following additional configurations for SSH:

  • Disables remote access as user root.
  • Disables user/password authentication, forcing public key authentication instead. In this way Moss secures your server against brute-force attacks based on password dictionaries.

Users

Moss automatically creates a user on your server.

  • moss: privileged user that's allowed to run commands as root via sudo. The admin of the Moss account is the only one that can log into the server as user moss (unless he/she shares his/her private SSH key, of course).

From Moss you can create additional non-privileged users. You usually employ such users to run their own website - you can isolate different websites on a same server in this way.

Both the admin and the teammates invited to the Moss account may log in the server as a non-privileged user (just upload your public SSH key onto such user via Moss). In this way the developers of a team can do their job without messing with the system configuration, since they won't have permission to make privileged changes.

Automatic security updates

Moss sets up unattended security updates on all servers he manages. This is the most convenient way to apply the latest patches for known vulnerabilities on your servers. After each update, Moss will send you a notification by email or the Slack channel of your choice to inform you about the changes that have taken place.

Moss only applies security updates automatically. Such updates come from official Ubuntu repositories and, in exceptional cases, from well maintained and supported PPAs.

Attack surface

Contrary to other products, Moss only installs the software that each server really needs. In this way, Moss minimizes the attack surface thus reducing the likelihood of compromising your server.

E.g. Moss won't install Apache, Nginx or any other service which isn't being used on a database server if that's the only purpose of such machine. Hence, no web server vulnerability can be exploited to attack the database server.

Another example: if a web server only hosts static websites, Moss won't install the php-fpm daemon. The software required for a PHP website will be installed as you create one on the server.

HTTPS

Moss sets up your websites to be served using the HTTPS secure protocol in a really simple way. You just have to choose one of these two options when creating your site:

  • Provide your own TLS certificate. If you already own a valid certificate for your website, you just have to provide Moss with such certificate and the associated private key. Moss will configure your website to use this certificate.
  • Choose the automatic certificate option for Let's Encrypt. Moss will issue and renew free Let's Encrypt certificates for your websites automatically.

Moss configures your website to redirect users that use HTTP towards HTTPS, thus preferring the secure version of the protocol.

Contact

If you find any security issue or have any doubt about how Moss manages the security of your servers, don't hesitate to contact us through our support chat 😄

Did this answer your question?