A tool for developers to easily configure firewalls and gain access to their servers when using DigitalOcean cloud firewalls.
Droplets and cloud servers are often targeted by hackers. As long as you have been running a server with a publicly accessible SSH daemon, a MySQL database server or similar software, you've probably already have been targeted.
Hackers have gotten more sophisticated tools over the years, enforcing developers and system administrators to enforce stricter security policies. Running a firewall where you restrict access to only certain IP's is a solution to many of these issues, but can often be a hassle to manage and update - especially for developers who are on the fly and switching IP address every few hours.
The issue for probably many (speaking of personal experience) is that security is often compromised to enhance comfort (e.g. leaving a firewall open from all addresses).
DigitalOcean offers a Cloud Firewall that acts as a firewall outside your server, and can be fully configured using their API. This tool utilizes this API to automatically configure the cloud firewalls to accept connections from your current IP address (both IPv4 and IPv6). It will automatically remove old IP addresses from the firewall as well to improve security.
The goal of this tool is to encourage better security by making the process of managing firewalls and server access management a less of an inconvenience.
You can get started by cloning the repository or downloading it in ZIP-form.
Go to DO Firewalls. Create a firewall called allow-developer. You can also use other names, but then you have to specify the name either in ./config.json or as a argument option. See below for the argument options.
Add it to your tags or droplets. Make sure that there are at least 1 outbound rule and 1 that matches 127.0.0.1. (This is done because firewalls needs at least one active rule, and this tool would delete all entries causing an error).
It should look something like this:
Once you have created a firewall, assigned it to your tags and/or droplets and created the "base-rule" for 127.0.0.1, you're done on the server side.
NB: This firewall should only be used as a "developer firewall". Your droplets can have multiple firewalls assigned and this program is designed to utilize this design pattern. This program therefore deletes all rules that do not match the current IP-address(!).
-
Create
./config.auth.jsonfile with the following content:{ "bearer-token": "YOUR-DIGITALOCEAN-BEARER-TOKEN-HERE" } -
Configure
./config.jsonto reflect the rules your firewall should have. You can use port ranges as well as ports. See the DigitalOcean API for details. (Default are SSH, 22 and MySQL, 3306).
Run node app.js
or e.g:
Run node app.js --firewall-name="your-personal-firewall"
The program should now delete records in the firewall that do not match your current IPV4/IPV6 address (or 127.0.0.1) and create new ones for your current address.
Your output should look like this:
The following argument options can be used. Please note that argument options are case sensitive.
| Argument | Description | Default value |
|---|---|---|
--firewall-name |
Specifices which firewall should be used. This could be useful when multiple developers are working on the same server from different locations (ie. using one fw each). | Will fall back to firewall_name property in ./config.jsonIf no property is found default value will be allow-developer |
--IPv4 |
Specifies IPv4 address to be used. | Will automatically try to resolve using public-ip which uses DNS lookups (might not be suitable for all public networks such as airports). |
--IPv6 |
Specifies IPv4 address to be used. | Will automatically try to resolve using public-ip which uses DNS lookups (might not be suitable for all public networks such as airports). |
These arguments aren't required for the usage for the program itself, but are used to configure a whitelist of IP's that always will be kept on the firewall. This is useful if multiple developers are using the same firewall or e.g. you always want your home and office network connections to be whitelisted.
You can always make adjustments directly to the ./whitelist.json file as well (these options are simply an interface for the json-file).
| Argument | --ip flag |
--fw-name flag |
Description |
|---|---|---|---|
--wh-add |
Required | Optional | Adds an IP to the whitelist. If no fw-name is supplied the IP will be added to global whitelist. |
--wh-remove |
Required | Optional | Removes an IP from the whitelist. If no fw-name is supplied the IP will be removed from the global whitelist. |
--wh-clear |
No | Optional | If fw-name is specified, the supplied firewall whitelist will be cleared. If not, the entire whitelist will be cleared. |
--wh-list |
No | Optional | If fw-name is specified, the supplied firewall whitelist will be listed. If not, the entire whitelist will be listed. |
The file should be created automatically upon using any of the above arguments. If you wish to create or modify it manually, be sure to use the following format:
{
"global": [ip1, ip2, ...],
"firewalls": {
"fw1": [ip1, ip2, ...],
"fw2": [ip1, ip2, ...]
}
}
Default file:
{
"global": [],
"firewalls": {}
}Add support for custom firewall nameDoneAdd "whitelist" of IP's that should not be deletedDone- Update help screen to include whitelist info. (./modules/Helper)
Make the tool available from terminalDone (do-firewall)- Create better help for CLI tool. Autogenerate
./config.json,./whitelist.jsonand./config.auth.json? - Either add bearer token as a argument/flag or through environment variables. (Or something like that)
- Support different sets of rules (different rules for different firewalls)
Support multiple firewalls.Done (See--fw-nameand whitelist)
Feel free to contribute. A contribution guideline will be developed at some point when I have time.. Contributors are more than welcome at any time.
MIT Copyright Erlend Ellingsen 2018. See LICENSE.