PSA: Selfhosting? Beware of open ports on the internet!

[prashantkamdar]

If you have all the steps given in the readme, there will be 3 ports exposed over the internet: 7777 (sl-app), 20381 (sl-email) & 5432 (postgresql).

You can verify the ports are open by running the following command from a different machine.

sudo nmap -sS <IP-ADDR> -p 7777,20381,5432

It is important to secure the Postgres port.

Using ufw doesn't help because docker writes persistent rules to the iptables.

To get around this, first run this command to allow only localhost connections to the docker containers:

iptables -I DOCKER-USER -i eth0 ! -s 127.0.0.1 -j DROP

Docker documentation reference for more info: documentation.

Next, to make the changes persistent across reboots, we are going to use iptables-persistent package.

sudo apt install iptables-persistent
sudo service netfilter-persistent save

Reboot your machine and run the above nmap command one more time to verify the said ports are not in closed/filtered state.

I have submitted a PR to add this info in the main readme file.
#584

[nguyenkims]

@prashantkamdar thanks for the suggestion. I think binding to 127.0.0.1 should be enough to avoid the container being accessible to the public. For example instead of using -p 7777:7777, we can use -p 127.0.0.1:7777:77 instead. What do you think?

[prashantkamdar]

Yes, this seems like a good solution.
But it will not be feasible for the existing hundreds (or thousands?) of existing self hosted users?

Reason: you will have to delete the existing sl-db container and recreate it with the above params.
This will essentially delete all the data.
A workaround would probably be to create a migration script before deleting the container.

[nguyenkims]

Reason: you will have to delete the existing sl-db container and recreate it with the above params.
This will essentially delete all the data.

The data is mounted via -v $(pwd)/sl/db:/var/lib/postgresql/data \ so no data should be lost when restarting the container.

I think it's enough to update the README and the upgrade.md at https://github.com/simple-login/app/blob/master/docs/upgrade.md so that when people upgrade to the latest version, they can also change the port binding.

[prashantkamdar]

I feel stupid for having missed the mounted volume of the database.
Should I delete my PR?

[nguyenkims]

No worries :). Maybe we can update the PR to bind the port to 127.0.0.1 instead?

[prashantkamdar]

Thank you @nguyenkims !

Sorry it took a while, but I rebased and created the PR per your suggestion.
If you feel the PR is good to be merged, then my kind request to please add the hacktoberfest-accepted label before merging.

[prashantkamdar]

Thank you for the merge!
#628