How to whitelist an IP on DigitalOcean

This tutorial will show you how to whitelist IP addresses for DigitalOcean Droplets.


Server attacks become more complex by the day.

That’s why Droplet owners use stringent security measures.

But there are scenarios where they need to whitelist trusted IP addresses to bypass these security restrictions.

That’s why we often receive requests from DigitalOcean Droplet owners to whitelist an IP as part of our DigitalOcean Managed Services.

Whitelisting an IP address from the DigitalOcean control panel is an easy process, but things can go wrong if it isn’t done properly.

Today, let’s discuss the steps to whitelist an IP and the 5 common issues to avoid while whitelisting an IP in DigitalOcean.

Cloud firewall – DigitalOcean firewall service

Before we move on to the steps, let’s first get a brief idea of the Cloud firewall.

DigitalOcean provides a built-in firewall service, “Cloud firewall”, to secure Droplets.

Here, all rules are organized in a centralized location and apply to every Droplet assigned to the firewall.

They block all traffic except what is explicitly opened in the Cloud firewall.

In other words, the firewall blocks every connection to a port that isn’t on the whitelist, or that comes from a source that doesn’t match a rule.

So, if you need an IP to access your Droplet, or need to allow connections to an IP, you have to explicitly add it to the firewall.

DigitalOcean : whitelist IP – 5 common issues to avoid

Droplet owners usually whitelist an IP from the DigitalOcean control panel using the following steps.

  • Go to Networking > Firewalls > Create Firewall.
  • Add Inbound rules to allow incoming connections.
  • Add Outbound rules to allow outgoing connections.
  • Assign Droplet to these firewall rules.

Looks easy, right? But this can go wrong if it’s not done properly.

1) Messed up firewall rules

Usually, we create a firewall from Networking > Firewalls > Create Firewall in DigitalOcean control panel.

[Figure: How to create a firewall in a DigitalOcean Droplet]

But, we’ve seen cases where Droplet owners approach us and say that they have messed up the firewall rules and are not sure where to add the new rule.

In these cases, our Support Engineers first analyze the firewalls created in the Droplet.

Then we organize them by the role each rule performs, so that customers can categorize each rule according to its role in the Droplet.

For example, consider a Droplet running WordPress websites.

In this case, our Security experts create 2 firewalls, one for whitelisting HTTP/HTTPS ports and one for whitelisting SSH port.


2) Wrong Inbound/Outbound rules

Inbound rules define which type of traffic is allowed, to which port, and from which source.

Outbound rules define the type of traffic that may leave the Droplet from each port to selected destinations.

If no rules are specified, all incoming and outgoing connections are dropped.

These rules are managed from the Inbound/Outbound rules section of the DigitalOcean control panel.

[Figure: How to whitelist an incoming connection from an IP]

However, we’ve seen cases where Droplet owners use incorrect protocol details while whitelisting an IP address.

For example, many fundamental services such as ping, DNS lookups and web requests depend on outbound rules, and DNS lookups in particular require outbound UDP.

If the protocol is not selected correctly while whitelisting an IP address, the whole task fails: the whitelist rule exists but doesn’t perform its intended job.

In such cases, our Support Engineers analyze the Inbound/Outbound rules configured for the Droplet and ensure that the correct protocol, ports, etc. are given in each firewall rule.

3) Forgot to Assign droplet

For the created firewall rules to apply to a Droplet, Droplet owners must explicitly add the Droplet using the Apply to Droplets feature.

But Droplet owners often miss this step and contact us saying that their firewall rules are not active on their Droplets.

Therefore, our Support Engineers make it a point to map each Droplet to the corresponding firewall rules.

Note also that DigitalOcean allows up to 10 Droplets per firewall.

When more are needed, we use Tags, which are text labels that group Droplets so they are easy to identify.

Once we’ve tagged the Droplets, we use these tags to map them to firewall rules. In this way, we overcome the per-firewall Droplet limit.

4) Difficult to manage multiple Droplets

Even though whitelisting an IP address from the DigitalOcean control panel is quite easy, it becomes a tedious task when you have many Droplets to manage.

In such cases, our Hosting Engineers use the DigitalOcean doctl command line utility to manage the firewall.

For example, to create a firewall named testing and allow incoming connections from IP 102.xx.10x.156 to port 22, we use the command below (the rule is written as comma-separated key:value pairs).

doctl compute firewall create --name testing --inbound-rules "protocol:tcp,ports:22,address:102.xx.10x.156"

Similarly, if we need to whitelist multiple IP addresses in the firewall, our Cloud Experts create custom scripts to make it a pain-free task.

5) Whitelist IP on a network interface

Sometimes, Droplet owners need to whitelist connections to one network interface.

Since DigitalOcean doesn’t support this feature, our Hosting Engineers use host-based firewall services.

For example, a CentOS server uses iptables as its firewall service, while Ubuntu uses UFW.

So, to whitelist all connections on interface eth0, we use the below rule in iptables.

iptables -A INPUT -i eth0 -j ACCEPT
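
The doctl command above whitelists a single IP, and the iptables rule above accepts every source on eth0. As an added example (not code from the original article), the POSIX shell script below takes a list of trusted IPs and produces both the doctl --inbound-rules value for the Cloud firewall and the host-based iptables rules for one interface that accept the port only from those IPs and drop the rest; the firewall name ssh-allowlist, interface eth0, port 22 and the 203.0.113.x / 198.51.100.x addresses are assumed sample values.

```sh
#!/bin/sh
# Added example (not from the original article): build allow-list rules from a
# list of trusted IPs, both for the DigitalOcean cloud firewall (doctl) and for a
# host-based iptables firewall bound to one interface. Commands are printed, not run.

# Accept only an IPv4 address or CIDR prefix (e.g. 203.0.113.7 or 198.51.100.0/24).
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Build the value doctl expects for --inbound-rules: one
# "protocol:tcp,ports:PORT,address:IP" rule per trusted IP, separated by spaces.
doctl_inbound_rules() {
  port="$1"; shift
  rules=""
  for ip in "$@"; do
    is_ipv4 "$ip" || { echo "rejected invalid address: $ip" >&2; return 1; }
    rules="${rules:+$rules }protocol:tcp,ports:${port},address:${ip}"
  done
  printf '%s' "$rules"
}

# Host-based equivalent for one interface: accept the port only from the trusted
# IPs and drop everything else arriving on that interface for that port. A bare
# "-i eth0 -j ACCEPT" would instead admit every source on the interface.
iptables_iface_rules() {
  iface="$1"; port="$2"; shift 2
  for ip in "$@"; do
    is_ipv4 "$ip" || { echo "rejected invalid address: $ip" >&2; return 1; }
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -s %s -j ACCEPT\n' "$iface" "$port" "$ip"
  done
  printf 'iptables -A INPUT -i %s -p tcp --dport %s -j DROP\n' "$iface" "$port"
}

# Constructed sample allow-list using documentation ranges (not real hosts); the
# firewall name, interface and port are assumed values.
TRUSTED="203.0.113.7 198.51.100.0/24"
rules=$(doctl_inbound_rules 22 $TRUSTED) || exit 1
echo "doctl compute firewall create --name ssh-allowlist --inbound-rules \"$rules\""
iptables_iface_rules eth0 22 $TRUSTED
```

Review the printed commands before running them, since the final DROP rule will cut off any source you forgot to list.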


Conclusion

In short, Droplet owners often need to whitelist trusted IP addresses to bypass the security restrictions in the server. Today, we’ve discussed the steps to whitelist an IP in DigitalOcean, the 5 common issues to avoid, and the solution to these common problems from our Cloud Experts.

One of the first things that we ask from our users after they create their Hackmetrix account is to whitelist our IP addresses in their firewall rules.

Because Hackmetrix simulates attacks on your site or app in order to report vulnerabilities and show you how to fix them, it works best if your firewall lets us do our thing.

Now, since we’ve gotten a few questions about how and why to do this, we wrote this article to explain what whitelisting means and to give step-by-step instructions for doing it in 3 of the most popular services for developers: AWS, DigitalOcean, and Cloudflare.

Let’s dive in!

What is whitelisting?

First things first: IP whitelisting doesn’t mean you’ll turn off your firewall.

A firewall whitelist is a set of configurations that let you specify which IPs can have access to your platform, allowing even suspicious behavior from them, while keeping your security configuration in force for any other addresses that are not on that whitelist.

Why do I have to whitelist Hackmetrix?

As I mentioned before, because we need to allow “suspicious behavior”. If you are trying to use Hackmetrix to test your website, we are that suspicious behavior that you need to allow behind your firewall, and you will need to whitelist our IP.

But what if I don’t want to do it?

Then the results you’ll get on your report could be off – by a lot. After a few attacks, the firewall will see our server as a threat and it will start to block the attacks.

This makes it very hard for a scan to be completed, and might even force Hackmetrix to increase the time between requests by so much that the scan might never end.

Additionally, firewalls are not a vulnerability fixer.

Firewalls are a measure to mitigate attacks, and they don’t guarantee that your application code is safe, nor your application structure. Because of this, if an attacker finds a way to bypass your firewall/WAF, the platform will stay vulnerable through all the security issues that weren’t detected and fixed – even after you go live.

How can I whitelist?

How to do this can vary depending on your firewall, but you can find help on how to whitelist IPs for some of the most common ones in the following list.

Cloudflare

The first screen you’ll see immediately after you log in will be the home screen. This view shows the websites you have protected with Cloudflare; select the site on which you want to whitelist the IP address.

Now look for the Firewall option in the top horizontal list. Once in the Firewall settings, scroll down and you will find a subsection called IP Firewall. This section has the Access Rules that will allow you to whitelist.

Here you will have an Access Rules search followed by the three fields we need: in the first field (text) we specify the host/IP or range of hosts/IPs that we want to allow.

The second field (dropdown) is the action that we want to execute for the host we have written; in this case, Whitelist.

The third field, also a dropdown, lets us apply this rule to all our websites under Cloudflare, or only to the website we are configuring.

There is also a fourth, optional field that lets us leave a note or identifier for the rule. Finally, click the Add button.

So, in conclusion:

  • Go to the website where you want to whitelist an IP
  • Go to the Firewall option
  • Scroll down to Access Rules
  • Add the IP/host to whitelist, select the Whitelist option and the domain over which the rule will have effect
  • Click Add

AWS Firewall (ACL)

Ok, finding the correct settings to configure here can be a bit complicated, so hopefully these instructions are clear.

Once we are inside the console we need to go to the EC2 service section; we can find it by clicking the Services dropdown in the top-right menu.

In the EC2 Dashboard we’ll find a whole lot of settings, but we are looking for the Security Groups option, which we can find in the Network & Security section of the left menu.

Security Groups act as a virtual firewall that controls traffic for one or more instances. This panel allows us to create different kinds of rules for how each instance should behave against generic or specific requests; in other words, this is where we whitelist IPs.

This screen shows a button to Create Security Group, click that and you’ll see a new modal window to set the Security Group information (name, description, VPC) and its rules. These rules will be what define the whitelisting.

Finally, we need to go to the Inbound tab and set the first Type dropdown under All traffic. Right away we can see how the two following fields –Protocol and Port Range– are automatically filled out with All and 0 – 65535 to cover the whole network. Next, we’ll set the Source dropdown under Custom and set the IP/host to whitelist in the text box.

To finalize, we can add a description as a guide to the rule, and at last we click the Create button.

Congratulations! We have created our whitelist rule 😀 But which EC2 instance is it working on? We still have to attach our new Security Group to an EC2 instance, so from where we are, we go to the EC2 Dashboard and click on Running Instances.

Once there select the instance on which we want the rule to run, and click the Actions dropdown. You’ll now see a Networking submenu with the Change Security Groups option, click on it. A modal window should pop up containing a Security Groups list, find the one you just created and select it, after that click on Assign Security Groups.

There, you’ve successfully whitelisted an IP on AWS!

To sum up:

  • Go to EC2
  • Go to Security Groups in the left menu
  • Click on Create Security Group
  • Set the group information
  • In the Inbound tab click on Add Rule button
  • Set Type in All traffic, Source in Custom, and the IP/host to whitelist in the text box
  • Add a description if you want and click the Create button
  • Go to the EC2 Dashboard
  • Go to Running Instances
  • Select the instance on which the rule should run
  • Go to the Actions dropdown, Networking, Change Security Groups
  • Look for your Security Group and select it
  • Click on Assign Security Group

DigitalOcean Firewall

Ok, this case is fortunately easier than before. Once we have logged in to the DigitalOcean panel, we can see a left menu with a Manage submenu; click that and you’ll see a Droplets option. Go to Droplets and you will see a list of your DigitalOcean instances; select the droplet where you want to whitelist the IP address.

Inside the Droplets section you will find a secondary menu before the main menu on the left, there you will find the Networking option, click on it. Scroll down to the bottom and you’ll see a small section titled Firewalls with a button that says Manage Firewalls.

If you click this button you will go to the Firewalls subsection on the Networking page, here you can find another button that says Create Firewall and a list with all the firewalls already up.

At this point, two options exist: edit one of those firewalls, or create a new one. The steps are the same in both cases, so click the firewall that is acting on the droplet where you want to whitelist, or, if you want to create a new one, click Create Firewall (with this option you will have to give the firewall a name).

What we are going to do now is create a new Inbound Rule (you got it, under the Inbound Rules section), so we need to find the New Rule dropdown. In it you’ll find two options: All TCP and All UDP. Because these options are independent, to enable both of them we will have to create two different rules, one for each option. All the other information will be the same.

So, select one of these options under the New Rule dropdown. In the Sources text box, we will find two cards: All IPv4 and All IPv6. Delete them and write the IP/host you need to whitelist.

To finish, if you are editing an existing firewall, click the Save button next to the text box. If you are creating a new firewall, then at the end of the page, in the Apply to Droplets section, you’ll need to specify the droplet the firewall will act on. After doing this, click the Create Firewall button at the bottom of the page. You’re done!

Let’s review:

  • Go to Droplets section in the left menu
  • Select the droplet where you want to whitelist the IP address
  • Go to Networking
  • Scroll down and click the Manage Firewalls button
  • If you want to edit an existing firewall:
    • Select the firewall to edit from the list
    • In Inbound Rules section, select All UDP/All TCP (create a rule for each one) in the New Rule dropdown
    • Delete the cards All IPv4 and All IPv6 from the Sources text box and write the IP/host you want to whitelist
    • Click on the Save button next to the Sources box
  • If you want to create a new firewall:
    • Click Create Firewall
    • Set a name
    • In the Inbound Rules section, select All UDP/All TCP (create a rule for each one) in the New Rule dropdown
    • Delete the cards All IPv4 and All IPv6 from Sources text box and write the IP/host you want to whitelist
    • Select the droplet where you want the rule to act
    • Click Create Firewall at the bottom of the page

Great! So now you know how to whitelist any IP in your firewall rules, and why it might be convenient to do so.

If you have a Hackmetrix account and you followed this process with our addresses, this means that we can now show you even better results on the potential vulnerabilities on your site or app.

Don’t have an account yet? You can make one and try out our free plan, you’ll get a free scan every month, with a detailed report on every security flaw found on your site and tips on how to fix them.