Koozali.org: home of the SME Server

Letsencrypt with open ports 80 and 443 - how to harden the primary ibay

Offline SchulzStefan

As letsencrypt wants to have the ports 80 and 443 on the server opened, I'm asking myself how spiders, robots and all other crap can be prevented from access.

I have in mind https://wiki.contribs.org/Htaccess#Using_a_.htaccess_file_to_configure_htaccess_requirements_-_not_recommended.

We do not use the server as a webserver, therefore I feel really uncomfortable having the firewall opened for incoming connections on these ports landing on the SME.

Thanks for any hints.
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline Stefano

any web server is secure as long as it is up-to-date on the daemon side (apache) and the exposed web pages are secure..

a static web page, an empty one, is likely not "hackable" at all and doesn't expose any kind of vulnerability

if you use the redirect (on your page or via .htaccess), almost no one can "touch" your server.

there are thousands of SME servers exposed to wan on ports 80 and 443 and the few times we knew about a compromised machine the fault was in a bugged webapp (CMS like wordpress and joomla)

IMVVVHO you should lower your "paranoid" POV a bit.. don't get me wrong, but SME is a secure appliance, and following the above advice you have nothing to be worried about, really

Offline SchulzStefan

Stefano,

thanks for your reply.

Yes, I'm some kind of paranoid especially with data I want to keep personally.

Quote
if you use the redirect (on your page or via .htaccess), almost no one can "touch" your server.

I understood it's recommended not to use .htaccess with SME. Is that still true?

If I use a redirect in the index.htm like

<!DOCTYPE HTML>
<html>

<head>
  <!-- placeholder target: replace with the real domain hosted at the ISP -->
  <meta http-equiv="refresh" content="1; URL=realdomain-hosted-from-ISP">
</head>

<body></body>
</html>

will letsencrypt still work? I could imagine the requests will also be re-directed to the external domain.

regards,
stefan

Offline Stefano

with such a redirection letsencrypt will work with no issues, 'cause the procedure looks for the hidden .well-known subfolder

Offline SchulzStefan

Thank you, I'll give it a try and will report.

regards,
stefan

Offline DanB35

Quote
As letsencrypt wants to have the ports 80 and 443 on the server opened
Let's Encrypt requires that port 80 be open inbound, but not port 443.  It does require that both 80 and 443 are open outbound.

Offline SchulzStefan

Quote
Let's Encrypt requires that port 80 be open inbound, but not port 443.  It does require that both 80 and 443 are open outbound.

Got this.

As I reported in the bugtracker, I thought I had found a working solution tonight. Without changing anything else, and BEFORE changing the html redirect in the primary ibay, I tried to test with dehydrated -c.

This is the result:

# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
  + ERROR: An error occurred while sending get-request to https://acme-v01.api.letsencrypt.org/directory (Status 504)

Details:
<HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>
An error occurred while processing your request.<p>
Reference&#xxx
</BODY></HTML>

I don't understand it. Do they allow only one request per day, as I created the daily cron job for the request? That worked during the night, as I saw in the logs. I read that the servers are sometimes not reachable. Should I just wait a few days and keep an eye on this? Calling this URL in a browser also ends in a timeout.

regards,
stefan
« Last Edit: May 19, 2017, 02:28:08 PM by SchulzStefan »

Offline DanB35

No, they're having a service disruption right now.  Lots of people are getting that result.  It should be back up shortly.

Offline SchulzStefan

DanB35,

you were right, they're back.

As I followed Janet's advice to change from *.local to a registered domain, and installed letsencrypt for one of my domains, a few questions have come up for me. Maybe someone could help me understand better what makes sense now. Further, I followed the advice from Stefano and added cnames for the newly created subdomains (the hosts are the same now in the SME) in the registered domain to point to my dyndns.

As far as I can see, letsencrypt created all certs, so fine so far.

BEFORE installing letsencrypt my primary domain ended in *.local. It was resolved locally. I have now changed this to a real registered domain ending in *.de. Is it still resolved locally, or must this be changed now?

BEFORE letsencrypt my email retrieval was set to secondary, meaning an external server of my ISP. Email was fetched every 5 minutes.

BEFORE letsencrypt the email delivery was set to my Internet provider's SMTP server.

The whole configuration worked fine since SME 5.x :)

Working now with letsencrypt certs, should I change the email retrieval and delivery? If I change it, would I have to change the MX from my ISP's mailserver to the SME? What would be the advantages/disadvantages? I can't get this clearly sorted out, sorry.

Thanks for any help.
stefan
« Last Edit: May 21, 2017, 12:08:58 PM by SchulzStefan »

Offline janet

SchulzStefan

I will answer one.

Quote
BEFORE installing letsencrypt my primary domain ended in *.local. It was resolved locally. I have now changed this to a real registered domain ending in *.de. Is it still resolved locally, or must this be changed now?

The "resolve locally" setting has nothing to do with external access to your site.
It only affects local users, who will resolve their requests directly to your server without querying external DNS servers.
You might want local users to directly access the local site/domain for some reason or other, or even to access a different site (hosted locally) than the one external users would access. There are many possible reasons for this.

DNS for your domain is handled externally by whoever manages your domains, & external user access is directed to your server by them.

It probably does not matter whether you have resolve locally or resolve to external DNS servers set.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline SchulzStefan

Janet,

thank you for your reply.

Does anybody have hints/suggestions on my other question regarding letsencrypt certs and email?

Quote
Working now with letsencrypt certs, should I change the email retrieval and delivery? If I change it, would I have to change the MX from my ISP's mailserver to the SME? What would be the advantages/disadvantages? I can't get this clearly sorted out, sorry.

It would be nice to get some feedback.
stefan

edit for test result:

I did a test; here's the result of sending an email with delivery via the ISP disabled:

Hi. This is the qmail-send program at xxx.de.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<stefan.schulz@xyz.de>:
Connected to 213.00.000.000 but sender was rejected.
Remote host said: 550 5.1.0 Dynamic/Generic hostnames are blocked. Please contact your Email Provider. Your IP was 84.000.000.000. Your hostname was p57.dip0.t-ipconnect.de

To me that means this will only work with a fixed IP, is that right?
« Last Edit: May 22, 2017, 01:46:50 PM by SchulzStefan »

Offline janet

SchulzStefan

If your Internet connection for the sme server uses a dynamic IP, then your sme server is not likely to be trusted by other mail servers/recipient systems.
You will need to send mail via your ISP's smtp server.
Only your ISP trusts your dynamic IP, as you are physically connected directly to the ISP.

This appears to be what you used to do.

Offline CharlieBrady

Quote
As letsencrypt wants to have the ports 80 and 443 on the server opened, I'm asking myself how spiders, robots and all other crap can be prevented from access.

To control well-behaved robots, create a robots.txt file. Badly behaved robots can't be controlled; just don't put anything in the primary ibay (or any visible ibay) which you don't want them to be able to fetch. You don't need any other hardening.

You are correct about .htaccess - not recommended and not required.
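As an added example (not code from this thread, from SME Server or from dehydrated), the following script builds a local stand-in for the primary ibay's html directory and checks the two points made above: the ACME HTTP-01 validator fetches /.well-known/acme-challenge/<token> directly, so a meta-refresh index.htm does not get in its way, and a robots.txt is all that well-behaved crawlers honour. The token, key authorization and redirect target are constructed placeholder values.

```python
"""Local check of an ACME HTTP-01 webroot beside a redirecting index page."""
import functools
import http.server
import socketserver
import tempfile
import threading
import urllib.request
from pathlib import Path

# Constructed sample values (not real ACME data): a token and its key authorization,
# which the ACME server expects to read back verbatim from the challenge URL.
TOKEN = "ExampleToken-constructed"
KEY_AUTH = TOKEN + ".example-account-thumbprint"
INDEX_HTML = ('<!DOCTYPE HTML><html><head><meta http-equiv="refresh" '
              'content="1; URL=https://realdomain.example/"></head>'
              '<body></body></html>')

def build_ibay(root: Path) -> None:
    """Populate a stand-in for the primary ibay's html directory."""
    (root / "index.htm").write_text(INDEX_HTML)          # redirect for human visitors
    (root / "robots.txt").write_text("User-agent: *\nDisallow: /\n")  # well-behaved bots only
    chal = root / ".well-known" / "acme-challenge"       # hidden folder the validator uses
    chal.mkdir(parents=True)
    (chal / TOKEN).write_text(KEY_AUTH)

def serve(root: Path) -> socketserver.TCPServer:
    """Serve the directory on an ephemeral localhost port from a daemon thread."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=str(root))
    httpd = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd

def fetch(port: int, path: str) -> str:
    with urllib.request.urlopen(f"http://127.0.0.1:{port}{path}", timeout=5) as resp:
        return resp.read().decode()

def check_ibay() -> dict:
    """Return what an ACME validator, a browser and a crawler would each see."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_ibay(root)
        httpd = serve(root)
        try:
            port = httpd.server_address[1]
            return {
                "challenge_ok": fetch(port, f"/.well-known/acme-challenge/{TOKEN}") == KEY_AUTH,
                "index_redirects": 'http-equiv="refresh"' in fetch(port, "/"),
                "robots_blocks_all": "Disallow: /" in fetch(port, "/robots.txt"),
            }
        finally:
            httpd.shutdown()
            httpd.server_close()
```

Running check_ibay() against a real ibay path instead of the temporary directory gives the same three answers, with the challenge fetch working because the validator never loads index.htm.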