Installing Ghost *OR* Why Every Site Should Be Encrypted
I have been wanting to do a blog for a while for multiple reasons.
- I a $200 hosting credit from work to do whatever I want with.
- I enjoy writing and want an outlet to do a bit from time to time.
- I think my opinion matters (not really).
- I wanted to set up my own web server and manage it to learn.
I had done WordPress servers in the past but wanted to try something new and a co-worker recommended Ghost. So I decided to go down that path.
I was intrigued to find that Rackspace already had an image for Ghost ready for orchestration. This meant that your Ghost server was one simple click away. I tried this initially but was unable to figure out where to go after spinning up the server. In retrospect, I am pretty sure the expectation was that you would spin up the server, forget about it, and simply access and manage Ghost through the Web UI. Being as I was completely new to Ghost, I had no idea where to even start. So I decided I might better served to start from scratch and spun up a vanilla Ubuntu server.
I had to look around for a minute to find the Ghost installation package and guide. This was primarilyy due to the fact that Ghost provides their own hosting service as an option. Once I found what I needed in the Developers area (does that make me a Dev now?) everything was a breeze. Their developer guide (https://support.ghost.org/developers/) was very well laid out, covered everything, and got me up and running in just a few minutes. But I wasn't going to stop there. I'm a security guy, I have to secure my server right?
Securing the Server
Although I knew the basics of securing a server (firewall, SSH keys, not logging in as root, etc.) I was not super familiar with doing all of this off the top of my head. I found a great Rackspace Support Network article on securing a Linux server. This got me going right where I needed to go. I configured my account for sudo access, disabled root login via SSH, changed my SSH port, and set up IPTables to block all traffic that was not for my web server or management over SSH. Briana thought it was funny when I told her I had to secure my server because it was now "out in the wild."
I have to be honest though, I was a little nervous during this stage about locking myself out of the server either with my SSH config or with a bad firewall rule. The looming threat of having to either start over or submit a support ticket made me really think through each step and the follow-on effects before I hit enter on each command. But when I was done, I felt great about the fact that I was doing the right sort of security work.
Setting Up SSL
One of my pet peeves in today's internet age is website that do not use HTTPS. I always used to decry standard HTTP sites and lament about how easy it is to install certs and encrypt connections to your website. But I had never done it myself! What business did I have getting up in anyone's chili about SSL/TLS? Aside from knowing that you can get free certs I really had no first-hand knowledge. Well, this was my opportunity to finally setup SSL/TLS certs on my own.
I had heard a ton about Let's Encrypt and their free SSL/TLS certificates. Ghost has great documentation on how to configure the NGINX front end web server for HTTPS and Let's Encrypt has great documentation and how to obtain, install, and maintain certificates. These two sets of documentation together allowed me to install certs and secure my website in under 30 minutes...for free...without any outside assistance.
The Electronic Frontier Foundation (EFF) distributes a utility to automate the generation of certs from Let's Encrypt and the installation of them on your server. This made configuring my server the way I wanted so easy.
Configuring my server with at least a moderate security baseline and securing access to the web site itself was extremely easy. Is my server impervious to attack? Absolutely not, but I am sure that I have done my part to not make myself and easy target.
Seeing how easy setting up a secure website was, I have even less appetite for companies and organizations that either refuse or do not understand how to implement secure practices on the web. There really is no excuse for not encrypting your website, even if you think you have nothing to protect.