This is how I set up a whitelisted IP on an UpCloud VM and WordPress using a VPN to get a static IP address
If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.
Buy a domain name from Namecheap here.
Before you begin
Take a backup of WordPress files + database and take a snapshot of your VM (see my UpCloud VM guide here).
Having a ready backup IS a good idea.
Whitelisting is not bulletproof but it is an important link in the security chain. Security is only as good or bad as the strength of your weakest link.
Using updated software, applying patches, using HTTPS, using a reliable host in a reliable location, using good passwords are equally important as IP filtering. Whitelisting IP’s goes a long way to ensuring you have least access privileges on connections.
Remember to scan your site with OWASP Zap, Qualys and Kali Linux too.
What IP’s are you going to Whitelist?
Q1) Does your ISP offer a static IP address (or a dynamic IP)?
My ISP does NOT provide a static IP by default (I can pay $20 a month for one (that’s too expensive)).
You can check your public IP by loading http://icanhazip.com/ (this will return your public IPV4 address).
Load https://ipv6.icanhazip.com/ to view your IPV6 IP (if you have one)
Q2) Do you need to whitelist IP addresses while on the go (Mobile)? If so I would recommend you whitelist a VPN’s IP or IP range.
Recently I had Apache web server auto-install and knock out my NGINX web server and I needed to login on a mobile device to investigate, Luckily I whitelist my VPN’s IP and logged in from my mobile device and resolved the issue.
Use a VPN to get a static IP
If you don’t have a static IP or you want to connect to your site on the go (Mobile) you can set up a VPN and use their static IP
I was using http://cyberghostvpn.com/ to have a static IP but a server failure in Sydney caused my defined whitelisted IP to disappear so I change to https://protonvpn.com/ (as Cybergost were unable to provide known IP’s of VPN servers).
TIP: Don’t just whitelist one server, whitelist a few as you never know when a server will go down.
Here is a screenshot of the 1st VPN I tried (Cyberghost), Cyberghost VPN is connected to a specified server (Dallas).
I switched to ProtonVPN.
Here is a screenshot of ProtonVPN connected to a Switzerland server. Read more about Proton VPN here.
I set Proton VPN to auto-start and connect to my desired server
Proton VPN offered me a 7-day PLUS trial (All Countries, 5 devices, highest speed, secure core etc) after I started using the free version (3 countries, 1 device, speed low). I assume everyone gets the same PLUS trail offer.
You can view Proton plans and pricing here.
Ok, now that we know how to get a static IP, let’s configure some firewalls.
Network Firewall at UpCloud
I use the awesome UpCloud to hold my domains (read more about UpCloud performance here). You can log in to your UpCloud Dashboard and load the server list, click your server and then click Firewall and define firewalls.
Firewall: Open IPv4/IPv6 ports for:
- 53 (DNS)
- 80 (HTTP)
- 443 (HTTPS)
Only allow access to port 22 from whitelisted IP’s (or IP ranges)
I like to set separate firewall rules for IPV4 and IPV6, for TCP or UDP and I limit rules to certain IP range and port.
I also like to run a ufw firewall (more information on ufw) on my Ubuntu server (read this guide on securing Ubuntu in the cloud and running a Lynis audit).
Manually setup firewall rules in ufw.
sudo ufw allow from 22.214.171.124 to any port 22 sudo ufw allow from 126.96.36.199 to any port 22 sudo ufw allow from 188.8.131.52 to any port 22
Don’t forget t restart your firewall
sudo ufw disable sudo ufw enable
Run a local nmap scan to find open ports
nmap -v -sT localhost Starting Nmap 7.60 ( https://nmap.org ) at 2018-07-04 22:30 AEST Initiating Connect Scan at 22:30 Scanning localhost (127.0.0.1) [1000 ports] Discovered open port 25/tcp on 127.0.0.1 Discovered open port 22/tcp on 127.0.0.1 Discovered open port 80/tcp on 127.0.0.1 Discovered open port 443/tcp on 127.0.0.1 Discovered open port 3306/tcp on 127.0.0.1 Completed Connect Scan at 22:30, 0.02s elapsed (1000 total ports) Nmap scan report for localhost (127.0.0.1) Host is up (0.000086s latency). Not shown: 995 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 443/tcp open https Read data files from: /usr/bin/../share/nmap Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds Raw packets sent: 0 (0B) | Rcvd: 0 (0B)
Don’t be concerned if you see open ports from a local nmap scan (e.g port 22 or 3306), these are locally open. We need to scan externally to see if these ports are opened.
Scan your site with an external nmap tool like pen-test-tools or here.
You should not have non-web based service ports freely open externally (web-based ports e.g 80 and 443 are ok)
Port 22 access should be whitelisted to select IP’s only. You should not have any database ports open externally.
Whitelisting WordPress Access
Download WordFence plugin for WordPress from https://www.wordfence.com/
Read more on downloading WordPress plugins from the command line here. Read my past Wordfence post here.
Once Wordfence is installed open the WordFence All Options screen (/wp-admin/admin.php?page=WordfenceOptions).
Now you can add your static IP (or IP ranges) to the WordFence whitelist.
Setup auto block for any non whitelisted Itryingng to login to /wp-login.php
I permanently ban any IP accessing my login page (there are many).
What to do with rejected IP connections?
Wordfence will block connections to WordPress. I’d suggest you setup fail2ban to block other unwanted connections at network level too.
You should now have a VM that will allow port 22 access by whitelisted IP’s and a WordPress that only allows logins from whitelisted IP’s.
- If you forget to start your VPN you can’t log in to your VM via port 22 or log in to WordPress (excellent, this is by design).
- Secure (need I say more)
I hope this guide helps someone.
Please consider using my UpCloud referral code and get $25 UpCloud VM credit for free when you signup to create a new VM.
Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]
v1.2 Added Proton plans link
v1.1 Added auto block WordFence option
v1.0 Initial Post