From 7f7f15b95f77f57302878cabee22db04ac9060eb Mon Sep 17 00:00:00 2001 From: Jonathan Visser Date: Mon, 21 Jul 2025 14:48:19 +0200 Subject: [PATCH 1/2] Split up firewall docs, add SSH allowlist docs --- docs/best-practices/firewall.md | 72 ++------------- .../allowing-forusp-to-the-firewall.md | 38 ++++++++ .../firewall/ftp-waf-database-allowlist.md | 90 +++++++++++++++++++ docs/best-practices/firewall/ssh-allowlist.md | 57 ++++++++++++ 4 files changed, 192 insertions(+), 65 deletions(-) create mode 100644 docs/best-practices/firewall/allowing-forusp-to-the-firewall.md create mode 100644 docs/best-practices/firewall/ftp-waf-database-allowlist.md create mode 100644 docs/best-practices/firewall/ssh-allowlist.md diff --git a/docs/best-practices/firewall.md b/docs/best-practices/firewall.md index dd4248ba..934c294b 100644 --- a/docs/best-practices/firewall.md +++ b/docs/best-practices/firewall.md 
@@ -7,69 +7,11 @@ myst: # Firewall -In the text below we will explain how you can add an IP to the whitelist by using the control panel or CLI (command-line interface). Whitelisting an IP can be for multiple reasons like, connecting via FTP, connecting to a database or for security scans like ForusP. - -## Adding IP Addresses in the allowlist via the control panel for FTP, WAF and database - -Follow these steps to whitelist an IP addresses for FTP: - -- Go to the [control panel](https://my.hypernode.com) -- Log in with your credentials -- Once logged in, select the Hypernode you wish to configure -- Click on **Allowlist** from the menu -- Select **Rule type** and choose here for example **FTP** from the dropdown -- Enter the IP address you want to add to the whitelist -- Provide a descriptive name for the entry for example **OfficeArnhem**. Use descriptive names when adding entries to help identify their purpose in the future. -- Click on **Save** to apply the changes - -### Adding IP Addresses by using CLI - -For users comfortable with the CLI, you can add the IP addresses directly on the server. This requires logging into the server using SSH. - -```bash -hypernode-systemctl whitelist add ftp 1.2.3.4 --description "OfficeArnhem" -``` - -If you want to remove an added registration, use the command below: - -```bash -hypernode-systemctl whitelist remove ftp 1.2.3.4 -``` - -## How to add ForusP to the whitelist - -To ensure that ForusP can perform their scan on your Hypernode without anyissues, the IP addresses associated with ForusP must be added to the Hypernode Web Application Firewall (WAF). The WAF acts as a layer of protection by filtering incoming traffic and blocking potential threats. Adding the necessary IP addresses to the allowlist ensures that the scanning process runs smoothly without interruptions. You can achieve this by either using the Hypernode Control Panel or by executing commands directly on the server using the command-line interface (CLI). 
- -### Adding IP Addresses in the allowlist via the Control Panel - -Follow these steps to add ForusP's IP addresses using the Hypernode Control Panel: - -- Go to to my.hypernode.com -- Log in with your credentials -- Once logged in, select the Hypernode you wish to configure -- Click on **Allowlist** from the menu -- Select **Rule type** and choose **WAF** from the dropdown -- Enter the IP address you want to allow - IP addresses ForusP: **154.16.73.227** | **132.226.222.205** | **144.24.249.196** -- Provide a descriptive name for the entry for example ForusP. Use descriptive names when adding entries to help identify their purpose in the future. -- Click on **Save** to apply the changes - -Repeat the steps above to add the others. The IP addresses you add will become active within a few minutes, allowing ForusP to access your Hypernode environment without being blocked by the firewall. - -### Adding IP Addresses by using CLI - -For users comfortable with the command-line interface, you can add the IP addresses directly on the server. This requires logging into the server using SSH. Follow these steps: - -```bash -hypernode-systemctl whitelist add waf 154.16.73.227 --description "ForusP" -``` - -```bash -hypernode-systemctl whitelist add waf 132.226.222.205 --description "ForusP" -``` - -```bash -hypernode-systemctl whitelist add waf 144.24.249.196 --description "ForusP" +```{toctree} +--- +caption: Table of Contents +maxdepth: 1 +glob: +--- +firewall/* ``` - -By following the steps outlined above, you can ensure that ForusP has the necessary access to perform scans on your Hypernode environment without encountering any firewall-related issues. Proper configuration of the WAF helps maintain a secure and efficient system while allowing trusted services to operate seamlessly. diff --git a/docs/best-practices/firewall/allowing-forusp-to-the-firewall.md b/docs/best-practices/firewall/allowing-forusp-to-the-firewall.md new file mode 100644 index 00000000..373c8d55 
--- /dev/null +++ b/docs/best-practices/firewall/allowing-forusp-to-the-firewall.md 
@@ -0,0 +1,38 @@ +--- +myst: + html_meta: + description: Learn how to allow FocusP on the Hypernode Allowlists + title: Allowing FocusP to the Firewall | Hypernode +--- + +# How to add ForusP to the whitelist + +To ensure that ForusP can perform their scan on your Hypernode without anyissues, the IP addresses associated with ForusP must be added to the Hypernode Web Application Firewall (WAF). The WAF acts as a layer of protection by filtering incoming traffic and blocking potential threats. Adding the necessary IP addresses to the allowlist ensures that the scanning process runs smoothly without interruptions. You can achieve this by either using the Hypernode Control Panel or by executing commands directly on the server using the command-line interface (CLI). + +## Adding IP Addresses in the allowlist via the Control Panel + +Follow these steps to add ForusP's IP addresses using the Hypernode Control Panel: + +- Go to to my.hypernode.com +- Log in with your credentials +- Once logged in, select the Hypernode you wish to configure +- Click on **Allowlist** from the menu +- Select **Rule type** and choose **WAF** from the dropdown +- Enter the IP address you want to allow + IP addresses ForusP: **154.16.73.227** | **132.226.222.205** | **144.24.249.196** +- Provide a descriptive name for the entry for example ForusP. Use descriptive names when adding entries to help identify their purpose in the future. +- Click on **Save** to apply the changes + +Repeat the steps above to add the others. The IP addresses you add will become active within a few minutes, allowing ForusP to access your Hypernode environment without being blocked by the firewall. + +## Adding IP Addresses by using CLI + +For users comfortable with the command-line interface, you can add the IP addresses directly on the server. This requires logging into the server using SSH. 
Follow these steps: + +```bash +hypernode-systemctl whitelist add waf 154.16.73.227 --description "ForusP" +hypernode-systemctl whitelist add waf 132.226.222.205 --description "ForusP" +hypernode-systemctl whitelist add waf 144.24.249.196 --description "ForusP" +``` + +By following the steps outlined above, you can ensure that ForusP has the necessary access to perform scans on your Hypernode environment without encountering any firewall-related issues. Proper configuration of the WAF helps maintain a secure and efficient system while allowing trusted services to operate seamlessly. diff --git a/docs/best-practices/firewall/ftp-waf-database-allowlist.md b/docs/best-practices/firewall/ftp-waf-database-allowlist.md new file mode 100644 index 00000000..66aaf177 --- /dev/null +++ b/docs/best-practices/firewall/ftp-waf-database-allowlist.md 
@@ -0,0 +1,90 @@ +--- +myst: + html_meta: + description: Learn how to manage IP addresses on the Hypernode allowlists + title: How to allowlist FTP, WAF and database? | Hypernode +--- + +# How to allowlist FTP, WAF and database + +In the text below we will explain how you can add an IP to the whitelist by using the control panel or CLI (command-line interface). Whitelisting an IP can be for multiple reasons like, connecting via FTP, connecting to a database or for security scans like ForusP. + +## Adding IP Addresses in the allowlist via the control panel for FTP, WAF and database + +Follow these steps to whitelist an IP addresses for FTP: + +- Go to the [control panel](https://my.hypernode.com) +- Log in with your credentials +- Once logged in, select the Hypernode you wish to configure +- Click on **Allowlist** from the menu +- Select **Rule type** and choose here for example **FTP** from the dropdown +- Enter the IP address you want to add to the whitelist +- Provide a descriptive name for the entry for example **Office webshop**. Use descriptive names when adding entries to help identify their purpose in the future. +- Click on **Save** to apply the changes + +## Using the hypernode-systemctl whitelist command (CLI) + +The `hypernode-systemctl whitelist` command allows you to manage allowlist entries for different services on your Hypernode. You can use it to add, remove, or list allowlist entries for FTP, WAF, database, and SSH. + +### Command structure + +``` +hypernode-systemctl whitelist [-h] {add,remove,get} ... +``` + +- **add**: Add an IP address to the allowlist for a specific service. +- **remove**: Remove an IP address from the allowlist for a specific service. +- **get**: List current allowlist entries. You can filter by service type. 
+ +### Supported types + +You can specify the type of service for which you want to manage the allowlist: + +- `ftp` +- `waf` +- `database` +- `ssh` + +### Adding an IP with a description + +You can add a description to help identify the purpose of the allowlist entry: + +``` +hypernode-systemctl whitelist add [--description DESCRIPTION] {waf,database,ftp,ssh} ip +``` + +**Example:** + +``` +hypernode-systemctl whitelist add --description "Office SSH access" ftp 1.2.3.4 +``` + +### Removing an IP from the allowlist + +To remove an IP address from the allowlist for a specific service, use the following command: + +``` +hypernode-systemctl whitelist remove {waf,database,ftp,ssh} ip +``` + +**Example:** + +``` +hypernode-systemctl whitelist remove ftp 1.2.3.4 +``` + +### Listing allowlist entries + +To view all allowlist entries, use: + +``` +hypernode-systemctl whitelist get +``` + +To filter by type (e.g., only FTP): + +``` +hypernode-systemctl whitelist get --type ftp +``` + +This will show all currently allowlisted IPs for the specified service. diff --git a/docs/best-practices/firewall/ssh-allowlist.md b/docs/best-practices/firewall/ssh-allowlist.md new file mode 100644 index 00000000..97717099 --- /dev/null +++ b/docs/best-practices/firewall/ssh-allowlist.md 
@@ -0,0 +1,57 @@ +--- +myst: + html_meta: + description: Learn how the SSH firewall allowlist works on Hypernode and how to + manage SSH access securely + title: How does the SSH allowlist work? | Hypernode +--- + +# How does the SSH allowlist work? + +The SSH firewall allowlist on Hypernode works differently from the allowlists for FTP, WAF, and database. Understanding this difference is crucial to avoid accidentally locking yourself out of your server. + +## Default behavior: SSH vs. other allowlists + +- **FTP, WAF, and database**: By default, all incoming connections are blocked. Only IP addresses that are explicitly allowlisted will be able to connect. +- **SSH**: By default, SSH is open to the entire internet. Anyone can attempt to connect to your server via SSH unless you add entries to the SSH allowlist. + +## What happens when you add an SSH allowlist entry? + +As soon as you add one or more entries to the SSH allowlist, the firewall will immediately block all SSH access except for the IP addresses on the list. This means: + +- If your current IP is not on the allowlist, you will lose access and may see a "Timed Out" or "Connection refused" error when trying to connect via SSH. +- This is different from FTP, WAF, and database, where you must add entries to allow any access at all. + +> **Warning:** +> If you add an SSH allowlist entry, make sure to include your own IP address! Otherwise, you may lock yourself out of your server. 
+ +## Example: Whitelisting your IP for SSH + +To allow your current IP address to access SSH, use the following command (replace `1.2.3.4` with your actual IP): + +``` +hypernode-systemctl whitelist add --description "My office IP" ssh 1.2.3.4 +``` + +You can add multiple IPs if you need to allow access from several locations: + +``` +hypernode-systemctl whitelist add --description "Home" ssh 5.6.7.8 +hypernode-systemctl whitelist add --description "Colleague" ssh 9.10.11.12 +``` + +## Removing an IP from the SSH allowlist + +To remove an IP from the SSH allowlist: + +``` +hypernode-systemctl whitelist remove ssh 1.2.3.4 +``` + +If you remove all entries from the SSH allowlist, SSH will again be open to the entire internet. + +## Troubleshooting: Locked out after adding an SSH allowlist entry + +If you are locked out after adding an SSH allowlist entry (for example, you see a "Timed Out" error), you will need to: + +- Use the Hypernode control panel to add your IP to the SSH allowlist. From 484571765dc12b211c74a3d0c687ec0f281087b9 Mon Sep 17 00:00:00 2001 From: Jonathan Visser Date: Mon, 21 Jul 2025 14:54:13 +0200 Subject: [PATCH 2/2] Add control panel flow to the SSH allowlist document --- docs/best-practices/firewall/ssh-allowlist.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/best-practices/firewall/ssh-allowlist.md b/docs/best-practices/firewall/ssh-allowlist.md index 97717099..2ec21bd7 100644 --- a/docs/best-practices/firewall/ssh-allowlist.md +++ b/docs/best-practices/firewall/ssh-allowlist.md 
@@ -25,6 +25,21 @@ As soon as you add one or more entries to the SSH allowlist, the firewall will i > **Warning:** > If you add an SSH allowlist entry, make sure to include your own IP address! Otherwise, you may lock yourself out of your server. +## Adding IP Addresses to the SSH allowlist via the control panel + +You can also manage SSH allowlist entries using the Hypernode control panel. Follow these steps to whitelist an IP address for SSH: + +- Go to the [control panel](https://my.hypernode.com) +- Log in with your credentials +- Once logged in, select the Hypernode you wish to configure +- Click on **Allowlist** from the menu +- Select **Rule type** and choose **SSH** from the dropdown +- Enter the IP address you want to add to the allowlist +- Provide a descriptive name for the entry, for example **Office SSH**. Use descriptive names to help identify their purpose in the future. +- Click on **Save** to apply the changes + +Once you add one or more SSH allowlist entries, SSH access will be restricted to only the IP addresses on the list. Make sure to add your own IP address to avoid being locked out. + ## Example: Whitelisting your IP for SSH To allow your current IP address to access SSH, use the following command (replace `1.2.3.4` with your actual IP):
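Review bot: In docs/best-practices/firewall.md the new toctree uses `glob:` with `firewall/*`, which orders entries alphabetically, so the ForusP page is listed first and the SSH page last. The SSH page carries the lockout warning and the note that SSH is open by default, so it is the one readers most need to find. I would list the three documents explicitly in the intended order. This hunk also removes the only introductory sentence, leaving a bare heading above the table of contents. A single line saying what the allowlists cover, and that SSH behaves differently from FTP, WAF and database, would help.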
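Review bot: In docs/best-practices/firewall/allowing-forusp-to-the-firewall.md the front matter spells the scanner "FocusP" in both `description` and `title`, while the heading and body use "ForusP"; one of the two is wrong and should be made consistent before merge. The moved text also keeps "anyissues" and "Go to to my.hypernode.com" from the old page, and the H1 says "whitelist" where the sections below it say "allowlist". Since the page permanently exempts three third-party addresses from WAF filtering, consider adding the matching `hypernode-systemctl whitelist remove waf <ip>` line for when the scans are finished.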
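Review bot: In docs/best-practices/firewall/ftp-waf-database-allowlist.md the example under "Adding an IP with a description" uses `--description "Office SSH access"` with the type `ftp`, so the description contradicts the rule it labels. Use an FTP description here. The page also lists `ssh` as a supported type and says the command manages SSH entries, but does not mention that the first SSH entry blocks every other address. A reader who copies the `add` syntax with `ssh` from this page can lock themselves out, so please add a short pointer to ssh-allowlist.md next to the "Supported types" list. Minor: "whitelist an IP addresses" in the control panel section should be singular.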
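Review bot: In docs/best-practices/firewall/ssh-allowlist.md (patch 1/2) the sentence "If you remove all entries from the SSH allowlist, SSH will again be open to the entire internet." is plain text at the end of the "Removing an IP" section, while the lockout case gets a `> **Warning:**` block. Removing the last entry silently reopens SSH, so it deserves the same treatment, together with a hint to check the remaining entries with `hypernode-systemctl whitelist get --type ssh` before removing one. The Troubleshooting section ends with "you will need to:" followed by a single bullet; either write it as one sentence or add the other steps that were intended.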
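Review bot: In patch 2/2 the reminder "Make sure to add your own IP address to avoid being locked out" comes after the "Click on **Save**" step of the new control panel section, which is too late for a reader following the list top to bottom. Move it above the steps, or word the "Enter the IP address" step so that the first entry saved is the reader's own address. The new section also says "whitelist an IP address for SSH" in the lead sentence and "allowlist" in the steps; pick one term. Its closing paragraph repeats the Warning block directly above the section and could be shortened to the reminder alone.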