Status: Open
Labels: help wanted, infrastructure, question, security, urgent, wontfix
P.S. Must be an ACM member (since server access is involved) or must have made significant contributions and built a good rapport with the mentors to help set it up before the SU elections.
Description:
Currently, the system has several security gaps that could be misused:
- No Proper Rate Limiting Strategy
  - Should rate limiting be applied per API endpoint, globally at the server level, or both?
  - Without rate limiting, attackers could launch brute-force attacks or abuse the API (e.g., repeatedly hitting resource-intensive endpoints), leading to service degradation or downtime.
- Cloudflare Tunneling Not Configured for SSH
  - The server currently accepts direct requests without using Cloudflare Tunneling.
  - This lets attackers bypass Cloudflare's protection on ports such as 22, target the server directly, and potentially launch DDoS attacks, scan for open ports, or exploit vulnerabilities.
- Droplet Security
  - Droplet access is not restricted to Cloudflare IP ranges or a secure VPN tunnel, increasing exposure to direct attacks.
- Publicly Exposed Server IP
  - The current server IP is publicly known, making it a target for direct attacks that bypass any firewall or WAF configured at Cloudflare's edge; the IP needs to be changed.
Proposed Solution:
- Rate Limiting:
  - Implement both global and per-endpoint rate limiting.
  - Apply stricter limits to sensitive routes such as login and signup, and to heavy endpoints such as contributions.
- Cloudflare Tunneling:
  - Route SSH traffic through Cloudflare Tunnel for secure SSH access.
  - Disable any direct public access to the server.
  - Disable password-based login and enforce key-based authentication only.
- Secure Droplet Access:
  - Restrict access to Cloudflare IPs only.
- Change and Protect Server IP:
  - Rotate the server's public IP to invalidate any previously exposed addresses.
  - Update firewall rules to ensure only Cloudflare traffic reaches the application.
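One way to realise the rate-limiting proposal above (a global per-client budget plus stricter budgets for login, signup and contributions), as an added example that is not the project's code; the route names, limits and client address are illustrative placeholders:

```python
# Added example, not the project's code: a global per-client budget plus stricter
# per-route budgets, as the issue proposes. Route names and numbers are illustrative.
import time
from collections import defaultdict, deque

GLOBAL_LIMIT = (100, 60)  # any client: at most 100 requests per 60 s across all routes
ROUTE_LIMITS = {"/login": (5, 60), "/signup": (3, 60), "/contributions": (10, 60)}

class SlidingWindowLimiter:
    """Keeps request timestamps per key; rejects once `limit` hits fall inside `window`."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:  # evict timestamps that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

class LayeredLimiter:
    """Global check first, then the per-route check; a request must pass both."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.global_limiter = SlidingWindowLimiter(*GLOBAL_LIMIT)
        self.route_limiters = {r: SlidingWindowLimiter(*lim) for r, lim in ROUTE_LIMITS.items()}

    def check(self, client_ip, route):
        """Return (allowed, reason); reason is 'global', 'route' or 'ok'."""
        now = self.clock()
        if not self.global_limiter.allow(client_ip, now):
            return False, "global"
        route_limiter = self.route_limiters.get(route)
        # A route-blocked request still burns global budget: hammering /login is abuse too.
        if route_limiter and not route_limiter.allow((client_ip, route), now):
            return False, "route"
        return True, "ok"

def demo():
    """Constructed traffic from one client: a login burst, then a flood of a cheap route."""
    now = [0.0]  # hand-advanced fake clock so the result is deterministic
    limiter = LayeredLimiter(clock=lambda: now[0])
    ip = "203.0.113.7"  # RFC 5737 documentation address, not a real host
    login = [limiter.check(ip, "/login")[1] for _ in range(7)]  # 5 'ok', then 2 'route'
    now[0] += 61  # the 60 s window expires, both budgets reset
    flood = [limiter.check(ip, "/health")[1] for _ in range(101)]  # 100 'ok', then 1 'global'
    return login, flood
```

In a real deployment the `hits` store would live in a shared cache so every application instance enforces the same budgets, and the key should be derived from the client address Cloudflare forwards rather than the edge's own IP.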