Move VCN lockdown to final step (after verifying everything works)
This commit is contained in:
parent
ba3381392e
commit
b094050fa4
@ -91,19 +91,7 @@ tailscale status
|
|||||||
|
|
||||||
**From now on, connect via Tailscale:** `ssh ubuntu@clawdbot` (or use the Tailscale IP).
|
**From now on, connect via Tailscale:** `ssh ubuntu@clawdbot` (or use the Tailscale IP).
|
||||||
|
|
||||||
## 5) Lock Down VCN Security
|
## 5) Install Homebrew (ARM)
|
||||||
|
|
||||||
Now that Tailscale is running, lock down the VCN to block all traffic except Tailscale. OCI's Virtual Cloud Network acts as a firewall at the network edge — traffic is blocked before it reaches your instance.
|
|
||||||
|
|
||||||
1. Go to **Networking → Virtual Cloud Networks** in the OCI Console
|
|
||||||
2. Click your VCN → **Security Lists** → Default Security List
|
|
||||||
3. **Remove** all ingress rules except:
|
|
||||||
- `0.0.0.0/0 UDP 41641` (Tailscale)
|
|
||||||
4. Keep default egress rules (allow all outbound)
|
|
||||||
|
|
||||||
This blocks SSH on port 22, HTTP, HTTPS, and everything else at the network edge. You'll only be able to connect via Tailscale from now on.
|
|
||||||
|
|
||||||
## 6) Install Homebrew (ARM)
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
|
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
|
||||||
@ -118,7 +106,7 @@ source ~/.bashrc
|
|||||||
brew install gcc
|
brew install gcc
|
||||||
```
|
```
|
||||||
|
|
||||||
## 7) Install Clawdbot
|
## 6) Install Clawdbot
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
curl -fsSL https://clawd.bot/install.sh | bash
|
curl -fsSL https://clawd.bot/install.sh | bash
|
||||||
@ -127,7 +115,7 @@ source ~/.bashrc
|
|||||||
|
|
||||||
When prompted "How do you want to hatch your bot?", select **"Do this later"**.
|
When prompted "How do you want to hatch your bot?", select **"Do this later"**.
|
||||||
|
|
||||||
## 8) Configure Gateway with Tailscale Serve
|
## 7) Configure Gateway with Tailscale Serve
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
clawdbot config set gateway.bind loopback
|
clawdbot config set gateway.bind loopback
|
||||||
@ -143,7 +131,7 @@ This configures:
|
|||||||
- Tailscale Serve provides HTTPS and handles external routing
|
- Tailscale Serve provides HTTPS and handles external routing
|
||||||
- Authentication via Tailscale identity headers (no tokens needed)
|
- Authentication via Tailscale identity headers (no tokens needed)
|
||||||
|
|
||||||
## 9) Verify
|
## 8) Verify
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Check version
|
# Check version
|
||||||
@ -159,6 +147,18 @@ tailscale serve status
|
|||||||
curl http://localhost:18789
|
curl http://localhost:18789
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## 9) Lock Down VCN Security
|
||||||
|
|
||||||
|
Now that everything is working, lock down the VCN to block all traffic except Tailscale. OCI's Virtual Cloud Network acts as a firewall at the network edge — traffic is blocked before it reaches your instance.
|
||||||
|
|
||||||
|
1. Go to **Networking → Virtual Cloud Networks** in the OCI Console
|
||||||
|
2. Click your VCN → **Security Lists** → Default Security List
|
||||||
|
3. **Remove** all ingress rules except:
|
||||||
|
- `0.0.0.0/0 UDP 41641` (Tailscale)
|
||||||
|
4. Keep default egress rules (allow all outbound)
|
||||||
|
|
||||||
|
This blocks SSH on port 22, HTTP, HTTPS, and everything else at the network edge. From now on, you can only connect via Tailscale.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## Access the Control UI
|
## Access the Control UI
|
||||||
@ -180,7 +180,7 @@ No SSH tunnel needed. Tailscale provides:
|
|||||||
|
|
||||||
## Security: Why VCN + Tailscale Is Enough
|
## Security: Why VCN + Tailscale Is Enough
|
||||||
|
|
||||||
With the VCN configured as above (only UDP 41641 open), you have **defense in depth** that makes traditional VPS hardening redundant.
|
With the VCN locked down (only UDP 41641 open), you have **defense in depth** that makes traditional VPS hardening redundant.
|
||||||
|
|
||||||
**How it works:** The VCN blocks traffic at the network edge — before it reaches your instance. Combined with Tailscale SSH (which bypasses sshd entirely), there's no attack surface for typical threats.
|
**How it works:** The VCN blocks traffic at the network edge — before it reaches your instance. Combined with Tailscale SSH (which bypasses sshd entirely), there's no attack surface for typical threats.
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user