Note on ufw for install / customize

Author: yanosz

_posts/2019-02-14-customize.md

@@ -42,11 +42,13 @@ swfSlidesRequired=false
 
 The SWF files are not needed by the HTML5 client.
 
-## Restrict access to specific ports
+## Secure your system -- restrict access to specific ports
 
-If your server is behind a firewall already -- such as running within your company or on an EC2 instance behind a Amazon Security Group -- and the firewall is enforcing the above restrictions, you don't a second firewall and can skip this section.
+Configuring IP firewalling is *essential for securing your installation*. By default, many services are reachable across the network. This allows BigBlueButton operate in clusters and private data center networks -- but it creates a significant attack surface, if your BigBlueButton server is publicly available on the internet.
 
-If your BigBlueButton server is publicly available on the internet, then, for increased security, you should restrict access only to the following needed ports:
+If your server is behind a firewall already -- such as running within your company or on an EC2 instance behind a Amazon Security Group -- and the firewall is enforcing the above restrictions, you don't need a second firewall and can skip this section.
+
+BigBlueButton comes with a [UFW](https://launchpad.net/ufw) based ruleset. It it can be applied on restart (c.f. [Automatically apply configuration changes on restart](#automatically-apply-configuration-changes-on-restart)) and restricts access only to the following needed ports:
 
 * TCP/IP port 22 for SSH
 * TCP/IP port 80 for HTTP
@@ -73,6 +75,8 @@ ufw --force enable
 
 These `ufw` firewall rules will be automatically re-applied on server reboot.
 
+Besides IP-based firewalling, web application firewalls such as [ModSecurity](https://modsecurity.org/)  provide additional security by checking requests to various web-based components.
+
 ## Extract the shared secret
 
 Any front-end to BigBlueButton needs two pieces of information: the hostname for the BigBlueButton server and its shared secret (for authenticating API calls).  To print out the hostname and shared secret for you BigBlueButton server, enter the command `bbb-conf --secret`:

_posts/2019-02-15-install.md

@@ -548,7 +548,7 @@ If this server is intended for production, you should
 
 * [Assign the server a hostname](#assign-a-hostname)
 * [Install a SSL certificate to support HTTPS](#configure-ssl-on-your-bigbluebutton-server)
-* [Restrict access to specific ports](/2.2/customize.html#restrict-access-to-specific-ports)
+* [Secure your system -- restrict access to specific ports](/2.2/customize.html#secure-your-system--restrict-access-to-specific-ports)
 * [Configure the server to work behind a firewall](/2.2/configure-firewall) (if needed)
 * [remove the API demos](/2.2/customize.html#remove-the-api-demos) (if you had them installed for testing)
 * [Set up a TURN server](/2.2/setup-turn-server.html) (if your server is on the Internet and you have users accessing it from behind restrictive firewalls)