VPSlink Forums > General > Lounge

#1  05-23-2007, 10:06 PM  Junior Member (Join Date: May 2007, Posts: 12)
Recommended Firewall and security settings for a Web Server

Hello guys,

I was wondering what the recommended firewall rules should be for a Web Server running on a VPS. Although I've been around with my site for a long time, this is the first time that I've been on an unmanaged Virtual Dedicated server, so I'm not too familiar with the recommended firewall rules that I should enforce on my server.

Basically I'll have these services on my server:

Apache running on port 80: A Social Network app and phpBB forums (plus other non-public php apps like OpenAds and phpMyAdmin)

Webmin running on port X1 (in the 10K range)

ssh2 running on port X2 (in the 10K range)

Sendmail on the default Sendmail port: I won't have an imap/pop3 service running on my server, 'cause all of my addresses are forwards to my gmail account.

Should the firewall rules simply be to close all ports for inbound traffic and open only ports 80, X1, X2 and the Sendmail port? Or do things need to be more sophisticated?

BTW.. other security measures I've taken:

- Don't allow login with "root" user directly on SSH
- Don't allow external access to the MySQL server

I was thinking of installing one of those "port scanning" alert systems, or something like "Bastille"... are those any good? Would they take much CPU/memory?

Thanks!!

George
#2  06-05-2007, 12:34 AM  Junior Member (Join Date: Jun 2007, Posts: 26)

Default INPUT policy DROP

- Allow inbound 80 from any
- Allow inbound 25 from any (if mail is being sent to your server)
- Allow inbound Webmin from your IP or Network (depending upon if you are static or dhcp)
- Allow inbound 22 from your IP or network

Default OUTPUT policy ACCEPT
... or ... DROP with allow established. Depends on what you need.

Default FORWARD policy DROP

The downside to locking 22 down is that if you screw up, you will lock yourself out. Another alternative is to simply run SSH on a different port than 22. It is security by obscurity, but it is better than having people bang on port 22 all day. You can also look into client authentication using PKI for the SSH.

Jerry

Last edited by Jerrycb; 06-05-2007 at 12:39 AM.
#3  06-07-2007, 11:23 PM  Junior Member (Join Date: Jun 2007, Posts: 26)

Here is an example:

# Generated by iptables-save v1.3.5 on Thu Jun 7 07:58:50 2007
*filter
:INPUT DROP [270:19504]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [646:64868]
# log all inbound traffic on venet0 (bandwidth accounting only)
-A INPUT -i venet0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
# loopback and replies to connections this host opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# SSH only from the admin address 1.2.3.4; SMTP and HTTPS from anywhere
-A INPUT -s 1.2.3.4 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# rate-limited ICMP; everything else falls through to the INPUT DROP policy
-A INPUT -p icmp -m limit --limit 5/sec -j ACCEPT
# bandwidth accounting on forwarded and outbound traffic
-A FORWARD -o venet0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A FORWARD -i venet0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A OUTPUT -o venet0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
COMMIT
# Completed on Thu Jun 7 07:58:50 2007
#4  06-07-2007, 11:35 PM  Junior Member (Join Date: Jun 2007, Posts: 26)

The bandwidth stuff above is for bandwidth monitoring. Not required obviously.

Jerry
#5  06-08-2007, 02:29 AM  Senior Member (Join Date: Aug 2006, Posts: 524)

Also consider moving SSH to another port, just make sure to edit the firewall to allow that port before you do!

Jerry:

Like this one... -A INPUT -p icmp -m limit --limit 5/sec -j ACCEPT
-- Kelvin Nicholson, http://www.helomx.com
#6  06-12-2007, 04:40 PM  Junior Member (Join Date: May 2007, Posts: 12)

Thanks for replying guys...

I'm not skilled enough yet to define things directly in iptables, so I've installed APF. Is that any good? Configuration was pretty straightforward and it seems to work fine.

Basically what I've done is open inbound traffic for: 25, 80, XXXXX (SSH) and YYYYY (Webmin), but I've made SSH and Webmin listen on a separate IP address that will not be linked to my domain name.

It seems to work fine, although I'd also like to close the SSH and Webmin ports on the main IP and leave them open only on that secondary IP. I think this can be done with APF but I haven't discovered how yet. Any ideas?

An additional layer I'd like to create would be to have Webmin and phpMyAdmin (on the separate IP) over an SSL connection; any ideas about how to do that, or whether it's possible at all?

Right now I'm not restricting outbound traffic, although that's pretty easy to do with APF. Would you recommend that? Is there any downside to restricting outbound traffic to only those ports that are allowed inbound?

Thanks...George

Last edited by ElGeorge; 06-12-2007 at 04:43 PM.
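The ruleset sketched in post #2 and Jerry's iptables-save dump, reworked to the setup George describes in post #6 (SSH and Webmin bound to a secondary IP that is not in DNS, outbound restricted to what the server itself needs), as an added shell example that is not code from anyone in this thread. It uses raw iptables-restore rather than APF; every address, port and file path is a placeholder chosen for the example (RFC 5737 documentation ranges), not anything from the original posts. The rollback timer is there for the lock-out risk Jerry raises: if the new rules cut off your SSH session, the previous ruleset is restored automatically.

```shell
#!/bin/sh
# Added example for this thread, not code posted in it. Builds an
# iptables-restore ruleset for the server described here (Apache and
# Sendmail on the public IP, SSH and Webmin on a secondary IP) and loads
# it behind a timer that restores the old rules if you lock yourself out.
#
# Placeholders (RFC 5737 documentation ranges); substitute your own values.
ADMIN_NET="203.0.113.0/24"   # network you administer from
MAIN_IP="198.51.100.10"      # public IP the domain points at: web and mail
MGMT_IP="198.51.100.11"      # secondary IP, not in DNS: SSH and Webmin only
SSH_PORT="10022"             # "X2" in the original post
WEBMIN_PORT="10000"          # "X1" in the original post
ROLLBACK_FILE="/root/iptables.rollback"

# Print the ruleset in iptables-save format. INPUT and OUTPUT both default
# to DROP. Replies to accepted inbound connections pass OUTPUT through the
# ESTABLISHED state, so outbound only needs what the box initiates itself.
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback, replies to our own connections, and malformed packets
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# public services: only on the main IP, from anywhere
-A INPUT -d $MAIN_IP -p tcp --dport 80 -j ACCEPT
-A INPUT -d $MAIN_IP -p tcp --dport 25 -j ACCEPT
# management: only on the secondary IP and only from the admin network.
# SSH/Webmin packets aimed at $MAIN_IP match nothing and hit the DROP policy.
-A INPUT -d $MGMT_IP -s $ADMIN_NET -p tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -d $MGMT_IP -s $ADMIN_NET -p tcp --dport $WEBMIN_PORT -j ACCEPT
# rate-limited ping; ICMP errors for live connections arrive as RELATED
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT
# outbound: DNS, mail delivery (the gmail forwards), package updates, NTP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
COMMIT
EOF
}

# Load new rules with an automatic rollback. If they lock you out, the old
# ruleset comes back after the given number of seconds. Once a NEW ssh login
# (not the session you ran this from) succeeds, cancel with: kill $ROLLBACK_PID
apply_with_rollback() {
    rules_file="$1"
    seconds="${2:-300}"
    iptables-save > "$ROLLBACK_FILE" || return 1
    iptables-restore < "$rules_file" || return 1
    # nohup so the timer survives the SIGHUP a dropped ssh session delivers
    nohup sh -c "sleep $seconds && iptables-restore < $ROLLBACK_FILE" >/dev/null 2>&1 &
    ROLLBACK_PID=$!
    echo "new rules active; rollback in ${seconds}s unless you run: kill $ROLLBACK_PID"
}

# Usage (as root):  sh firewall.sh show    - print the ruleset
#                   sh firewall.sh apply   - load it with a 5-minute safety net
case "$1" in
    show)  gen_rules ;;
    apply) gen_rules > /root/iptables.new && apply_with_rollback /root/iptables.new 300 ;;
esac
```

Run `show` first and read the output; in particular confirm the `--dport $SSH_PORT` line carries both `-d $MGMT_IP` and `-s $ADMIN_NET`, since a typo there is exactly the lock-out the timer guards against. If you administer from a DHCP address, widen `ADMIN_NET` to the provider's range rather than dropping the `-s` match entirely.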