Thread: Recommended Firewall and security settings for a Web Server

  1. #1
    Join Date
    May 2007
    Posts
    12

    Recommended Firewall and security settings for a Web Server

    Hello guys,

    I was wondering what should be the recommended firewall rules for a Web Server running on a VPS. Although I've been around with my site for a long time, this is the first time that I've been on an unmanaged Virtual Dedicated server, so I'm not too familiar with the recommended firewall rules that I should enforce on my server.

    Basically I'll have these services on my server:

    Apache running on port 80: A Social Network app and phpBB forums (plus other non-public php apps like OpenAds and phpMyAdmin)

    Webmin running on port X1 (in the 10K range)

    ssh2 running on port X2 (in the 10K range)

    Sendmail on the default Sendmail port: I won't have an imap/pop3 service running on my server, 'cause all of my addresses are forwards to my gmail account.

    Should the Firewall rules simply be: close all ports for inbound traffic and open only Ports 80, X1, X2 and the Sendmail port? Or do things need to be more sophisticated?

    BTW.. other security measures I've taken:

    - Don't allow login with "root" user directly on SSH
    - Don't allow external access to the MySQL server

    I was thinking of installing one of those "port scanning" alert systems, or something like "Bastille"... are those any good? Would they take much CPU/Memory?

    Thanks!!

    George

  2. #2
    Join Date
    Jun 2007
    Posts
    26


    Default INPUT policy DROP

    - Allow inbound 80 from any
    - Allow inbound 25 from any (if mail is being sent to your server)
    - Allow inbound Webmin from your IP or Network (depending upon if you are static or dhcp)
    - Allow inbound 22 from your IP or network

    Default OUTPUT policy ACCEPT
    ... or ... DROP with allow established. Depends on what you need.

    Default FORWARD policy DROP

    The downside to locking 22 down is that if you screw up, you will lock yourself out. Another alternative is to simply run SSH on a different port than 22. It is security by obscurity, but it is better than having people bang on port 22 all day. You can also look into client authentication using PKI for the SSH.

    Jerry
    Last edited by Jerrycb; 06-05-2007 at 01:39 AM.

  3. #3
    Join Date
    Jun 2007
    Posts
    26


    Here is an example:

    # Generated by iptables-save v1.3.5 on Thu Jun 7 07:58:50 2007
    *filter
    :INPUT DROP [270:19504]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [646:64868]
    # log every inbound packet on the VPS interface (bandwidth accounting only)
    -A INPUT -i venet0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
    -A INPUT -i lo -j ACCEPT
    # replies to connections the server itself initiated
    -A INPUT -m state --state ESTABLISHED -j ACCEPT
    # SSH only from one admin address (1.2.3.4 stands in for it)
    -A INPUT -s 1.2.3.4 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    # rate-limited ICMP so ping still works but cannot flood
    -A INPUT -p icmp -m limit --limit 5/sec -j ACCEPT
    -A FORWARD -o venet0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
    -A FORWARD -i venet0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
    -A OUTPUT -o venet0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
    COMMIT
    # Completed on Thu Jun 7 07:58:50 2007

  4. #4
    Join Date
    Jun 2007
    Posts
    26


    The bandwidth stuff above is for bandwidth monitoring. Not required obviously.

    Jerry

  5. #5


    Also consider moving SSH to another port, just make sure to edit the firewall to allow that port before you do!

    Jerry:

    Like this one... -A INPUT -p icmp -m limit --limit 5/sec -j ACCEPT
    Kelvin Nicholson
    http://www.helomx.com - Blacklist and availability monitoring built from the ground up for outsourced IT providers.

  6. #6
    Join Date
    May 2007
    Posts
    12


    Thanks for replying guys...

    I'm not that skilled yet to define things directly in IPTables, so I've installed APF. Is that any good? Configuration was pretty straightforward and it seems to work fine.

    Basically what I've done is open inbound traffic for: 25, 80, XXXXX(SSH) and YYYYY(Webmin), but I've made SSH and Webmin to listen on a separate IP Address that will not be linked to my domain name.

    It seems to work fine although I'd like to also close SSH and Webmin ports on the main IP, and leave them open only on that secondary IP. I think this can be done with APF but I still haven't discovered yet how to do it. Any ideas?

    An additional layer I'd like to create would be to have Webmin and phpMyAdmin (on the separate IP) on a SSL connection, any ideas about how to do that or if possible at all?

    Right now I'm not restricting outbound traffic, although that's pretty easy to do with APF. Would you recommend that? Is there any downside to restricting outbound traffic to only those ports that are allowed inbound?

    Thanks...George
    Last edited by ElGeorge; 06-12-2007 at 05:43 PM.
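The two open questions in the post above (admin ports only on the secondary IP, and whether to restrict outbound) can both be answered with plain iptables rather than APF. The script below is an added example, not from anyone in this thread: it generates an iptables-restore ruleset that matches on destination address (-d) so SSH and Webmin are accepted only on the secondary IP and only from one admin IP, and it shows the minimum outbound allowances (DNS, SMTP, HTTP/HTTPS) a mail-forwarding web server needs once OUTPUT defaults to DROP. All addresses and ports are constructed placeholders; gen_rules and check_rules are hypothetical helper names.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a VPS with a public IP
# (web + mail) and a secondary IP that carries only SSH and Webmin.
# Usage: gen_rules PUBLIC_IP SECONDARY_IP ADMIN_IP SSH_PORT WEBMIN_PORT > rules.v4
gen_rules() {
    [ $# -eq 5 ] || return 1
    pub=$1; sec=$2; admin=$3; sshp=$4; webp=$5
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback, plus replies to connections already accepted or initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# public services: only on the address the domain name points at
-A INPUT -d $pub -p tcp --dport 80 -j ACCEPT
-A INPUT -d $pub -p tcp --dport 25 -j ACCEPT
# admin services: only on the secondary address, only from the admin IP
-A INPUT -d $sec -s $admin -p tcp --dport $sshp -j ACCEPT
-A INPUT -d $sec -s $admin -p tcp --dport $webp -j ACCEPT
# rate-limited ICMP so ping works but cannot flood
-A INPUT -p icmp -m limit --limit 5/sec -j ACCEPT
# outbound: replies, DNS, SMTP (sendmail forwarding to gmail), HTTP/HTTPS
# for package updates. Anything else is logged and dropped by the policy.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUT_DROP:" --log-level 7
COMMIT
EOF
}

# Lock-out guard for an unmanaged box: refuse to load a ruleset file that has
# no ACCEPT for the SSH port you will reconnect on.
# Usage: check_rules SSH_PORT RULES_FILE && iptables-restore < RULES_FILE
check_rules() {
    grep -q -- "--dport $1 -j ACCEPT" "$2"
}
```

Binding the daemons themselves to the secondary address (ListenAddress in sshd_config, bind= in Webmin's miniserv.conf) removes the listener from the main IP altogether; the -d rule then only limits who can reach it.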
