
Does your cloud server need a firewall? – CloudSavvy IT



Firewall illustration (Shutterstock / Anatolir)

A firewall is a networking tool that runs on your server and prevents third parties from reaching certain ports. That makes it a useful security tool for blocking attackers from accessing processes they should not be able to touch. Does your server need one?

Open only the ports you need, firewall the rest

The services you run on your server connect to the outside world through ports. Each port has a number and the service listens for connections on that port number. This is not always a security risk, as you often have to have open ports for users to access your service.

Ports 80 and 443 are the default ports for HTTP and HTTPS. If you are running a web server, these must be open. Port 22 is likely to be open on any new Linux installation, as it is the default SSH port. You can close this port, but you will then have to move SSH to another port (which is a good idea anyway).

Without a firewall in place, any service you start can accept connections on whatever port it listens on by default. It is best to have rules defined that prevent this, so that nothing unexpected on your system is reachable. This is exactly what a firewall does: it defines the rules for how processes on your server can talk to the outside world.

To check which ports are currently open on your system, you can run:

sudo netstat -plnt

Or, if you want more concise output:

sudo netstat -plnt | grep "LISTEN" | awk '{print $4 "\t" $7}'

These commands list each open port along with the process that is using it. netstat only shows the PID and program name of the process, so if you need the full path you must look the PID up with the ps command. If you need to scan ports without access to the server, you can use nmap from the client side.
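The netstat listing above tells you which ports are open, but not which of them are actually reachable from outside: a service bound to 127.0.0.1 is only visible on the machine itself, while one bound to 0.0.0.0 or :: answers on every interface. The following script is an added example (not from the article) that parses `netstat -plnt` output and separates loopback-only listeners from publicly bound ones; the netstat output it runs on is a constructed sample, and the port numbers and program names in it are made up for illustration.

```shell
#!/bin/sh
# Added example: classify listening sockets from `netstat -plnt` by bind scope.
# Constructed sample output in netstat's column layout (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1044/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1190/nginx: master
tcp6       0      0 :::443                  :::*                    LISTEN      1190/nginx: master
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      1302/redis-server'

# Reads `netstat -plnt` output on stdin and prints one "port scope program" line
# per LISTEN socket. scope is "local" for loopback binds and "public" otherwise.
classify_listeners() {
    awk '$6 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        # everything before the final ":" is the bound address (handles ":::443" too)
        host = substr(addr, 1, length(addr) - length(port) - 1)
        scope = (host == "127.0.0.1" || host == "::1") ? "local" : "public"
        prog = $7
        sub(/^[0-9]+\//, "", prog)   # strip the leading "PID/"
        sub(/:$/, "", prog)          # strip a trailing ":" as in "nginx: master"
        print port, scope, prog
    }'
}

# Prints only the ports bound on all interfaces, sorted numerically. These are the
# ports an attacker can reach unless a firewall rule drops the traffic.
exposed_ports() {
    classify_listeners | awk '$2 == "public" { print $1 }' | sort -n
}

# Audit the running host (needs root for the -p column to show process names).
audit_live() {
    sudo netstat -plnt | exposed_ports
}

# Run on the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_ports
```

Compare the printed list against the ports you intend to serve; anything else (6379 in the sample, a Redis instance listening on every interface) is a candidate for a firewall rule or for rebinding the service to a private address. Note that `ss -plnt` has a different column layout, so this parser is for netstat output only.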

Everything else that is not specifically used to host a service should be closed with a firewall.

If everything running on your system is meant to be open, you may not need a firewall. But without one, an unused port can easily become open through a new process you install, so you would have to check that every new service which does not need to be reachable is blocked.

Do not run your services on public IP addresses in the first place

Rather than making services available to everyone, lock connections down to your virtual private cloud.

A firewall is an excellent security tool, but some services should not be reachable from the whole internet at all. Any port that is open to the world leaves that service exposed to brute-force attacks and other nasty problems. You can prevent this by restricting connections to your virtual private cloud.

Databases are the prime example of this. A database like MySQL must have an open port for administrative connections. However, if the only thing talking to the database is your web server (and you, when performing maintenance), you should keep MySQL private and only let it talk to the web server. If you need to access it, you can SSH to the web server and access the rest of the network from there.

How to configure a firewall

If you use a managed hosting service such as Amazon Web Services or DigitalOcean, your provider may offer a firewall that you can manage from a web interface. If this is an option, you should configure your firewall that way.

AWS in particular forces you to use their firewall, which is managed through security groups. Ports are all closed by default (save for port 22), so you have to open them manually from their interface. You can edit the security groups of every running instance from the EC2 Management Console and change the inbound rules.


AWS allows you to specify the source of the rule, so you can, for example, lock SSH to only your personal IP address, or make the connection between your database server and web server private.


If you use another provider such as Linode, or regular hosting, you must configure the firewall yourself. The easiest way to do this is with the iptables tool.
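The two sections above (keeping MySQL private to the web server, and configuring iptables yourself) come together in one ruleset: default-deny inbound, allow only the web ports to the world, allow SSH from a single administrative address, and allow the database port only from the web server's private address. The script below is an added example, not code from the article; the addresses and the 3306 database port are assumed placeholder values, and it prints the rules instead of applying them unless DRY_RUN is set to 0.

```shell
#!/bin/sh
# Added example: a default-deny iptables INPUT ruleset for a web server that also
# hosts MySQL for exactly one private-network client. All values below are assumed
# placeholders; override them through the environment.
WEB_SERVER_IP="${WEB_SERVER_IP:-10.0.0.5}"   # private address of the only MySQL client
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"         # the one address allowed to reach SSH
SSH_PORT="${SSH_PORT:-22}"
DB_PORT="${DB_PORT:-3306}"
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print the rules, 0 = run them (needs root)

# Emits the ruleset, one iptables command per line, in the order it must run.
# The DROP policy comes last so the conntrack rule is in place before the lockdown.
firewall_rules() {
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ${SSH_PORT} -s ${ADMIN_IP}/32 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport ${DB_PORT} -s ${WEB_SERVER_IP}/32 -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
iptables -P INPUT DROP
EOF
}

# Sanity check before applying: succeeds only if the ports opened to any source
# (rules with --dport but no -s restriction) are exactly the expected list, e.g. "80 443".
check_public_ports() {
    expected="$1"
    actual=$(firewall_rules | awk '/--dport/ && !/-s / {
        for (i = 1; i <= NF; i++) if ($i == "--dport") printf "%s ", $(i + 1)
    }')
    [ "$actual" = "$expected " ]
}

# Prints the rules in dry-run mode; otherwise executes them line by line.
apply_rules() {
    if [ "$DRY_RUN" = "1" ]; then
        firewall_rules
    else
        firewall_rules | while IFS= read -r cmd; do sh -c "$cmd"; done
    fi
}

check_public_ports "80 443" || { echo "unexpected public ports, refusing to apply" >&2; exit 1; }
apply_rules
```

Run it once in dry-run mode and read the output, then apply it from a session you can recover if the SSH rule is wrong (a provider console or a second session that the ESTABLISHED rule keeps alive). Rules loaded this way do not survive a reboot; save them with iptables-save or your distribution's persistence package. Everything not listed, including the database port from any address other than the web server, is dropped and logged with the fw-drop: prefix, which is the line to look for in the kernel log when a service stops being reachable.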

If you are running a Windows server, you need to configure the aptly named Windows Firewall, which you can do from the Windows Management Console or with netsh.
