
Firewall rules for a webserver

Discussion in 'Server Configuration and Hosting' started by Crazyfruitbat, Nov 15, 2011.

  1. Crazyfruitbat

    Crazyfruitbat Well-Known Member

    I've been setting up my firewall rules, but it's mainly to block out obvious bad folk that I don't want visiting (like Baidu constantly having 60 spiders crawling throughout the day... anyway).

    I'm just wondering what do most people do for protecting a webserver using firewalls? I'm using iptables to config my firewalls. It's just a personal server only used for websites like XenForo so I don't need anything else really.

    Any advice?
  2. Slavik

    Slavik XenForo Moderator Staff Member

    I lock down SSH and other secure access by IP (assuming you have a static ip on your home connection).

    But otherwise, everything else I pretty much allow.
  3. a legacy reborn

    a legacy reborn Well-Known Member

    I use keys for SSH as locking it down any other way never seems to work.

    There are some other steps that you could take that would give you minimal improvements and TBH are not worth it if you are running a personal server. In this situation so long as you have a firewall and keep your OS updated nothing should go wrong.
  4. Crazyfruitbat

    Crazyfruitbat Well-Known Member

    Thanks guys, cheers, that's useful to know. I tried to lock down SSH with keys too and locked myself out on more than one occasion, so I'm investigating why that isn't working for me. So for now I do it through iptables, but in my area my IP address does change (locking me out of various services too).

    I also found a DoS attack iptables thing which I added in too - it's amazing that a general rule for this type of stuff doesn't exist.

    So far I have this simple list:
    Chain INPUT (policy ACCEPT)
    target    prot opt source              destination       
    DROP      all  --        anywhere         
    ACCEPT    tcp  --      anywhere            tcp dpt:ssh state NEW,ESTABLISHED
    ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:www limit: avg 25/min burst 100
    Chain FORWARD (policy ACCEPT)
    target    prot opt source              destination       
    Chain OUTPUT (policy ACCEPT)
    target    prot opt source              destination       
    ACCEPT    tcp  --  anywhere            anywhere            tcp spt:ssh state ESTABLISHED 

    BTW did you guys get fail2ban to work?
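A hardened version of the ruleset in the post above, added here as an example rather than anything a poster supplied. It assumes a placeholder admin network ADMIN_NET (an RFC 5737 documentation range) and the conntrack, recent, multiport and hashlimit match modules, and it prints the iptables commands instead of running them so the list can be reviewed first:

```shell
# Added example, not from the thread: a default-deny INPUT ruleset for a
# personal web server, emitted as text so it can be reviewed before use.
# ADMIN_NET is an assumed placeholder (RFC 5737 documentation range).
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"

gen_rules() {
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback, and replies to connections the server itself opened
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH only from the admin network; 4+ new attempts in 60s from one source are dropped
iptables -A INPUT -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -m recent --set --name ssh
iptables -A INPUT -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name ssh -j DROP
iptables -A INPUT -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -j ACCEPT
# web: rate-limit NEW connections per source address, not with one global bucket
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name web --hashlimit-mode srcip --hashlimit-above 25/min --hashlimit-burst 100 -j DROP
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# log (rate-limited) whatever falls through to the DROP policy
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
EOF
}

# Sanity check on the generated text: the default-deny policy must be present,
# and no rule touching port 22 may be missing the -s source restriction.
rules_ok() {
    rules=$(gen_rules)
    echo "$rules" | grep -q '^iptables -P INPUT DROP$' || return 1
    echo "$rules" | grep '^iptables -A INPUT' | grep -- '--dport 22' \
        | grep -v -q -- "-s $ADMIN_NET" && return 1
    return 0
}
```

The post's `-m limit` rule is one global bucket, so a single noisy client can exhaust it for everyone, whereas hashlimit keeps a bucket per source address. Apply with `gen_rules | sudo sh` once the output looks right.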
