
Firewall rules for a webserver

Crazyfruitbat

Well-known member
#1
I've been setting up my firewall rules but it's mainly to block out obvious bad folk that I don't want visiting (like Baidu constantly having 60 spiders crawling throughout the day..anyway).

I'm just wondering what do most people do for protecting a webserver using firewalls? I'm using iptables to config my firewalls. It's just a personal server only used for websites like XenForo so I don't need anything else really.

Any advice?
 

Slavik

XenForo moderator
Staff member
#2
I lock down SSH and other secure access by IP (assuming you have a static ip on your home connection).

But otherwise, everything else I pretty much allow.
 

a legacy reborn

Well-known member
#3
I lock down SSH and other secure access by IP (assuming you have a static ip on your home connection).

But otherwise, everything else I pretty much allow.
I use keys for SSH as locking it down any other way never seems to work.

I've been setting up my firewall rules but it's mainly to block out obvious bad folk that I don't want visiting (like Baidu constantly having 60 spiders crawling throughout the day..anyway).

I'm just wondering what do most people do for protecting a webserver using firewalls? I'm using iptables to config my firewalls. It's just a personal server only used for websites like XenForo so I don't need anything else really.

Any advice?
There are some other steps that you could take that would give you minimal improvements and TBH are not worth it if you are running a personal server. In this situation so long as you have a firewall and keep your OS updated nothing should go wrong.
 

Crazyfruitbat

Well-known member
#4
thanks guys,
I lock down SSH and other secure access by IP (assuming you have a static ip on your home connection).

But otherwise, everything else I pretty much allow.
Cheers, that's useful to know. I tried to lock down SSH with keys too and locked myself out on more than one occasion, so I'm investigating why that isn't working for me. So for now I do it through iptables but for my area, as my IP address does change (locking me out of various services too).

I also found a DoS attack iptables thing which I added in too - it's amazing that a general rule for this type of stuff doesn't exist.

so far I have this simple list:
Code:
Chain INPUT (policy ACCEPT)
target    prot opt source              destination       
DROP      all  --  180.76.0.0/16        anywhere         
ACCEPT    tcp  --  180.11.85.0/24      anywhere            tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:www limit: avg 25/min burst 100
 
Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       
 
Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination       
ACCEPT    tcp  --  anywhere            anywhere            tcp spt:ssh state ESTABLISHED

BTW did you guys get fail2ban to work?
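
Added example (not part of any post in this thread): a Python check over the `iptables -L` listing from post #4 that flags ACCEPT rules which restrict nothing, because the chain policy is also ACCEPT and no later rule drops the packets they fail to match. The function names are assumptions for illustration, and treating any later DROP/REJECT in the chain as "something that could block" is a deliberate simplification.

```python
import re

# Listing copied from post #4 (output of `iptables -L`).
LISTING = """\
Chain INPUT (policy ACCEPT)
target    prot opt source              destination
DROP      all  --  180.76.0.0/16        anywhere
ACCEPT    tcp  --  180.11.85.0/24      anywhere            tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:www limit: avg 25/min burst 100

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination
ACCEPT    tcp  --  anywhere            anywhere            tcp spt:ssh state ESTABLISHED
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\w+)\)")
BLOCKING = {"DROP", "REJECT"}

def parse_chains(listing):
    """Return {chain: (policy, [(target, rule_text), ...])} in listing order."""
    chains, current = {}, None
    for line in listing.splitlines():
        line = line.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
        elif current and line and not line.startswith("target"):
            chains[current][1].append((line.split()[0], " ".join(line.split())))
    return chains

def ineffective_accepts(listing):
    """ACCEPT rules that filter nothing: packets that miss them (other source,
    over the rate limit) fall through to a policy that accepts them anyway."""
    findings = []
    for chain, (policy, rules) in parse_chains(listing).items():
        for i, (target, text) in enumerate(rules):
            later_block = any(t in BLOCKING for t, _ in rules[i + 1:])
            if target == "ACCEPT" and policy == "ACCEPT" and not later_block:
                findings.append((chain, i + 1, text))
    return findings

if __name__ == "__main__":
    for chain, num, text in ineffective_accepts(LISTING):
        print(f"{chain} rule {num} has no filtering effect: {text}")
```

On the posted listing this flags the SSH and www rules in INPUT and the SSH rule in OUTPUT; the DROP for 180.76.0.0/16 is the only rule that blocks anything. The flagged rules start filtering once the chain policy is DROP or an explicit DROP follows them.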