Firewall rules for a webserver

Crazyfruitbat

Crazyfruitbat

Well-known member
I've been setting up my firewall rules but it's mainly to block out obvious bad folk that I don't want visiting (like Baidu constantly having 60 spiders crawling throughout the day..anyway).

I'm just wondering what do most people do for protecting a webserver using firewalls? I'm using iptables to config my firewalls. It's just a personal server only used for websites like XenForo so I don't need anything else really.

Any advice?
 
I lock down SSH and other secure access by IP (assuming you have a static ip on your home connection).

But otherwise, everything else I pretty much allow.
 
Slavik said:
I lock down SSH and other secure access by IP (assuming you have a static ip on your home connection).

But otherwise, everything else I pretty much allow.
Click to expand...
I use keys for SSH as locking it down any other way never seems to work.

Crazyfruitbat said:
I've been setting up my firewall rules but it's mainly to block out obvious bad folk that I don't want visiting (like Baidu constantly having 60 spiders crawling throughout the day..anyway).

I'm just wondering what do most people do for protecting a webserver using firewalls? I'm using iptables to config my firewalls. It's just a personal server only used for websites like XenForo so I don't need anything else really.

Any advice?
Click to expand...
There are some other steps that you could take that would give you minimal improvements and TBH are not worth it if you are running a personal server. In this situation so long as you have a firewall and keep your OS updated nothing should go wrong.
 
thanks guys,
Slavik said:
I lock down SSH and other secure access by IP (assuming you have a static ip on your home connection).

But otherwise, everything else I pretty much allow.
Click to expand...
cheers that's useful to know. I tried to lock down SSH with keys too and locked myself out more that one occassion, so I'm investigating why that isn't working for me. So for now I do it through iptables but for my area as my ip address does change (locking me out of various services too)

I also found a DoS attack iptable thing which I added in too - it's amazing that a general rule for this type of stuff doesn't exisit.

so far I have this simple list:
Code: 
Chain INPUT (policy ACCEPT)
target    prot opt source              destination       
DROP      all  --  180.76.0.0/16        anywhere         
ACCEPT    tcp  --  180.11.85.0/24      anywhere            tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:www limit: avg 25/min burst 100
 
Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       
 
Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination       
ACCEPT    tcp  --  anywhere            anywhere            tcp spt:ssh state ESTABLISHED


BTW did you guys get fail2ban to work?
 
You must log in or register to reply here.

Similar threads

⭐ Alex ⭐
Why exactly do we need a cookie notice for third party cookies?
Replies
1
Views
530
⭐ Alex ⭐
⭐ Alex ⭐
digitalpoint
Cloudflare optimizations for XenForo
7 8 9
Replies
175
Views
17K
digitalpoint
digitalpoint
AzzidReign
Ultimate DDoS Solution! Nice on the budget too!
2 3 4
Replies
75
Views
16K
eva2000
eva2000
DRE
KnownHost Server Configuration?
8 9 10
Replies
183
Views
21K
craigiri
craigiri
Top Bottom