Secure my server without impacting my website?

Linode Staff

I would like to secure a server that I have already set up. If I follow your guide on Securing Your Server, will it interfere with the site I've been hosting on that Linode?

1 Reply

Hello,

If you follow that guide, it could interfere with your website, as it is written for a new installation; however, you can quickly correct this. The main thing to look out for is that when you enable a firewall, you will need to configure the correct rules to allow any services that you have running to get through. You can use iptables to do this. While it is not always the most intuitive way to set up a firewall, it is the most powerful and flexible way to do it, as you can configure rules at a very high level of granularity. For a more intuitive setup, you can use UFW on Debian/Ubuntu-based systems, or FirewallD on CentOS systems. Other options exist for other systems, but these are the most common. All of these applications are ultimately just frontends to iptables, but for basic rules they are typically much simpler to use.

For a good balance between security and usability, you should set your default policy to deny incoming connection attempts, while allowing outgoing connections to pass through:

Using iptables:

sudo iptables --policy INPUT DROP      # default for inbound packets that match no rule
sudo iptables --policy OUTPUT ACCEPT   # default for outbound packets

Using UFW:

sudo ufw default allow outgoing
sudo ufw default deny incoming

FirewallD seems to have these settings enabled by default, as the guide does not point out a best practice for the default policy. I can also confirm that the behaviors of a newly installed CentOS system align with this, once FirewallD has been enabled.

To allow your website through your firewall, you will need to configure rules:

Using iptables:

# accept new HTTP connections (and packets of already established ones) on TCP port 80
sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

If iptables is also configured to deny outgoing connections (it shouldn't be, following my instructions), then you will need to account for this as well:

# let the web server's replies (source port 80) back out
sudo iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

Using UFW:

sudo ufw allow 80/tcp

Using FirewallD:

sudo firewall-cmd --zone=public --add-port=80/tcp --permanent   # --permanent saves the rule; it is applied at the next --reload

You can repeat any of these commands for any other services you need to add, replacing '80' with whichever port number you are opening, and 'tcp' with the protocol you wish to open it for (TCP/UDP). Regardless of which tool you choose to do this with, remember to commit your changes when you finish:

Using iptables:

# iptables-save only prints the running rules; write them to the file your persistence
# tool restores at boot (path assumed for the iptables-persistent package on Debian/Ubuntu)
sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null

Using UFW:

sudo ufw reload

Using FirewallD:

sudo firewall-cmd --reload

I recommend reading through the guides I linked above before going through any of this, so that you can make sure you've covered any considerations that need to be taken into account. If you are not sure what services are running on your system, you can use the command:

sudo netstat -plunt   # -p process, -l listening, -u UDP, -n numeric, -t TCP

and it will show you all of the services on your system that are actively listening to a port, as well as which port(s) they are listening on.

I hope this helps you get up and running. Just let us know if you have any questions!

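As an added example (not part of the answer above, and not Linode's guide or tooling), here is a POSIX shell script that turns the list of listening sockets into a complete iptables-restore rule set, so the firewall opens exactly the ports your services use. It also builds in the safeguards you want before the INPUT policy becomes DROP: loopback and ESTABLISHED,RELATED traffic are accepted first, and the SSH port is allowed before any service rule, so the session you are working from survives the policy change. The `ss` output it parses is a constructed sample, the SSH port is assumed to be 22, and the `rules.v4` file name in the closing comment is an assumption.

```shell
#!/bin/sh
# Added example: derive an iptables-restore rule set from the sockets that are
# actually listening, so the firewall allows exactly the services you run.
# Assumptions: iproute2's `ss` (ss -Hlnut), SSH on port 22 unless told otherwise.

# Constructed sample of `ss -Hlnut` output (not captured from a real host):
# fields are Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS='tcp   LISTEN 0      128        0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0      511        0.0.0.0:80       0.0.0.0:*
tcp   LISTEN 0      511           [::]:80          [::]:*
tcp   LISTEN 0      511        0.0.0.0:443      0.0.0.0:*
tcp   LISTEN 0      80       127.0.0.1:3306     0.0.0.0:*
udp   UNCONN 0      0          0.0.0.0:1194     0.0.0.0:*'

# listening_services: read `ss -Hlnut` lines on stdin, print unique "proto port"
# pairs in first-seen order. Sockets bound only to loopback (MySQL on
# 127.0.0.1:3306 above) are skipped: they are unreachable from outside anyway,
# so they need no inbound rule.
listening_services() {
    awk '$1 ~ /^(tcp|udp)$/ {
        port = $5; sub(/.*:/, "", port)        # text after the last colon
        host = $5; sub(/:[^:]*$/, "", host)    # everything before it
        if (host ~ /^127\./ || host == "[::1]") next
        key = $1 " " port
        if (!seen[key]++) print key           # dedupe v4/v6 binds of one port
    }'
}

# gen_rules: read "proto port" pairs on stdin, write an iptables-restore file
# to stdout. Order matters: loopback, established traffic and SSH are accepted
# before the service rules, and the DROP policy applies only to what is left.
gen_rules() {
    ssh_port="${1:-22}"
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
    while read -r proto port; do
        # SSH already has its rule above; do not emit a duplicate
        if [ "$proto" = tcp ] && [ "$port" = "$ssh_port" ]; then continue; fi
        case "$proto" in
            tcp) printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT" ;;
            udp) printf '%s\n' "-A INPUT -p udp --dport $port -j ACCEPT" ;;
        esac
    done
    printf '%s\n' 'COMMIT'
}

# Dry run on the constructed sample. On a real host replace the printf with
# `ss -Hlnut`, review the list (anything you do not recognise should be
# stopped, not opened), save to rules.v4, and check it parses before loading:
#   sudo sh -c 'iptables-restore --test < rules.v4'
printf '%s\n' "$SAMPLE_SS" | listening_services | gen_rules 22
```

The generated file is in the format `iptables-restore` reads and `iptables-save` writes, so once you are happy with it you can load it with `iptables-restore` and keep it as the file your persistence tool restores at boot. Run it once with `--test` first: a typo in a rule file is far less painful to find before it replaces the running rule set.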