Secure my server without impacting my website?
I would like to secure a server that I have already set up. If I follow your guide on Securing Your Server, will it interfere with the site I've been hosting on that Linode?
1 Reply
Hello,
If you follow that guide, it could interfere with your website, as it is written for a new installation; however, you can quickly correct this. The main thing to look out for is that when you enable a firewall, you will need to configure the correct rules to allow any services that you have running to get through. You can use iptables to do this. While it is not always the most intuitive way to set up a firewall, it is the most powerful and flexible way to do it, as you can configure rules at a very high level of granularity. For a more intuitive setup, you can use UFW on Debian/Ubuntu-based systems, or FirewallD on CentOS systems. Other options exist for other systems, but these are the most common. All of these applications are ultimately just frontends to iptables, but for basic rules they are typically much simpler to use.
For a good balance between security and usability, you should set your default policy to deny incoming connection attempts, while allowing outgoing connections to pass through:
Using iptables:
sudo iptables --policy INPUT DROP
sudo iptables --policy OUTPUT ACCEPT
Using UFW:
sudo ufw default allow outgoing
sudo ufw default deny incoming
FirewallD seems to have these settings enabled by default, as the guide does not point out a best practice for the default policy. I can also confirm that the behaviors of a newly installed CentOS system align with this, once FirewallD has been enabled.
To allow your website through your firewall, you will need to configure rules:
Using iptables:
sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
If iptables is also configured to deny outgoing connections (it shouldn't be following my instructions), then you will need to account for this as well:
sudo iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
Using UFW:
sudo ufw allow 80/tcp
Using FirewallD:
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
You can repeat any of these commands for any other services you need to add, replacing '80' with whichever port number you are opening, and 'tcp' with the protocol you wish to open it for (TCP/UDP). Regardless of which tool you choose to do this with, remember to commit your changes when you finish:
Using iptables:
sudo iptables-save
Using UFW:
sudo ufw reload
Using FirewallD:
sudo firewall-cmd --reload
I recommend reading through the guides I linked above before going through any of this, so that you can make sure you've covered any considerations that need to be taken into account. If you are not sure what services are running on your system, you can use the command:
sudo netstat -plunt
and it will show you all of the services on your system that are actively listening to a port, as well as which port(s) they are listening on.
I hope this helps you get up and running. Just let us know if you have any questions!
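An added example, not part of the original question or answer: the script below ties the answer's steps together for a server that is already serving traffic. It parses the listening sockets (a constructed sample of `ss -Hltn` output stands in for a live run), drops anything bound only to loopback, and emits an iptables-restore ruleset in which loopback, established connections and SSH are accepted before the INPUT policy is set to DROP, so the whole ruleset can be applied atomically without cutting off the session you are working from. The SSH port (22), the sample ports (80, 443, 3306) and the output file path are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: build an iptables-restore ruleset for an already-running
# server. Sample socket listing and ports are constructed for illustration.

# Constructed sample of `ss -Hltn` output (one listening TCP socket per line).
# On a real host replace it with:  ss -Hltn
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*'

# listening_ports: read ss-style output on stdin and print the distinct TCP
# ports that listen on a non-loopback address, one per line, ascending.
# Loopback-only services (here MySQL on 3306) need no firewall rule.
listening_ports() {
  awk '$1 == "LISTEN" {
         addr = $4
         n = split(addr, parts, ":")
         port = parts[n]
         host = substr(addr, 1, length(addr) - length(port) - 1)
         if (host == "127.0.0.1" || host == "[::1]") next
         print port
       }' | sort -n -u
}

# build_ruleset SSH_PORT [PORT...]: emit an iptables-restore ruleset.
# Rule order matters: loopback, replies to our own connections and SSH are
# accepted first, so that the DROP policy on INPUT cannot lock us out or
# break outbound lookups and package updates.
build_ruleset() {
  local ssh_port="$1"; shift
  printf '*filter\n'
  printf ':INPUT DROP [0:0]\n'
  printf ':FORWARD DROP [0:0]\n'
  printf ':OUTPUT ACCEPT [0:0]\n'
  printf -- '-A INPUT -i lo -j ACCEPT\n'
  printf -- '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
  printf -- '-A INPUT -m conntrack --ctstate INVALID -j DROP\n'
  # SSH before anything else: this is the rule that keeps the session alive.
  printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$ssh_port"
  local p
  for p in "$@"; do
    [ "$p" = "$ssh_port" ] && continue   # already added above
    printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
  done
  printf 'COMMIT\n'
}

# Typical run (assumed path /tmp/rules.v4; the last two lines need root):
#   build_ruleset 22 $(ss -Hltn | listening_ports) > /tmp/rules.v4
#   sudo iptables-restore --test /tmp/rules.v4   # parse only, changes nothing
#   sudo iptables-restore /tmp/rules.v4          # apply the whole set at once
#   sudo sh -c 'iptables-save > /etc/iptables/rules.v4'   # persist for reboot
```

Review the generated file before applying it; `iptables-restore --test` checks syntax but cannot tell you that you forgot a port. Note that `iptables-save` alone only prints the live ruleset to standard output, so redirecting it into a file (and installing a package such as iptables-persistent to load that file at boot on Debian/Ubuntu) is what actually makes the rules survive a reboot.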