Local Firewall Management

Hi Guys,

Another quick question – how are local firewall managed? iptables? The web interface?

Are fresh images blocked from the get go?

My concern is having a box spin up that's immediately susceptible to security threats.

11 Replies

The firewall is your responsibility, using iptables.

And my recollection is that the provided images don't run any services by default, hence nothing to attack. sshd might be an exception.

Right, this isn't Windows. I just built a new node to check and I have two things running: ssh and dhcp. Don't worry about not having a firewall. These are recent distributions.

@Vance:

And my recollection is that the provided images don't run any services by default, hence nothing to attack. sshd might be an exception.

Thanks Vance, that's EXACTLY what I wanted to know. :D

-M

I use a mix of apf firewall and tcp wrappers to limit ports and IP addresses allowed to do whatever and what not.

I'm sure that I could really dig deep and setup a whole mess of iptables, but apf makes it easy and wrappers are all ready pretty easy.

You should lock down SSH as soon as you can (disable root logins and password auth, install DenyHosts/fail2ban/etc., move it to a different port, etc.) just to be safe, but there's little chance of your server getting broken into any time soon unless you have a really horrible root password.

@mnordhoff:

You should lock down SSH as soon as you can (disable root logins and password auth, install DenyHosts/fail2ban/etc., move it to a different port, etc.) …

For "etc.", I'd recommend firewalling the SSH port (regardless whether it's the default one or a custom port). Even if your have a dynamic IP you can specify a network range, e.g., 192.168.0.0/24, from which to allow connections, and deny access to the vast majority of the Internet.

@sleddog:

@mnordhoff:

You should lock down SSH as soon as you can (disable root logins and password auth, install DenyHosts/fail2ban/etc., move it to a different port, etc.) …

For "etc.", I'd recommend firewalling the SSH port (regardless whether it's the default one or a custom port). Even if your have a dynamic IP you can specify a network range, e.g., 192.168.0.0/24, from which to allow connections, and deny access to the vast majority of the Internet.

Agreed. Personally, I'm also a fan of using public key authentication instead of standard passwords. Good to know there Lish in case of trouble. =D

@sleddog:

For "etc.", I'd recommend firewalling the SSH port (regardless whether it's the default one or a custom port). Even if your have a dynamic IP you can specify a network range, e.g., 192.168.0.0/24, from which to allow connections, and deny access to the vast majority of the Internet.

Whoops, forgot about that one. Good advice. :)

PermitRootLogin without-password

:) best line in sshd_config there is.

@freedomischaos:

PermitRootLogin without-password

:) best line in sshd_config there is.

Only if you need it. Otherwise, "PermitRootLogin no".

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct