Suggestions on Firewall settings on CENTOS 5.6 64-bit
CentOS 5.6 - 64-bit
Apache web server with MySQL
The web application and MySQL servers are installed on different servers for load sharing; they are connected together and are in the same data center.
Below is the current firewall configuration. I would appreciate it if you could tell me whether these settings are sufficient to ensure my servers are secure.
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Thanks,
Avinash
9 Replies
@hoopycat:
Anyway, from the looks of things, you're allowing mDNS as well as FTP. Both of those are not generally things you'd want to run on a remote server. Internet Printing Protocol is also of limited utility on a public cloud.
I hope removing FTP, IPP and mDNS won't disturb access to the website?
Thanks.
@hoopycat:
No, firewalls are not sufficient to ensure a system is secure. If anything is going to get you, it's probably going to be coming in via port 80.
Anyway, from the looks of things, you're allowing mDNS as well as FTP. Both of those are not generally things you'd want to run on a remote server. Internet Printing Protocol is also of limited utility on a public cloud. Those are the three rules I'd probably remove from the RH-Firewall-1-INPUT chain.
@vonskippy:
CentOS 5.8 has been out since March 2012; I'd worry as much about keeping your security patches up to date as about pruning your IPTABLES.
@Avinash.Rao:
Even SSL is configured to work through port 80.
Wait what? Why would HTTPS be on anything but port 443?
@mnordhoff:
@Avinash.Rao: Even SSL is configured to work through port 80.
Wait what? Why would HTTPS be on anything but port 443?
Is there anything that I need to do?
Thanks for your time.
@hoopycat:
mDNS and IPP are not used for web hosting and are mostly "LAN" protocols used within controlled environments. FTP is also not generally used for web hosting, although it is a legacy protocol used for file transfer in many places it shouldn't be.
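As an added example (not part of this thread), a small Python audit that parses `iptables -L` text such as the ruleset posted above and flags every ACCEPT rule whose destination port is not on an allowlist. The sample chain is constructed from the post, and the allowlist of ssh, http and https is an assumption that follows the replies' advice to drop the mDNS, IPP and FTP rules.

```python
import re

# Constructed sample: the RH-Firewall-1-INPUT chain as posted in the thread,
# re-typed in the column layout that `iptables -L` prints (not a live capture).
SAMPLE_CHAIN = """\
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
"""

# Assumed allowlist: the only services a public web host here has a reason to
# accept from anywhere. Anything else that is opened gets reported for review.
ALLOWED_SERVICES = {"ssh", "http", "https"}

# target proto opt source destination [match options...]
RULE_RE = re.compile(r"^(?P<target>\w+)\s+(?P<proto>\w+)\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$")
DPT_RE = re.compile(r"dpt:(\S+)")

def parse_chain(text):
    """Return (target, proto, source, destination, dport-or-None) tuples from `iptables -L` output."""
    rules = []
    for line in text.splitlines():
        # Skip the chain header, the column header and blank lines.
        if line.startswith(("Chain", "target")) or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        dpt = DPT_RE.search(m.group("extra"))
        rules.append((m.group("target"), m.group("proto"), m.group("src"),
                      m.group("dst"), dpt.group(1) if dpt else None))
    return rules

def audit(text, allowed=ALLOWED_SERVICES):
    """Return ACCEPT rules that open a destination port not on the allowlist."""
    return [r for r in parse_chain(text)
            if r[0] == "ACCEPT" and r[4] is not None and r[4] not in allowed]

if __name__ == "__main__":
    for target, proto, src, dst, dpt in audit(SAMPLE_CHAIN):
        print(f"review: {target} {proto} from {src} to {dst} dpt:{dpt}")
```

Run against the posted chain it reports the two ipp rules, the mdns rule and the ftp rule, which are exactly the four entries the replies suggest removing.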