Linode Community Forums
Posted: Sun Jun 24, 2012 9:37 am by Avinash.Rao (Senior Member; joined Tue Apr 26, 2011 7:43 am; 59 posts)
Hello Everybody,

CentOS 5.6 - 64-bit
Apache web server with MySQL

The web application and MySQL servers are installed on different servers for load sharing, are connected together, and are in the same data center.

Below is the current firewall configuration. I would appreciate it if you could tell me whether these settings are sufficient to ensure my servers are secure.

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


Thanks,
Avinash


Posted: Sun Jun 24, 2012 10:57 am by hoopycat (Senior Member; joined Sat Aug 30, 2008 1:55 pm; 1739 posts; Rochester, New York)
No, firewalls are not sufficient to ensure a system is secure. If anything is going to get you, it's probably going to be coming in via port 80.

Anyway, from the looks of things, you're allowing Internet Printing Protocol as well as FTP. Both of those are not generally things you'd want to run on a remote server. mDNS is also of limited utility on a public cloud. Those are the three rules I'd probably remove from the RH-Firewall-1-INPUT chain.

_________________
Code:
/* TODO: need to add signature to posts */
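As an added example (not written by any poster in this thread), the following POSIX shell audit scans an `iptables -L` listing for ACCEPT rules on the three services hoopycat names (mDNS, IPP, FTP), so the check can be re-run after the rules are removed. The listing is a constructed sample copied from the first post; the service list also includes the numeric ports that `iptables -L -n` prints, which goes slightly beyond the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit iptables -L output for ACCEPT
# rules that expose services a public web/db host does not need.

# Constructed sample: the RH-Firewall-1-INPUT chain pasted in the first post.
SAMPLE_RULES='Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited'

# Service names as printed by `iptables -L`, plus the numeric ports that
# `iptables -L -n` prints for the same services (mDNS, IPP, FTP).
UNNEEDED='mdns 5353 ipp 631 ftp 21'

# audit_rules: read iptables -L text on stdin, print every ACCEPT rule whose
# destination port is in UNNEEDED, and return 1 if any were found.
audit_rules() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            ACCEPT*) ;;
            *) continue ;;
        esac
        # Extract the dpt:<port> token; rules without one are not port-specific.
        port=$(printf '%s\n' "$line" | sed -n 's/.*dpt:\([a-z0-9]*\).*/\1/p')
        [ -n "$port" ] || continue
        for svc in $UNNEEDED; do
            if [ "$port" = "$svc" ]; then
                printf 'remove: %s\n' "$line"
                found=1
            fi
        done
    done
    return $found
}

# count_flagged: number of rules the audit flags in the constructed sample.
count_flagged() {
    printf '%s\n' "$SAMPLE_RULES" | audit_rules | wc -l | tr -d ' '
}
```

Note that `iptables -L` without `-v` hides interface matches, so the two bare `ACCEPT all` lines cannot be judged from this output; confirm with `iptables -L -v -n --line-numbers` that they are loopback rules, then delete the flagged rules with `iptables -D RH-Firewall-1-INPUT <num>` and persist the result with `service iptables save` on CentOS 5.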


Posted: Sun Jun 24, 2012 3:20 pm by vonskippy (Senior Member; joined Sun Dec 27, 2009 11:12 pm; 1038 posts; Colorado, USA)
CentOS 5.8 has been out since March 2012. I'd worry as much about keeping your security patches up-to-date as about pruning your iptables.

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.


Posted: Tue Jun 26, 2012 10:17 am by Avinash.Rao (Senior Member; joined Tue Apr 26, 2011 7:43 am; 59 posts)
Yeah, I understand a firewall is not the only solution. I would appreciate it if you shared other methods to secure the server with me. I cannot block port 80 as it is a web application. Even SSL is configured to work through port 80.

I hope removing FTP, IPP and mDNS won't disturb access to the website?


Thanks.

hoopycat wrote:
No, firewalls are not sufficient to ensure a system is secure. If anything is going to get you, it's probably going to be coming in via port 80.

Anyway, from the looks of things, you're allowing Internet Printing Protocol as well as FTP. Both of those are not generally things you'd want to run on a remote server. mDNS is also of limited utility on a public cloud. Those are the three rules I'd probably remove from the RH-Firewall-1-INPUT chain.


Posted: Tue Jun 26, 2012 10:18 am by Avinash.Rao (Senior Member; joined Tue Apr 26, 2011 7:43 am; 59 posts)
Yes, you are right, keeping the OS updated will help.

vonskippy wrote:
CentOS 5.8 has been out since March 2012, I'd worry as much about keeping your security patches up-to-date as well as pruning your IPTABLES.


Posted: Tue Jun 26, 2012 6:21 pm by hoopycat (Senior Member; joined Sat Aug 30, 2008 1:55 pm; 1739 posts; Rochester, New York)
mDNS and IPP are not used for web hosting and are mostly "LAN" protocols used within controlled environments. FTP is also not generally used for web hosting, although it is a legacy protocol used for file transfer in many places it shouldn't be.

_________________
Code:
/* TODO: need to add signature to posts */


Posted: Thu Jun 28, 2012 8:55 am by mnordhoff (Senior Member; joined Sat May 03, 2008 4:01 pm; 568 posts; website: http://www.mattnordhoff.com/)
Avinash.Rao wrote:
Even SSL is configured to work through port 80.

Wait what? Why would HTTPS be on anything but port 443?

_________________
Matt Nordhoff (aka Peng on IRC)


Posted: Sat Jun 30, 2012 8:48 am by Avinash.Rao (Senior Member; joined Tue Apr 26, 2011 7:43 am; 59 posts)
I am sorry, that was a typo. Please read that as 443.


mnordhoff wrote:
Avinash.Rao wrote:
Even SSL is configured to work through port 80.

Wait what? Why would HTTPS be on anything but port 443?


Posted: Sat Jun 30, 2012 8:50 am by Avinash.Rao (Senior Member; joined Tue Apr 26, 2011 7:43 am; 59 posts)
This means I have to remove mDNS, IPP and FTP.

Is there anything that I need to do?

Thanks for your time.



hoopycat wrote:
mDNS and IPP are not used for web hosting and are mostly "LAN" protocols used within controlled environments. FTP is also not generally used for web hosting, although it is a legacy protocol used for file transfer in many places it shouldn't be.


Posted: Sat Jun 30, 2012 8:51 am by Avinash.Rao (Senior Member; joined Tue Apr 26, 2011 7:43 am; 59 posts)
I don't receive email notifications despite subscribing for this thread.