| Linode Forum https://forum.linode.com/ |
|
| Suggestions on Firewall settings on CENTOS 5.6 64-bit https://forum.linode.com/viewtopic.php?f=19&t=9051 |
| Author: | Avinash.Rao [ Sun Jun 24, 2012 9:37 am ] |
| Post subject: | Suggestions on Firewall settings on CENTOS 5.6 64-bit |
Hello Everybody,

CentOS 5.6 64-bit, Apache web server with MySQL. The web application and MySQL servers are installed on different servers for load sharing; they are connected together and are in the same data center.

Below is the current firewall configuration. I would appreciate it if you could tell me whether these settings are sufficient to ensure my servers are secure.

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Thanks,
Avinash
|
| Author: | hoopycat [ Sun Jun 24, 2012 10:57 am ] |
| Post subject: | Re: Suggestions on Firewall settings on CENTOS 5.6 64-bit |
No, firewalls are not sufficient to ensure a system is secure. If anything is going to get you, it's probably going to be coming in via port 80.

Anyway, from the looks of things, you're allowing Internet Printing Protocol as well as FTP. Both of those are not generally things you'd want to run on a remote server. mDNS is also of limited utility on a public cloud. Those are the three rules I'd probably remove from the RH-Firewall-1-INPUT chain.
|
| Author: | vonskippy [ Sun Jun 24, 2012 3:20 pm ] |
| Post subject: | Re: Suggestions on Firewall settings on CENTOS 5.6 64-bit |
CentOS 5.8 has been out since March 2012. I'd worry as much about keeping your security patches up to date as about pruning your IPTABLES.
|
| Author: | Avinash.Rao [ Tue Jun 26, 2012 10:17 am ] |
| Post subject: | Re: Suggestions on Firewall settings on CENTOS 5.6 64-bit |
Yeah, I understand the firewall is not the only solution. I would appreciate it if you could share other methods to secure the server with me. I cannot block port 80 as it is a web application. Even SSL is configured to work through port 80. I hope removing FTP, IPP and mDNS won't disturb access to the website? Thanks.

hoopycat wrote:
    No, firewalls are not sufficient to ensure a system is secure. If anything is going to get you, it's probably going to be coming in via port 80.
    Anyway, from the looks of things, you're allowing Internet Printing Protocol as well as FTP. Both of those are not generally things you'd want to run on a remote server. mDNS is also of limited utility on a public cloud. Those are the three rules I'd probably remove from the RH-Firewall-1-INPUT chain.
|
| Author: | Avinash.Rao [ Tue Jun 26, 2012 10:18 am ] |
| Post subject: | Re: Suggestions on Firewall settings on CENTOS 5.6 64-bit |
Yes, you are right, keeping the OS updated will help.

vonskippy wrote:
    CentOS 5.8 has been out since March 2012, I'd worry as much about keeping your security patches up-to-date as well as pruning your IPTABLES.
|
|
| Author: | hoopycat [ Tue Jun 26, 2012 6:21 pm ] |
| Post subject: | Re: Suggestions on Firewall settings on CENTOS 5.6 64-bit |
mDNS and IPP are not used for web hosting and are mostly "LAN" protocols used within controlled environments. FTP is also not generally used for web hosting, although it is a legacy protocol used for file transfer in many places it shouldn't be.
|
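The pruning hoopycat describes in his two replies, as an added example that is not part of the thread: a small POSIX sh script that takes a ruleset in iptables-save format (the format CentOS 5 keeps in /etc/sysconfig/iptables), drops only the mDNS (udp/5353), IPP (tcp and udp/631) and FTP (tcp/21) rules, and then checks that the rules you cannot afford to lose (SSH, HTTP, HTTPS, the ESTABLISHED/RELATED rule and the closing REJECT) are still there before you load it. The input ruleset is constructed from the `iptables -L` listing in the first post; since `-L` without `-n -v` hides interface names, the first "ACCEPT all" line is assumed to be the usual `-i lo` loopback rule and the second is left out. The function names `prune_rules` and `check_rules` are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread.  Prunes the mDNS, IPP and FTP
# rules from a CentOS 5 style /etc/sysconfig/iptables file and verifies
# that the rules that must survive are still present.

# Constructed input: an iptables-save rendering of the ruleset in the
# first post.  The `-i lo` rule is an assumption (iptables -L hides
# interface names); the ports are the ones the service names mdns, ipp,
# ftp, ssh, http and https resolve to.
ORIGINAL_RULES=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
)

# prune_rules: iptables-save text on stdin, same text on stdout minus the
# rules that open mDNS (5353), IPP (631) and FTP (21).  The port must be
# followed by a space or end of line, so "--dport 21" cannot match
# "--dport 22" or "--dport 2100".
prune_rules() {
    grep -v -E -e '--dport (5353|631|21)( |$)'
}

# check_rules FILE: exit 0 only if FILE still carries every rule the web
# server needs (and the SSH rule that keeps you from locking yourself out)
# and none of the three pruned ones.  Run this before iptables-restore.
check_rules() {
    for pat in '--dport 22 ' '--dport 80 ' '--dport 443 ' \
               '--state ESTABLISHED,RELATED' '-j REJECT' '^COMMIT$'; do
        if ! grep -q -e "$pat" "$1"; then
            echo "check_rules: required rule missing: $pat" >&2
            return 1
        fi
    done
    for pat in '--dport 5353 ' '--dport 631 ' '--dport 21 '; do
        if grep -q -e "$pat" "$1"; then
            echo "check_rules: rule should have been pruned: $pat" >&2
            return 1
        fi
    done
    return 0
}

# count_chain_rules FILE: number of rules left in RH-Firewall-1-INPUT.
count_chain_rules() {
    grep -c -e '^-A RH-Firewall-1-INPUT' "$1"
}

# Demo on the constructed ruleset: 13 chain rules in, 9 out.
PRUNED_FILE=$(mktemp)
printf '%s\n' "$ORIGINAL_RULES" | prune_rules > "$PRUNED_FILE"
if check_rules "$PRUNED_FILE"; then
    echo "pruned ruleset OK, $(count_chain_rules "$PRUNED_FILE") rules left in RH-Firewall-1-INPUT:"
    cat "$PRUNED_FILE"
fi
```

On the server itself the same two functions would be run as `prune_rules < /etc/sysconfig/iptables > /root/iptables.pruned`, then `check_rules /root/iptables.pruned && iptables-restore < /root/iptables.pruned`, and finally `service iptables save` so the loaded rules are written back to /etc/sysconfig/iptables for the next boot. Two caveats: `iptables -L -n -v` (not plain `-L`) shows the interface behind the two unlabelled "ACCEPT all" lines, so check that before assuming they are loopback; and a firewall rule removed is not a service stopped, so if cups, avahi-daemon or an FTP daemon are installed, stop them and `chkconfig` them off as well, since the REJECT rule is the only thing keeping them off the network.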
| Author: | mnordhoff [ Thu Jun 28, 2012 8:55 am ] |
| Post subject: | Re: Suggestions on Firewall settings on CENTOS 5.6 64-bit |
Avinash.Rao wrote:
    Even SSL is configured to work through port 80.

Wait, what? Why would HTTPS be on anything but port 443?
|
| Author: | Avinash.Rao [ Sat Jun 30, 2012 8:48 am ] |
| Post subject: | Re: Suggestions on Firewall settings on CENTOS 5.6 64-bit |
I am sorry, that was a typo. Please read that as 443.

mnordhoff wrote:
    Avinash.Rao wrote:
        Even SSL is configured to work through port 80.
    Wait what? Why would HTTPS be on anything but port 443?
|
| Author: | Avinash.Rao [ Sat Jun 30, 2012 8:50 am ] |
| Post subject: | Re: Suggestions on Firewall settings on CENTOS 5.6 64-bit |
This means I have to remove the mDNS, IPP and FTP rules. Is there anything that I need to do? Thanks for your time.

hoopycat wrote:
    mDNS and IPP are not used for web hosting and are mostly "LAN" protocols used within controlled environments. FTP is also not generally used for web hosting, although it is a legacy protocol used for file transfer in many places it shouldn't be.
|
|
| Author: | Avinash.Rao [ Sat Jun 30, 2012 8:51 am ] |
| Post subject: | Re: Suggestions on Firewall settings on CENTOS 5.6 64-bit |
I don't receive email notifications despite subscribing to this thread.
|
| Page 1 of 1 | All times are UTC-04:00 |
|