# what if no firewall?



## Mid (May 4, 2014)

I am new to Linux/VPS (though I know quite a bit) and familiar with Windows desktop. From a Windows point of view, AFAIK firewall software would control which processes have access to the internet/sockets etc.

On a Linux VPS, I am the only user (root) of the system and I can only install software (so I would only install those needed).

So, why is there any need for a firewall on the VPS?

What is the worst that could happen if I don't run one on the VPS?

ps:

I have disabled "password authentication" in sshd_config and use a key file; this is the only security that I use as of now.

(no php, no mail, no dns on vps, just going to be plain nginx/lighttpd)


----------



## HostSailor (May 4, 2014)

Hi,

Try /etc/hosts.deny and /etc/hosts.allow too; it might add a bit more to your setup, though that kind of basic security isn't 100% going to protect you from having your VPS attacked or hacked. The firewall is a great tool for controlling what goes out of and into your VPS. SSHD isn't the only entrance to your VPS, so some extra security would need to take place.


----------



## Lee (May 4, 2014)

^^ That, and it is not a big learn to change the policy of your input chain to drop all other than established connections to add to security. There is always someone/something sniffing around looking for opportunities; the more you deter that kind of traffic early on, the more likely they will move on quickly and leave you alone.
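
An added example, not part of the original post: the default-drop INPUT policy described above, written as a shell function that prints an `iptables-restore` ruleset. The port list `22,80`, the `SSH_PORT` variable and the function name are assumptions for illustration.

```shell
#!/bin/sh
# Print an iptables-restore ruleset: INPUT policy DROP, loopback and
# established/related traffic accepted, new TCP connections accepted only
# on the listed ports. Port list and SSH_PORT are illustrative assumptions.
input_ruleset() {
    ports=$1
    ssh_port=${SSH_PORT:-22}   # assumption: the port sshd listens on
    # Refuse to build a ruleset that would cut off the admin's own SSH access.
    case ",$ports," in
        *",$ssh_port,"*) ;;
        *) echo "refusing: SSH port $ssh_port not in allow list" >&2; return 1 ;;
    esac
    rules=
    old_ifs=$IFS; IFS=,
    for p in $ports; do
        case $p in
            ''|*[!0-9]*) IFS=$old_ifs; echo "bad port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            IFS=$old_ifs; echo "bad port: $p" >&2; return 1
        fi
        rules="$rules-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT
"
    done
    IFS=$old_ifs
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%sCOMMIT\n' "$rules"
}

# Syntax check without loading (as root):
#   input_ruleset "22,80" | iptables-restore --test
input_ruleset "22,80"
```

This covers IPv4 only; IPv6 traffic is filtered by ip6tables and needs its own ruleset.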


----------



## kcaj (May 4, 2014)

How easy is csf to use? I believe it's pretty much commands in a config file IIRC, but it's been years since I used it and I've only ever used it as part of cPanel.


----------



## TruvisT (May 4, 2014)

1e10 said:


> How easy is csf to use? I believe it's pretty much commands in a config file IIRC, but it's been years since I used it and I've only ever used it as part of cPanel.


CSF is very easy to learn and use. However, for advanced commands, you will need to learn IPTables which is good to learn.


----------



## kcaj (May 4, 2014)

TruvisT said:


> CSF is very easy to learn and use. However, for advanced commands, you will need to learn IPTables which is good to learn.


I am just looking for something to keep my VPS safe, nothing magical. Will CSF do?


----------



## tonyg (May 4, 2014)

At your home, your ISP supplied modem/router uses a hardware firewall with NAT that automatically protects (hides your computer) from their systems.

When you set up a VPS/dedicated server in a data center, you don't get the benefits of a hardware firewall and automatic NAT and are wide open and susceptible to anyone/anything.

A firewall on a system that is not behind a hardware firewall or NAT is a must.


----------



## TruvisT (May 4, 2014)

1e10 said:


> I am just looking for something to keep my VPS safe, nothing magical. Will CSF do?


Firewalls are more ACL than keeping a system safe. The only way a firewall will technically keep you safe is if you are running a service that you want to control access to. If you run a service that is publicly open then the safety comes down to how secured that service is.


----------



## vps24.net (May 4, 2014)

If you have only one service running you think nothing can happen but...

First of all, limit access to sshd to only the IPs that you are using to access your VPS.

After that, read a little bit about iptables and defending against DoS and DDoS attacks. Even one open port can be a good target to kill your VPS/server.

regs.

vps24.net


----------



## texteditor (May 4, 2014)

Mid said:


> So, why is there any need for a firewall on the VPS?
> What is the worst that could happen if I don't run one on the VPS?


You don't _need_ a firewall, assuming everything on your system is configured perfectly and has no unknown/hidden exploits in the wild.

The problem is that most software has hidden bugs in it that could be an attack vector, and people who configure software (me, you) aren't perfect. A firewall is just a way to hedge against human and software error.


----------



## kcaj (May 4, 2014)

I've installed CSF but I don't think it's working. Here are a few lines from /etc/csf/csf.conf


```
###############################################################################
# SECTION:IPv4 Port Settings
###############################################################################
# Lists of ports in the following comma separated lists can be added using a
# colon (e.g. 30000:35000).

# Allow incoming TCP ports
TCP_IN = "22,80"

# Allow outgoing TCP ports
TCP_OUT = "22,25,53,80,3306"

# Allow incoming UDP ports
UDP_IN = "53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "53"
```

But I'm still able to access a web panel on port 9091, so things clearly aren't being blocked.


----------



## tonyg (May 4, 2014)

@1e10

You have hijacked the OP's thread. You should have started a new thread.


----------



## kcaj (May 4, 2014)

tonyg said:


> @1e10
> 
> You have hijacked the OP's thread. You should have started a new thread.


Sorry, I shall open a new thread.


----------



## Mid (May 8, 2014)

texteditor said:


> You don't _need_ a firewall, assuming everything on your system is configured perfectly and has no unknown/hidden exploits in the wild.
> 
> The problem is that most software has hidden bugs in it that could be an attack vector, and people who configure software (me, you) aren't perfect. A firewall is just a way to hedge against human and software error.


Probably you are the only one who said "you don't need a firewall"...

*I asked you people how my VPS can be abused* if I run without a firewall (not a kind of DoS attack, i.e. not talking about an attack targeted on my domain/business). Suppose I run no unnecessary services and run only a webserver: how could a stranger abuse/use my VPS for their purpose (e.g. sending spam, etc.) *provided I have secured sshd*?

I am *not going to run php or any scripts* on the vps. Suppose, you are a kind of person who would try to use other servers for your benefit, then *what or how could you do with my vps*? Suppose someone sees that *port X is open on my vps, what could (s)he do with it without gaining access to my vps?*

Again, I am not talking about DoS attacks here. Who is going to do a DDoS on me unless I become popular and/or I get enemies? *Or are these DoS attacks common here for fun, and I am not aware of it?*


----------



## tchen (May 8, 2014)

Almost every piece of software that has an open listen port has had at one time or another a buffer overflow vulnerability. Even things that aren't explicitly running as a daemon could be triggered by inetd if you're not careful. The inbound firewall is a second layer of defense against that unknown flip by you late at night or by some installed software. It's a codified form of your statement "I'm not going to run any unnecessary services".


The outbound firewall is more of a containment issue, as certain vectors require bootstrapping payloads. Reaching out to download the payload can be stopped quite effectively if you have strict ip restrictions on outbound firewalls.


P.S. While obfuscation isn't good security by itself, letting me know exactly which ports you have open quickly lets me narrow down the universe of possible exploits to run on you. Even better when your service advertises its version over the wire.


----------



## datarealm (May 8, 2014)

If I manage to get your server to execute some arbitrary code, that's only the first step in compromising your system. Perhaps I cannot get this to escalate to root privileges straight away, or perhaps it's just a PITA to work with. In all likelihood if I can get your system to execute some code, I can spawn a process to listen on a high port number which will then give me some level of shell access through which I can possibly further look for root level exploits, or at least cause you some serious trouble.

If you even take the most basic step of limiting the open ports to the services you are running (which based on your OP is very few, so that should not be difficult) you have completely taken this option away from me.
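
An added example, not from any poster in the thread: one way to check the point above, and kcaj's earlier observation about port 9091, is to list TCP listeners bound to non-loopback addresses whose port is not covered by `TCP_IN`. The `ss -tln` output and port 40123 are constructed sample data, and `unexpected_listeners` is a hypothetical helper name.

```shell
#!/bin/sh
# Report TCP ports that listen on a non-loopback address but are not in
# csf.conf's TCP_IN list (single ports or low:high ranges).
# $1 = csf.conf text, $2 = output of `ss -tln`
unexpected_listeners() {
    allow=$(printf '%s\n' "$1" | sed -n 's/^TCP_IN *= *"\([^"]*\)".*/\1/p')
    printf '%s\n' "$2" | awk -v allow="$allow" '
        BEGIN { n = split(allow, spec, ",") }
        function allowed(port,   i, r) {
            for (i = 1; i <= n; i++) {
                if (split(spec[i], r, ":") == 2) {
                    if (port >= r[1] + 0 && port <= r[2] + 0) return 1
                } else if (port == spec[i] + 0) return 1
            }
            return 0
        }
        $1 == "LISTEN" {
            addr = $4; port = $4
            sub(/:[0-9]+$/, "", addr)     # strip the port, keep the address
            sub(/^.*:/, "", port)         # keep only the port
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            if (!allowed(port + 0) && !seen[port]++) print port
        }' | sort -n
}

# TCP_IN line as posted in the thread; socket list is constructed sample data.
CSF_CONF='TCP_IN = "22,80"'
SS_OUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 0.0.0.0:9091 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 1 0.0.0.0:40123 0.0.0.0:*'

# On a live host: unexpected_listeners "$(cat /etc/csf/csf.conf)" "$(ss -tln)"
unexpected_listeners "$CSF_CONF" "$SS_OUT"
```

Every port it prints is a service whose exposure depends entirely on the firewall actually enforcing the list.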


----------



## HostNIT (May 20, 2014)

What is no firewall?

Same as Windows, you could get hacked.

Think of it this way: if your Windows PC was connected to the Internet 24/7 with a static IP address and no firewall, what's the worst that can happen?

The same answer to the above question is true for Linux systems.

CSF is probably going to be the easiest firewall and installing it is pretty easy.

Modifying the IPtable rules w/o a control panel would require some extra reading on iptables, but that's all there is to it, just reading and following instructions.

At the risk of your data I would say it's worth just taking the 20-40 minutes and read and install CSF and some general IPtable rules. (such as adding, removing ports/ips etc..)

Hope that helps.



Mid said:


> I am new to Linux/VPS (though I know quite a bit) and familiar with Windows desktop. From a Windows point of view, AFAIK firewall software would control which processes have access to the internet/sockets etc.
> 
> On a Linux VPS, I am the only user (root) of the system and I can only install software (so I would only install those needed).
> 
> ...


----------

