what if no firewall?

Mid · May 4, 2014

I am new to linux/vps (though I know quite a bit) and familiar with windows desktop. From windows point of view, AFAIAK firewall software would control which processes have access to the internet/sockets etc.

In linux vps, I am the only user (root) of the system and I can only install software (so I would only those needed).

So, why there is any need of firewall in the vps?

What worst could happen if I don't run on the vps?

ps:

I have disabled "password authentication" on sshd_config and use keyfile, this is the only security that I use as of now.

(no php, no mail, no dns on vps, just going to be plain nginx/lighttpd)

HostSailor · May 4, 2014

Hi,

Try /etc/hosts.deny and ./etc/hosts.allow too, it might add a bit more to your setup, though those kind of basic security aren't 100% going to protect you from having your VPS attacked or hacked, the firewall is a great tool in controlling what goes out and into your VPS, SSHD isn't the only entrance to your VPS, so some extra security would need to take place.

Lee · May 4, 2014

^^ That and it is not a big learn to change the policy of your input chain to drop all other than established connections to add to security. There is always someone/something sniffing around looking for opportunities, the more effort you deter that kind of traffic early on the more likely they will move on quickly and leave you alone.

kcaj · May 4, 2014

How easy is csf to use? I believe it's pretty much commands in a config file IIRC, but it's been years since I used it and I've only ever used it as part of cPanel.

TruvisT · May 4, 2014

1e10 said:
How easy is csf to use? I believe it's pretty much commands in a config file IIRC, but it's been years since I used it and I've only ever used it as part of cPanel.

CSF is very easy to learn and use. However, for advanced commands, you will need to learn IPTables which is good to learn.

kcaj · May 4, 2014

TruvisT said:
CSF is very easy to learn and use. However, for advanced commands, you will need to learn IPTables which is good to learn.

I am just looking for something to keep my VPS safe, nothing magical. Will CSF do?

tonyg · May 4, 2014

At your home, your ISP supplied modem/router uses a hardware firewall with NAT that automatically protects (hides your computer) from their systems.

When you set up a vps/dedicated server on a data center, you don't get the benefits of a hardware firewall and automatic NAT and are wide open and susceptible to anyone/anything.

A firewall on a system that is not behind a hardware firewall or NAT is a must.

TruvisT · May 4, 2014

1e10 said:
I am just looking for something to keep my VPS safe, nothing magical. Will CSF do?

Firewalls are more ACL then keeping a system safe. The only way a firewall will technically keep you safe is if you are running a service that you want to control access to. If you run a service that is publicly open then the safety comes down to how secured that service is.

vps24.net · May 4, 2014

If You have only one service running You think nothing can happen but...

First of all limit access to the sshd for only IP`s that You are using to access Your vps.

After that read a little bit about iptables and defensing against the dos and ddos attacks. Even one open port can be a good target to kill Your VPS/server.

regs.

vps24.net

texteditor · May 4, 2014

Mid said:
So, why there is any need of firewall in the vps?
What worst could happen if I don't run on the vps?

You don't need a firewall, assuming everything on your system is configured perfectly and has no unknown/hidden exploits in the wild.

The problem is that most software has hidden bugs in it that could be an attack vector, and people who configure software (me, you) aren't perfect. A firewall is just a way to hedge against human and software error.

kcaj · May 4, 2014

I've installed CSF but I don't think it's working. Here are a few lines from /etc/csf/csf.conf

###############################################################################
# SECTION:IPv4 Port Settings
###############################################################################
# Lists of ports in the following comma separated lists can be added using a
# colon (e.g. 30000:35000).

# Allow incoming TCP ports
TCP_IN = "22,80"

# Allow outgoing TCP ports
TCP_OUT = "22,25,53,80,3306"

# Allow incoming UDP ports
UDP_IN = "53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "53"

But I'm still able to access a web panel on port 9091, so things clearly aren't being blocked.

tonyg · May 4, 2014

@1e10

You have hijacked the OPs thread. You should have started a new thread.

kcaj · May 4, 2014

tonyg said:
@1e10

You have hijacked the OPs thread. You should have started a new thread.

Sorry, I shall open a new thread.

Mid · May 8, 2014

texteditor said:
You don't need a firewall, assuming everything on your system is configured perfectly and has no unknown/hidden exploits in the wild.

The problem is that most software has hidden bugs in it that could be an attack vector, and people who configure software (me, you) aren't perfect. A firewall is just a way to hedge against human and software error.

Probably you are the only one who told "you don't need a firewall"...

I asked you people how can my vps be abused if I run without a firewall? (not kind of dos attack, i.e not talking about an attack targetted on my domain/business) Suppose If I run no unnecessary services, and run only webserver, how come a stranger abuse/use my vps for their purpose (for e.g, sending spams, etc) provided I have secured sshd?.

I am not going to run php or any scripts on the vps. Suppose, you are a kind of person who would try to use other servers for your benefit, then what or how could you do with my vps? Suppose someone sees that port X is open on my vps, what could (s)he do with it without gaining access to my vps?

Again, I am not talking about DOS attacks here. Who is going to do DDOS on me unless I become popular and/or I get enimies? Or, these DOS attacks are common here for fun that I am not aware of?

tchen · May 8, 2014

Almost every software that has an open listen port has had at one time or another a buffer overflow vulnerability. Even things that aren't explicitly running as daemon could be triggered by inetd if you're not careful. The inbound firewall is a second layer of defense against that unknown flip by you late at night or by some installed software. It's a codified form of your statement "I'm not going to run any unnecessary services".

The outbound firewall is more of a containment issue, as certain vectors require bootstrapping payloads. Reaching out to download the payload can be stopped quite effectively if you have strict ip restrictions on outbound firewalls.

P.S. While obfuscation isn't good security by itself, letting me know exactly which ports you have open quickly lets me narrow down the universe of possible exploits to run on you. Even better when your service advertises it's version over the wire.

datarealm · May 8, 2014

If I manage to get your server to execute some arbitrary code, that's only the first step in compromising your system. Perhaps I cannot get this to escalate to root privileges straight away, or perhaps its just a PITA to work with. In all likelihood if I can get your system to execute some code, I can spawn a process to listen on a high port number which will then give me some level of shell access through which I can possibly further look for root level exploits, or at least cause you some serious trouble.

If you even take the most basic step of limiting the open ports to the services you are running (which based on your OP is very few, so that should not be difficult) you have completely taken this option away from me.

HostNIT · May 20, 2014

What is no firewall?

Same as Windows, you could get hacked.

Think of it this way, if your Windows P.C was connected to the Internet 24/7 with a static IP address and no firewall, what's the worst that can happen?

The same answer to the above question is true for linux systems.

CSF is probably going to be the easiest firewall and installating it is pretty easy.

Modifying the IPtable rules w/o a control panel would require some extra reading on iptabes, but that's all there is to it, just reading and following instructions.

At the risk of your data I would say it's worth just taking the 20-40 minutes and read and install CSF and some general IPtable rules. (such as adding, removing ports/ips etc..)

Hope that helps.

Mid said:
I am new to linux/vps (though I know quite a bit) and familiar with windows desktop. From windows point of view, AFAIAK firewall software would control which processes have access to the internet/sockets etc.

In linux vps, I am the only user (root) of the system and I can only install software (so I would only those needed).

So, why there is any need of firewall in the vps?

What worst could happen if I don't run on the vps?

ps:

I have disabled "password authentication" on sshd_config and use keyfile, this is the only security that I use as of now.

(no php, no mail, no dns on vps, just going to be plain nginx/lighttpd)

what if no firewall?

Mid

New Member

HostSailor

Member

Lee

Retired Staff

kcaj

New Member

TruvisT

Server Management Specialist

kcaj

New Member

tonyg

New Member

TruvisT

Server Management Specialist

vps24.net

New Member

texteditor

Premium Buffalo-based Hosting

kcaj

New Member

tonyg

New Member

kcaj

New Member

Mid

New Member

tchen

New Member

datarealm

New Member

HostNIT

New Member