Firewalls
The Internet is a dangerous place, by being out in the open, your server is exposed to major threats. Threats exploit vectors of entry, which could be exposed services that run or listen to certain ports.
Thus, the right thing to do is to build a firewall to block these ports from outside access, and allow others with reservations.
Each server should not allow any traffic beyond the certain range of ports that it is allowed to use. This protects each server from the internet, and each other.
http://serverfault.com/questions/201298/why-should-i-firewall-servers
FirewallD[edit]
Install and enable FirewallD at boot:
sudo yum install firewalld sudo systemctl start firewalld sudo systemctl enable firewalld
We will use the public
zone as our foremost and only zone, since we are using a server with only one network interface, eth0
, and we are firewalling against the whole internet.
The first step is to enable the SSH service, since you probably want to retain the ability to connect remotely.
sudo firewall-cmd --permanent --zone=public --add-service=ssh
If you want to enable the HTTP and HTTPS service, add these services as well.
sudo firewall-cmd --permanent --zone=public --add-service=http sudo firewall-cmd --permanent --zone=public --add-service=https
Finally, when you are sure that the ssh
service is still enabled on the public
zone, reload the rules and enable the zone. If it worked, you will still be able to connect via SSH, and can now access HTTP and HTTPS servers externally. All other ports/services will be blocked to the world (for now).
sudo firewall-cmd --reload sudo firewall-cmd --zone=public --change-interface=eth0
You can now set up other services with the firewall in a similar way. Make sure to reload the rules right to commit your changes.
sudo firewall-cmd --reload
ufw[edit]
A CLI interface to iptables that is utterly uncomplicated. Great for Debian/Ubuntu home servers.
iptables[edit]
There's good ol' iptables for advanced configuration, but I don't really deal with it, so look elsewhere.