Very important aspect of your web server security : the firewall. Most of web servers are using iptables to control what is going in and out. And it’s pretty easy to use.
Here is my basic configuration (you can also find it on Github) :
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 |
#!/bin/sh # Empty all rules sudo iptables -t filter -F sudo iptables -t filter -X # Bloc everything by default sudo iptables -t filter -P INPUT DROP sudo iptables -t filter -P FORWARD DROP sudo iptables -t filter -P OUTPUT DROP # Authorize already established connexions sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT sudo iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT sudo iptables -t filter -A INPUT -i lo -j ACCEPT sudo iptables -t filter -A OUTPUT -o lo -j ACCEPT # ICMP (Ping) sudo iptables -t filter -A INPUT -p icmp -j ACCEPT sudo iptables -t filter -A OUTPUT -p icmp -j ACCEPT # SSH sudo iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT sudo iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT # DNS sudo iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT sudo iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT sudo iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT sudo iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT # HTTP sudo iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT sudo iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT #HTTPS sudo iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT sudo iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT # FTP sudo iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT sudo iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT # Git sudo iptables -t filter -A OUTPUT -p tcp --dport 9418 -j ACCEPT sudo iptables -t filter -A INPUT -p tcp --dport 9418 -j ACCEPT # Mail SMTP iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT # Mail POP3 iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT # Mail IMAP iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT # NTP (server time) sudo iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT |