How To Set Up CentOS and

  • After transferring data, I will close all ports.

    That usually makes no sense, since afterwards you can do more or less nothing with your server.


    Hi, if I configure it like this, can it be called safe yet?

    Nobody can tell you, since the rules are in special chains, and nobody knows when they are called and what happens in the default chains. And I have no idea what this firewall daemon does. Typically, such frameworks create a set of complex rules and chains that no one can understand.

  • Hi, if I configure it like this, can it be called safe yet?

    Nobody can tell you, since the rules are in special chains, and nobody knows when they are called and what happens in the default chains. And I have no idea what this firewall daemon does. Typically, such frameworks create a set of complex rules and chains that no one can understand.

    185596 : The only way to know whether your setup is correct is to read about the framework you're relying on and to test your host from the outside (e.g. your computer at home) using a tool like Nmap.

    Also please note that it's not enough to only open those ports you need to run services (like a web server). Rather, the services in question mustn't come with vulnerabilities that can be exploited (either by upgrading them automatically/manually or by securing them by other means, e.g., the use of containers). In order to check/monitor this, vulnerability scanners are required.

    Last but not least, with respect to the use of CentOS (if this is what you prefer(red)), you should have a look at CentOS Stream ahead of CentOS 7 EOL.

    VServer IOPS Comparison Sheet: https://docs.google.com/spreadsheets/d/1w38zM0Bwbd4VdDCQoi1buo2I-zpwg8e0wVzFGSPh3iE/edit?usp=sharing

    Edited 3 times, last by m_ueberall ()

  • And I have no idea what this firewall daemon does. Typically, such frameworks create a set of complex rules and chains that no one can understand.

    1)

    Firewalld by itself is not a bad thing. It is commonly used in enterprise distributions like Red Hat and SUSE, and I generally recommend it over manual configuration of iptables/nftables for inexperienced people on other distributions.

    Issues arise if the administrator is not familiar with what the tool is doing, and combines it with other, possibly conflicting solutions.

    In this case, apparently a random, old script was run to inject iptables rules, after which firewalld was installed. The poster then masked the iptables service (which I am not sure is of any use, since iptables works using a kernel module, which is required as a backend for firewalld), apparently in the attempt to have only firewalld manage firewall rules - I do not know the CentOS distribution and could not find any documentation for it - and hence am unable to tell what impact this has.


    2)

    To the original poster - the firewalld ruleset you installed looks fine; however, it seems you previously installed manual iptables rules, which may or may not conflict. Hence - albeit me favoring the use of firewalld - I recommend that you inspect and understand the iptables rulesets which firewalld places for you, instead of blindly trusting them.


    3)

    Testing the server from outside for open ports, as suggested by m_ueberall, is a good idea. But again, I recommend reading up on and understanding the process, instead of blindly trusting an empty `nmap` result.


    4)

    Open ports are not the only issue. You mentioned the script you ran at the beginning installed some sort of banning system to block IP addresses frequently trying to access your system. I assume this system is fail2ban - in which case, now that you switched to firewalld, you may need to manually reconfigure fail2ban to utilize firewalld as its banning backend!


    5)

    Keep your system patched. Use key-based SSH authentication. Read up on Linux hardening and auditing. Install a monitoring application to inform you of suspicious login and network activity, but do not enable a mail transfer agent to send you notification emails before understanding what an "open relay" is.


    6)

    I share the concerns of the other commenters, and my tone may sound as if I am on their side. However, whilst the previous information given to you is absolutely justified, I want to emphasize that I do very much congratulate you for joining the journey of self-hosting GNU/Linux based services on the internet. I want you to feel welcome with the freedom of self-hosting. Whilst possibly overwhelming at first, it will open many doors, and allow you to enjoy and learn aspects of system administration otherwise hidden from you if you were just buying into a "ready made thing". As already pointed out by others, however, it would have been wise to first evaluate your setup in a local virtual machine. Most computers nowadays are powerful enough to run at least a small Linux based virtual machine - allowing you to test things in a local, isolated network, before releasing them onto the world wide web. Even though you now already have a Netcup VM on the internet, you may still want to look into setting up a local one (or multiple!) for testing configurations and playing around with things.

    People here are not only concerned about the effect your actions on public servers have on you (for example with abuse reports sent to you), but also about the effects your actions have on other users of the same infrastructure. For example, a hosting provider like Netcup may decide to block common ports if they feel too many users host servers prone to exploitation and abuse.

  • Thanks Pro

    - Due to a misunderstanding, I installed the Firewalld feature (even though it has iptables) ... to my knowledge, is there any conflict between the 2 features?

    ==> I tested it by manually logging in via SSH with a wrong password. The fail2ban system blocks immediately.


    Code: `cat /var/log/secure | grep 'Failed password' | sort | uniq -c`

    forum.netcup.de/system/attachment/8558/


    Do I need to add any conditions to the configuration to make it better? Currently it is as follows:



    forum.netcup.de/system/attachment/8560/
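    The poster's pipeline counts identical lines, so four attempts against different usernames from the same host show up as four separate entries. As an added example (not from the thread, and not fail2ban's own parsing), the script below aggregates failed SSH password attempts by source address over constructed sample log lines in the /var/log/secure format and lists the addresses that reached a ban threshold; the threshold value 3 and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: count failed sshd password attempts per client address, keyed on the
# "from <ip>" field rather than the whole line. Log lines below are constructed samples
# in the /var/log/secure format; the threshold mirrors what a fail2ban jail would apply.
SAMPLE_LOG=$(cat <<'EOF'
Mar 10 12:00:01 vps sshd[1201]: Failed password for root from 203.0.113.5 port 50101 ssh2
Mar 10 12:00:03 vps sshd[1201]: Failed password for root from 203.0.113.5 port 50101 ssh2
Mar 10 12:00:05 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 50102 ssh2
Mar 10 12:00:07 vps sshd[1205]: Failed password for invalid user test from 198.51.100.7 port 41000 ssh2
Mar 10 12:00:09 vps sshd[1207]: Accepted publickey for deploy from 192.0.2.10 port 39000 ssh2
Mar 10 12:00:11 vps sshd[1209]: Failed password for root from 203.0.113.5 port 50103 ssh2
EOF
)

# failed_by_ip LOGTEXT -> lines of "COUNT IP", most frequent first.
# Only sshd "Failed password" lines are considered; successful logins are ignored.
failed_by_ip() {
    printf '%s\n' "$1" \
      | awk '/sshd\[[0-9]+\]: Failed password for/ {
                for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
             }
             END { for (ip in n) print n[ip], ip }' \
      | sort -rn
}

# offenders LOGTEXT THRESHOLD -> addresses with at least THRESHOLD failures,
# i.e. the ones a ban system with that maxretry setting would act on.
offenders() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# On a CentOS host, run it against the real log with: failed_by_ip "$(cat /var/log/secure)"
failed_by_ip "$SAMPLE_LOG"
echo "--- reached threshold of 3 failures ---"
offenders "$SAMPLE_LOG" 3
```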

  • Thanks Pro

    - Due to a misunderstanding, I installed the Firewalld feature (even though it has iptables) ... to my knowledge, is there any conflict between the 2 features?

    No, in fact, you need to keep iptables if you want to use firewalld. Firewalld is a wrapper for iptables/nftables. It basically generates iptables rules for you, making it easier to administer the firewall. My concern was mostly because you installed manual iptables rules before moving to firewalld - I am not sure if an installation of firewalld will overwrite them automatically, but I assume it does.

    I tested it by manually logging in via SSH with a wrong password. The fail2ban system blocks immediately.

    Good!

    pasted-from-clipboard.png

    That link unfortunately does not work.