Basic Server Security: Firewalls
One of the first layers of defence against attackers and unauthorized access to your server is a firewall. A firewall analyzes the network traffic on your server and makes decisions as to which traffic should be allowed to pass or which traffic should be stopped.
How Do Firewalls Work?
The firewall’s decisions are normally driven by information about the network connection itself, rather than the contents of the data being sent. Factors may include which network device the traffic is going over (if you have more than one in your computer/server), the IP address of the computer sending or receiving the data, and the transport protocol and port of the computer sending or receiving the data.
While most of these are self explanatory, protocols and ports are often confusing for people. Protocols are defined standards by which two computers will arrange data to be transmitted into packets, and send them to each other so that both will understand and be able to read the sent data. The most commonly used protocols are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). Ports are simply numbers used by the operating system’s network software to identify which piece of software should be given any data received over the network. When a piece of software that wants to communicate over the network runs, it will request to use a port number from the network software, then any received data will then be given to that software.
Standard Ports and Protocols
Some software uses pre-defined standard ports and protocols. This makes communications a lot easier as users don’t then need to worry about these details. For example, web servers will normally listen on TCP port 80 for incoming HTTP traffic. They will also use TCP port 443 for HTTPS traffic. This behavior is normally used by server software that is left running continuously. Client software such as your web browser on your computer will use a random port for each connection it makes.
Firewalls can generally be configured with a number of rules where the traffic is matched to the options given above, and is then told what to do with that match, namely whether to allow the traffic to pass or to block it. Using these rules we can then restrict who is able to communicate with the various network enabled pieces of software on our servers.
General Configuration Guidelines
For server firewall configurations we normally recommend using the following guidelines:
- Set the default rule or policy for inbound traffic to block all incoming traffic.
- Set individual firewall rules for the services you want to allow access to from the internet along with returning traffic for established outbound connections.
For example, with a web server you’d allow access to TCP ports 80 and 443. You should avoid opening up access any further than is absolutely required, as this reduces the number of different attacks that someone can make towards your server. We especially advise that where possible management software such as SSH for Linux and RDP for Windows servers is only opened to access from specific IPs rather than from the world as these are some of the most attacked pieces of software. If you really must open these services up then we recommend using tools such as Denyhosts on Linux or similar on Windows to prevent successful brute force attacking attempts.
In addition to the manual firewall configuration that would need to be carried out on the setup of a new server, there are also tools such as Fail2Ban that are capable of automatically adding firewall rules in order to perform additional blocks on IP addresses that appear to be performing attacks on your server. These tools can help ensure that the services that you do need to leave open to the internet are secured.
In terms of securing a server, ensuring that attackers are unable to communicate with the server is the best method to stay safe. Short of disconnecting your server from the internet, a thorough firewall policy is the best way to achieve security.