firewall on dedicated server?

zombiezoo

Dec 14, 2008
Question from a novice. I am about to upgrade from a VPS at liquidweb to a dedicated server at liquidweb for one of my very high traffic websites. My question is whether or not you think I need to add the firewall. It's quite a bit extra per month, which is why I am asking. Also, what are the benefits of having one or the risks of going without? I did Google and had a tough time coming up with a straight answer. I figured I'd ask the WF experts.
 


A hardware firewall is never a bad thing, it's just a question of if you really need it and want to spend the extra money. Unless your site is a high-profile target, you can probably get away with just a software firewall, like CSF.

Again, if you have the money to blow, go for it. But, you can always start off with a software firewall and add the hardware in the future if you need it.
 
Easy tips...

Default all traffic to dropped, then whitelist the services you want to give people access to.

If you want to use a remote MySQL GUI app like Navicat, use SecureCRT or PuTTY to port-forward 3306, then connect to your server using localhost. That way, you don't have to open your MySQL port to the outside world at all. You can use this same concept for any port that only *you* or your partners/employees/colleagues need access to on a remote server.

Also, add some rate-limiting on new SSH and FTP logins by using the per hour and burst flags. Fail2ban might be better, but I had problems getting it working.
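
The tips in the post above (default drop, whitelisted services, MySQL kept behind an SSH tunnel, limits on new SSH/FTP connections), as an added example that is not part of the original post. It assumes iptables and swaps in the `hashlimit` match so the per-hour and burst limit applies per source address; the ports and rate values are illustrative assumptions.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for review.
# It does not touch the live firewall. Ports and rates are assumptions.

PUBLIC_PORTS="80 443"   # services everyone may reach
LIMITED_PORTS="22 21"   # SSH and FTP control: new connections are rate-limited
# 3306 (MySQL) is deliberately not listed. Reach it through an SSH tunnel:
#   ssh -L 3306:127.0.0.1:3306 user@server
# then point the GUI client at localhost:3306.

build_ruleset() {
    echo "*filter"
    # Default all inbound and forwarded traffic to dropped.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # Loopback (the tunnel endpoint lives here) and replies to our own traffic.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Whitelist the public services.
    for p in $PUBLIC_PORTS; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # New SSH/FTP connections: 10 per hour per source IP, burst of 5.
    # Anything over the limit falls through to the DROP policy.
    # FTP data channels are not covered here and need separate handling.
    for p in $LIMITED_PORTS; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW" \
             "-m hashlimit --hashlimit-name new_$p --hashlimit-mode srcip" \
             "--hashlimit-upto 10/hour --hashlimit-burst 5 -j ACCEPT"
    done
    echo "COMMIT"
}

# Count ruleset lines matching a pattern (used to sanity-check the output).
count_matching() { build_ruleset | grep -c -- "$1" || true; }

build_ruleset
```

Pipe the output through `iptables-restore --test` to have it parsed without committing, and keep an existing SSH session open when loading it for real.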
 
I agree with supergeek. Two other things I like to do are use non-standard ports for stuff that the public doesn't need. Similarly, I use knockd for opening ports remotely only when I need them.
 
Hello Greek,

You need to make sure the server and your internal PC are on the same IP and subnet range. Even if it means disconnecting from the internet and manually changing the IP address to one which is in its range, you need to be on the same range to configure the server. Also, where is your NAT enabled? You need to make sure that is correctly configured so that an external PC can connect. Is your server set up to be a domain controller or a terminal server? Either way, make sure you have remote access enabled. To me it sounds like a simple IP config problem. Tell me your IP address, default gateway, and subnet.
 
^ I can't figure out if that's a bot or just some dude going around digging up old threads. If it is a bot, it's awesome.