Firewall pros and cons
In an attempt to protect their server, people often come to us with the question, "How can I put a firewall on a server with Flussonic, or with Watcher?"
To do this, the first thing to remember is that there are 2 directions of protection:
- With a restriction on incoming connections;
- With a restriction on outgoing connections.
Putting a restriction on outgoing connections makes no sense, since there is nothing on the server except Flussonic, so it is perfectly safe. However, a server can break down, so every server running Flussonic needs a fallback mechanism and process that handles restoring its information, for example Ansible with the server configs.
Therefore, it makes sense to install a firewall only to restrict incoming connections, i.e. to protect private information on the server from unauthorized intrusion. In today's reality, if a person gains unauthorized access to the server, the server is compromised. After all, it is almost impossible to protect a server once the intruder is inside.
Is it worth installing a firewall at all?
- A firewall increases the load on the server. In most cases, it has no effect on the process itself, but in some cases it may play an important role.
- The firewall is an extra part of the server that needs to be maintained and must not be forgotten about.
If you do decide to install a firewall, you need to move all other programs to other servers so that nothing but Flussonic runs on the server. In this case, there will be 3 ports open on the server:
- Port 80;
- Port 443;
- Port 22.
HTTP ports 80 and 443 are for Flussonic, and port 22 is for SSH. Attacks on the Flussonic ports can hit either port 80 or port 443, on which Flussonic listens. In this case, the attacks would be application-level, i.e. various requests and calls. Flussonic has no problems with this kind of attack.
The SSH port is a target for password brute-forcing, so it is possible to gain unauthorized access to the server through this port. The most reliable way to solve this problem is to remove this port from the public address. If the server has more than one interface, you can bind SSH to the IP address of the internal interface. After that, access from outside will be closed. This eliminates one important problem: people will stop trying to connect to it via the Internet.
If this solution does not work for you, there is an alternative method: remove sshd from the public interface.
It is also possible to use the firewall to restrict the list of IP addresses from which connections are accepted.
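
A check for the end state described above, as an added example that is not part of the original page or of Flussonic's tooling: it reads `ss -H -tln` output and reports any TCP listener that breaks the three-port policy (80 and 443 public, 22 only on an internal address). The function name, the sample lines and the definition of "internal" (loopback or RFC 1918 space) are assumptions.

```shell
#!/bin/sh
# Added example (not Flussonic tooling). Reads `ss -H -tln` output on stdin and
# reports TCP listeners that break the policy above: 80/443 may be public,
# 22 must sit on an internal address, nothing else should be reachable.
# Assumption: "internal" means loopback or RFC 1918 space; adjust as needed.
audit_listeners() {
    awk '
    function internal(a) {
        return a ~ /^127\./ || a ~ /^10\./ || a ~ /^192\.168\./ ||
               a ~ /^172\.(1[6-9]|2[0-9]|3[01])\./ || a == "[::1]"
    }
    {
        la = $4                                   # Local Address:Port column
        port = la; sub(/.*:/, "", port)
        addr = la; sub(/:[^:]*$/, "", addr)
        sub(/%.*$/, "", addr)                     # drop %iface scope suffix
        if (internal(addr)) next                  # not exposed publicly
        if (port == "80" || port == "443") next   # Flussonic HTTP ports
        if (port == "22") print "SSH_PUBLIC " la
        else              print "UNEXPECTED " la
        bad = 1
    }
    END { exit bad + 0 }
    '
}

# Constructed sample, shaped like `ss -H -tln` output before hardening.
SAMPLE='LISTEN 0 511  0.0.0.0:80        0.0.0.0:*
LISTEN 0 511  0.0.0.0:443       0.0.0.0:*
LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
LISTEN 0 244  [::]:5432         [::]:*'

printf '%s\n' "$SAMPLE" | audit_listeners || echo "policy violations found"
# On a live server: ss -H -tln | audit_listeners
```

The function exits non-zero when it finds a violation, so it can gate a deployment step or a periodic check after sshd has been moved to the internal interface.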