Is Firewall configuration through ISPConfig3 sufficient?

Discussion in 'Installation/Configuration' started by Nap, Jul 24, 2014.

  1. Nap

    Nap Member

    [Ubuntu 14.04LTS using The Perfect Server - Ubuntu 14.04 (Apache2, PHP, MySQL, PureFTPD, BIND, Dovecot, ISPConfig 3) guide]

    I have set up the ports in ISPConfig 3.0.5.4p1 and see the settings reflected in iptables -L. But when I followed the 10.04 Perfect guide, I included a number of other rules in the iptables.firewall.rules file, which specified logging parameters.

    1) Is it necessary to have these additional rules set up to have good visibility of events for managing the security of the server (there are some LOG related entries when I run 'iptables -L')?

    2) Are IP6 firewall settings also configured through ISPConfig?

    3) my.cnf, (on page 4 of the guide) suggests to comment out the "bind-address = 127.0.0.1" line. Since port 3306 is not being blocked by default, the MySQL server is open to the internet.
    (a) is this a good idea?
    (b) in the Ubuntu 10.04 LTS guide, the 'bind-address' was not commented out, and I had port 3306 closed to the internet.

    4) Any other comments on setting up the firewall?

    Cheers,
    Nap

    Here is my list of rules from back then:
    Code:
    *filter
    
    #  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
    -A INPUT -i lo -j ACCEPT
    -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
    
    #  Accept all established inbound connections
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    #  Allow all outbound traffic - you can modify this to only allow certain traffic
    -A OUTPUT -j ACCEPT
    
    #  Allow FTP (21), SMTP (25), HTTP (80), POP3 (110) and HTTPS (443) connections from anywhere.
    -A INPUT -p tcp --dport 21 -j ACCEPT
    -A INPUT -p tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 110 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT
    
    #  Allow SSH connections
    #
    #  The --dport number should be the same port number you set in sshd_config
    #
    -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
    
    #  Allow ping
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    
    #  Log iptables denied calls
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    
    #  Reject all other inbound - default deny unless explicitly allowed policy
    -A INPUT -j REJECT
    -A FORWARD -j REJECT
    
    COMMIT
     
    Last edited: Jul 24, 2014
  2. srijan

    srijan New Member HowtoForge Supporter

    Refer thread

    We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1.

    Even in the perfect server guide Ubuntu 10.04 we had made the settings to listen on the internet.

    And for blocking IPs/port you can use Fail2ban.
     
  3. Nap

    Nap Member

    Thanks Srijan for the IPv6 link.

    WRT (3) I actually followed a combination of the Perfect Guide and a guide my VPS hoster provided. On my server I have no need for external access to my database, therefore I've blocked 3306 in my firewall. All my applications work fine.

    Cheers,
    Nap
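
The exposure question raised in point (3) can be checked offline against a saved ruleset. The Python below is an added example, not part of the thread or of ISPConfig: it walks the INPUT chain first-match for a new TCP connection and combines the verdict with the `bind-address` setting. The function names and the `my.cnf` fragment are constructed for illustration; it assumes numeric ports, treats rules restricted by `-s`/`-d` or `-i lo` as not applying to an arbitrary internet host, and takes the chain policy as ACCEPT unless the dump says otherwise.

```python
import re

# The thread's ruleset with comments stripped; MY_CNF_OPEN is a constructed sample.
THREAD_RULES = """*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
"""
MY_CNF_OPEN = "[mysqld]\nport = 3306\n#bind-address = 127.0.0.1\n"

def port_match(line, port):
    m = re.search(r"--dports? (\S+)", line)
    if not m:
        return True                      # rule has no port restriction
    for part in m.group(1).split(","):   # multiport lists and lo:hi ranges
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def input_verdict(rules, port, policy="ACCEPT"):
    """First-match verdict for a NEW TCP connection from an internet host."""
    for line in map(str.strip, rules.splitlines()):
        if line.startswith(":INPUT "):
            policy = line.split()[1]     # e.g. ":INPUT DROP [0:0]"
        if not line.startswith("-A INPUT "):
            continue
        target = re.search(r"-j (\w+)", line)
        proto = re.search(r"(?<!\S)-p (\w+)", line)
        state = re.search(r"--(?:ct)?state (\S+)", line)
        if (not target or target.group(1) not in ("ACCEPT", "REJECT", "DROP")  # LOG falls through
                or re.search(r"(?<!! )-i lo\b|(?<!\S)-[sd] ", line)  # loopback or address-scoped
                or (proto and proto.group(1) not in ("tcp", "all"))
                or (state and "NEW" not in state.group(1).split(","))
                or not port_match(line, port)):
            continue
        return target.group(1)
    return policy

def mysql_internet_reachable(rules, my_cnf, port=3306):
    m = re.search(r"^\s*bind[-_]address\s*=\s*(\S+)", my_cnf, re.M)
    all_ifaces = m is None or m.group(1) not in ("127.0.0.1", "::1", "localhost")
    return all_ifaces and input_verdict(rules, port) == "ACCEPT"
```

On a live server, feed it the output of `iptables-save` and the real `/etc/mysql/my.cnf`; the result covers IPv4 only, so IPv6 rules need the same check separately.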
     
