Fred Stluka via plug on 24 Mar 2021 14:01:04 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Web Ass Pfirewall

+1 for "block everything and only allow what needs to get in."

That's really easy to do on an AWS server.  The AWS Web console
allows you to add/remove IP addresses on the fly.  So, you can
set it up initially to allow SSH only from the work and home
addresses of your team, but can easily add an additional IP
address temporarily when any of you need it.  Without needing
a way to get in to the server to update its iptables rules.

It also makes sense to block all access to your DB server except
from your web server, and various other combinations.

IPSET sounds useful.  One more thing to add to my bag of tricks.

AWS "security groups" provide some of the features of IPSET.
For example, you once you've defined named groups of servers
like "WebServers" and "DbServers", you can grant access from all
WebServers to port 3306 (MySQL/MariaDB) or 5432 (PostgreSQL)
on all DbServers, without having to list the IP addresses.

Fred Stluka -- -- Glad to be of service!
Open Source: Without walls and fences, we need no Windows or Gates.

On 3/17/21 11:19 PM, Robert via plug wrote:
To be honest, why are you leaving a dev server open on the internet? I also have a vps but I don't need anyone accessing it and if I did I would add their IP Address to the firewall to allow it. Simple solution is to block everything and only allow what needs to get in.

I use IPTABLES with IPSET for this.  If I need to add anyone I just add them to IPSET no need to change/add/remove rules from the firewall.  Presently the only IP's allowed are works public IP and my home IP.

On 17/03/2021 16:29, Ron Mansolino via plug wrote:
I have a vps that I don't do too much with, essentially a dev server.

Because it sits out on the net it logs an unwieldy number of intrusion attempts and nosey infogathering requests.

I've been manually filtering these with iptables, but that isn't scaling well (and it's impossible to block cloud services that continually allocate new netblocks). I'd like to block all of AWS, GCP, etc, but it's like playing whack-a-mole. I could use some suggestions for a WAF that I won't eventually have to pay for.

also, did the posting rules change here? I don't check here often, and things aren't working as I expect them to.

Philadelphia Linux Users Group         --
Announcements - General Discussion  --

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --