Before we start with the steps involved in configuring a firewall in Linux, let’s first make sure we understand what a firewall is and how it works.

Understanding what a firewall is and how it works:

A firewall is a program that surrounds the interface between a private network and the rest of the big and (usually) bad internet. You can think of the firewall as a gateway. It follows pre-configured rules that allow certain traffic to pass through from the internet to the private network and blocks those that are unwanted and potentially harmful.

Why do I need to configure a firewall for my Linux machine? Isn’t it safer than most other server OSs?

If you have a Linux machine, you are guaranteed a certain level of security by default, courtesy of the amazing Linux developer community. Linux systems are generally unaffected by many of the viruses and other threats that other operating systems succumb to. But with the increase in the volume, variety and intensity of cyber threats today, configuring a Linux firewall is quite a necessity.

A step-by-step guide on how to configure firewall in Linux:

Step 1: Beef-up basic Linux security:

Although this post is about firewall configuration, the first step is to make sure the firewall sits on a fully patched Linux machine. To do this, ensure you have all the latest security updates installed for your version of Linux.

Step 2: Decide how you want to protect your server:

While iptables is where the Linux community generally turns to configure a firewall, there are easier options that are also free to use. Here are some that we would recommend:

1. ClearOS:

- ClearOS is extremely easy to use. It is suitable for those who prefer an easy-to-follow UI and also for geeks who would like to talk to it through the command-line interface.

- After a roughly 10-minute installation, you are asked to reboot and are given all the information and support required to manage your firewall as easily as possible.

2. OPNsense:

- OPNsense offers several advanced features not usually found in free firewalls, such as a forward caching proxy and intrusion detection.

- It supports the use of OpenVPN. To know how useful OpenVPN is, read more here.

- It uses an inline Intrusion Prevention System, a powerful form of deep packet inspection. Here, instead of just blocking an IP address or port, the firewall inspects individual data packets or connections and, if they are found to be malicious, stops them before they reach their destination.

3. ConfigServer Firewall (CSF):

- CSF is an advanced firewall suite for Linux systems. Its Login Failure Daemon (LFD) process regularly scans for failed login attempts (brute-force attacks) on your server and quickly takes action against the offending IP addresses.

- CSF can be managed through the command-line interface, and its front-end is accessible to the root account through cPanel, DirectAdmin and Webmin, which makes configuring and managing the firewall very simple.

IPTABLES:

Understand Iptables and how it works:

The Linux kernel can filter incoming and outgoing packets using a filtering tool known as iptables. iptables decides which packets may come in and go out based on the rules it has been configured with.

First, how to configure the firewall manually:

Working with iptables manually can be complicated. We have a quicker alternative at the bottom of this section that you can try. Read on for more.

Step 1: Install iptables:

iptables is pre-installed on almost every Linux distribution. If it is missing, you can install the package with this command (on Debian- or Ubuntu-based systems):

sudo apt-get install iptables

Step 2: Discover what iptables is already configured to do by default:

Run the following command to list the current rules:

iptables -L

Step 3: Decide whether to modify the existing rules or start afresh:

To start afresh, run this command. It removes all rules from the filter table but leaves the default chain policies unchanged:

iptables -F

Step 4: Decide which traffic to drop:

First, drop malformed TCP packets commonly used in scans and floods by running the following commands:

Block XMAS packets: iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Block null packets: iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Block SYN-flood packets: iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Step 5: Decide which firewall ports to leave open:

Here are some ports you could decide to leave open:

For outgoing connections:

  • 80/tcp for HTTP
  • 53/udp for DNS
  • 443/tcp for HTTPS (secured HTTP)
  • 21/tcp for FTP (File Transfer Protocol)
  • 465/tcp for SMTP (send emails)
  • 25/tcp for Insecure SMTP
  • 22/tcp for SSH (secure connection from computer to computer)
  • 993/tcp&udp for IMAP (receive emails)
  • 143/tcp&udp for Insecure IMAP
  • 9418/tcp for GIT (version control system)

For Incoming connections:

  • 993/tcp&udp for IMAP (receive emails)
  • 143/tcp&udp for Insecure IMAP
  • 110/tcp for POP3 (old way to receive emails)
  • 22/tcp for SSH (secure connection from computer to computer)
  • 9418/tcp for GIT (version control system)

Step 6: Save your firewall configuration

Type the following commands to review the rules you have configured, save them, and restart your firewall. The save path and service name shown are those of RHEL/CentOS; on Debian and Ubuntu the iptables-persistent package loads rules from /etc/iptables/rules.v4 instead:

iptables -L -n

iptables-save | sudo tee /etc/sysconfig/iptables

service iptables restart
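The manual procedure in Steps 3 to 6 can also be expressed as a single iptables-restore ruleset, which the kernel loads atomically, so there is no window in which the chains are half-built. The script below is an added example and not code from the original post. It only prints the ruleset for review; it never calls iptables itself. It assumes a server with default-deny policies in both directions, which the port lists in Step 5 imply but the post does not spell out, and it uses the port lists from Step 5 as its input.

```shell
#!/bin/bash
# Added example, not code from the original post: generate an iptables-restore
# ruleset that implements Steps 3 to 6 above in one atomic load instead of a
# sequence of "iptables -A" calls.  Nothing here touches the live firewall;
# the script only prints the ruleset so it can be reviewed before loading.
set -eu

# Services to admit, as port/proto tokens, taken from the lists in Step 5.
# Assumption: the machine is a server, so the default policy is DROP both ways
# and only these ports (plus replies to accepted connections) are open.
INCOMING="22/tcp 110/tcp 143/tcp 143/udp 993/tcp 993/udp 9418/tcp"
OUTGOING="21/tcp 22/tcp 25/tcp 53/udp 80/tcp 143/tcp 143/udp 443/tcp 465/tcp 993/tcp 993/udp 9418/tcp"

# emit_accepts CHAIN "PORT/PROTO ..." -> one ACCEPT rule per token on stdout.
# Malformed tokens abort the run rather than producing a rule that fails (or
# opens more than intended) at load time.
emit_accepts() {
    local chain="$1" tokens="$2" tok port proto
    for tok in $tokens; do
        port="${tok%/*}"
        proto="${tok#*/}"
        case "$proto" in tcp|udp) ;; *) echo "bad token: $tok" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "bad token: $tok" >&2; return 1 ;; esac
        printf -- '-A %s -p %s --dport %s -m state --state NEW -j ACCEPT\n' \
            "$chain" "$proto" "$port"
    done
}

# gen_ruleset -> complete iptables-restore input for the filter table.
gen_ruleset() {
    cat <<'EOF'
*filter
# Default-deny policies; these survive a later "iptables -F" (Step 3).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback, and replies belonging to connections already accepted.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Step 4: malformed TCP (XMAS, NULL, and new connections that are not SYN).
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
EOF
    emit_accepts INPUT "$INCOMING"
    emit_accepts OUTPUT "$OUTGOING"
    echo COMMIT
}

# Print the ruleset for review.  To apply it (Step 6), as root:
#   gen_ruleset > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
gen_ruleset
```

Because 22/tcp is in INCOMING, the ruleset keeps an existing SSH session alive through the ESTABLISHED rule and still admits new ones; if you remove it, load the ruleset from a console rather than over SSH. The OUTPUT policy is DROP, so any service the host itself needs (for example NTP, or DNS over TCP) must be added to OUTGOING before loading.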

Tools to assist you with the iptables configuration:

If this is too complicated for you, you can use tools such as fwbuilder or UFW. Here, we will run you through UFW (Uncomplicated Firewall).

UFW is a front-end for iptables that makes configuring the firewall easier while still using iptables underneath.

Step 1: Type this command into the terminal to install UFW:

# apt-get install ufw

Step 2: Next, enable the firewall:

# ufw enable

Step 3: Set the default policies:

# ufw default deny incoming
# ufw default allow outgoing

This denies all incoming connections and allows all outgoing ones. To specify which incoming connections to allow, do the following:

Step 4: Allow specific connections. For example, SSH:

# ufw allow ssh

Step 5: Confirm that the firewall is active and your rules have been saved:

# ufw status verbose

Rules may be deleted with the following command:

# ufw delete allow ssh

There! Hope we’ve made this process an easy-to-follow guide for you to configure firewall in Linux.

At ResellerBytes, our primary objective has always been to provide you with powerful, secure and robust hosting solutions. For products such as Shared Hosting, we take the utmost care to ensure maximum server-level security and redundancy; for products such as Dedicated Servers and VPS, we ensure network-level security while OS-level control lies in your hands.

Let’s start by first understanding the basic concepts of a web server. A web server, simply put, is a computer host configured and connected to the internet for serving web pages on user requests. Since web servers are open to public access and often contain critical information, it is important to shield them from hackers.

Although Linux-based operating systems are relatively more secure and include built-in security mechanisms such as SELinux, a small vulnerability or bug can give a hacker easy access to your system. Keeping this in mind, we’ve put together a comprehensive set of steps that you can take to mitigate the risk of getting hacked.

1) Always stay up to date

A great way to ensure maximum server security at all times is to keep your system up to date with the latest bug fixes or the latest version of your Operating System. A good way to keep track of update announcements is to sign up for email alerts. CentOS and Ubuntu have a security mailing list where all security and vulnerability fixes are discussed and released.

2) Verify Permissions

It is essential to review permission settings to ensure that a server remains secure. Certain files, such as /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow, contain critical user, password and group information. These files have a greater chance of being targeted by malicious attacks.

Several utilities require read access to the passwd file to function properly. Read access to the shadow file, however, would allow attacks against system passwords and should never be enabled.

Below are the default permissions and owners that should be set for these files.

# cd /etc
# chown root:root passwd shadow group gshadow
# chmod 644 passwd group
# chmod 400 shadow gshadow

3) Find unauthorized World Writable files

The following command discovers and prints any world-writable files in local partitions. Run it once for each local partition (replace /tmp with the partition’s mount point):

# find /tmp -xdev -type f -perm -0002 -print

If this command produces any output, fix each reported file using the command:

# chmod o-w file

Data in world writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.

It is generally a good idea to remove global (other) write access to a file when it is discovered. However, it is always advisable to check relevant documentation for applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account.

4) Set the sticky bit on World Writable directories

Setting the sticky bit prevents users from removing each other’s files. When a sticky-bit is set on a directory, only the owner of a given file is given the right to remove it from the directory. Without the sticky bit, any user with write access to a directory can remove any file from it.

Use the following command to discover and print any world-writable directories that do not have their sticky bit set:

# find /tmp -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

If this command produces any output, fix each reported directory /dir using the command:

# chmod +t /dir

In cases where there is no reason for a directory to be world writable, a better solution is to remove that permission rather than to set the sticky bit.
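Items 2, 3 and 4 above are all checks that are worth repeating on a schedule rather than running once by hand. The script below is an added example, not code from the original post: it wraps the three checks as read-only functions that report findings without changing anything, so the output can be reviewed before any chown or chmod is issued. Each function takes the directory to inspect as an argument, so the same code can be exercised against a scratch tree as well as against the real /etc and local partitions; the OWNER:GROUP parameter of audit_account_files defaults to root:root as the post specifies.

```shell
#!/bin/bash
# Added example, not code from the original post: a read-only audit covering
# items 2, 3 and 4 above.  It reports problems instead of fixing them, so it can
# run from cron and the findings reviewed before any chown/chmod is issued.
set -u

# check_file FILE MODE OWNER:GROUP -> prints an OK/BAD/MISSING line; non-zero on mismatch.
# find's "-perm MODE" (no leading - or /) is an exact match, so a stray setuid or
# world-write bit also counts as a mismatch.
check_file() {
    local file="$1" mode="$2" owner="${3%%:*}" group="${3##*:}"
    [ -e "$file" ] || { echo "MISSING $file"; return 1; }
    if [ -n "$(find "$file" -perm "$mode" -user "$owner" -group "$group" -print)" ]; then
        echo "OK      $file"
    else
        echo "BAD     $file: want $mode $owner:$group, have $(ls -ld "$file" | awk '{print $1, $3 ":" $4}')"
        return 1
    fi
}

# audit_account_files ETCDIR [OWNER:GROUP] -> the table from item 2; non-zero if any file is wrong.
audit_account_files() {
    local etc="$1" owner="${2:-root:root}" fails=0
    check_file "$etc/passwd"  644 "$owner" || fails=$((fails + 1))
    check_file "$etc/group"   644 "$owner" || fails=$((fails + 1))
    check_file "$etc/shadow"  400 "$owner" || fails=$((fails + 1))
    check_file "$etc/gshadow" 400 "$owner" || fails=$((fails + 1))
    [ "$fails" -eq 0 ]
}

# find_world_writable_files ROOT -> item 3, limited to ROOT's own filesystem (-xdev).
find_world_writable_files() {
    find "$1" -xdev -type f -perm -0002 -print 2>/dev/null
}

# find_unsticky_dirs ROOT -> item 4: world-writable directories lacking the sticky bit.
find_unsticky_dirs() {
    find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null
}

# Usage on a live system (run as root so find can descend everywhere), with one
# call per local partition as item 3 advises:
#   audit_account_files /etc
#   for mp in / /tmp /var /home; do
#       find_world_writable_files "$mp"
#       find_unsticky_dirs "$mp"
#   done
```

Because the functions only print, a cron job can mail their output and an administrator can decide per file whether to remove the world-write bit, set the sticky bit, or leave an application's documented exception alone, which is the judgement item 3 calls for.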

5) Enable ExecShield

ExecShield helps in reducing the risk of worm or other automated remote attacks. It comprises a number of kernel features to provide protection against buffer overflows. These features include random placement of the stack and other memory regions and special handling of text buffers.

To ensure ExecShield (including random placement of virtual memory regions) is activated at boot, add or correct the following settings in /etc/sysctl.conf (without a leading #, which would turn them into comments). Note that kernel.exec-shield is a Red Hat-specific setting; on kernels that do not provide it, sysctl reports an unknown key and the NX and address-space randomisation support built into the mainline kernel applies instead:

kernel.exec-shield = 1

kernel.randomize_va_space = 1

6) Configure sudo to improve auditing of root access

The sudo command allows fine-grained control through which users can execute commands using other accounts. The primary benefit associated with the configuration of sudo is that it provides an audit trail of every command run by a privileged user. It is possible for a malicious administrator to circumvent this restriction, but, if there is an established procedure that all root commands are run using sudo, then it is easy for an auditor to detect unusual behavior when this procedure is not followed.
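The audit trail described above only has value if someone reads it. The script below is an added example, not code from the original post: it parses the records sudo and su write to the system log (/var/log/auth.log on Debian and Ubuntu, /var/log/secure on RHEL-family systems), lists every command that sudo allowed, and separately flags the two things an auditor wants to see, namely denied sudo attempts and interactive su to root, which leaves no per-command trail. The log lines in SAMPLE_LOG are constructed for this example; the hostnames, users and commands in them are not from the post.

```shell
#!/bin/bash
# Added example, not code from the original post: summarise the sudo audit trail
# that item 6 relies on, and flag ways around it.  SAMPLE_LOG is constructed.
set -u

SAMPLE_LOG='Mar  3 10:01:12 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:02:40 web1 sudo:      bob : TTY=pts/1 ; PWD=/srv ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:03:05 web1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/srv ; USER=root ; COMMAND=/bin/bash
Mar  3 10:05:50 web1 su: (to root) carol on pts/2
Mar  3 10:06:01 web1 sshd[2201]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2'

# sudo_commands < log -> "user<TAB>target<TAB>command" for each command sudo allowed.
# The "KEY=value ; KEY=value" layout is sudo's own log format; "sudo[pid]:" is
# also accepted because some syslog setups include the PID.
sudo_commands() {
    awk -F' ; ' '
        / sudo(\[[0-9]+\])?: / && !/command not allowed/ {
            user = $1
            sub(/.* sudo(\[[0-9]+\])?: +/, "", user)
            sub(/ : .*/, "", user)
            target = ""; cmd = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^USER=/)    target = substr($i, 6)
                if ($i ~ /^COMMAND=/) cmd = substr($i, 9)
            }
            printf "%s\t%s\t%s\n", user, target, cmd
        }'
}

# privilege_bypasses < log -> lines an auditor should look at: denied sudo
# attempts, and su sessions to root (Debian "(to root)" and RHEL pam_unix styles).
privilege_bypasses() {
    awk '
        / sudo(\[[0-9]+\])?: / && /command not allowed/ { print "DENIED-SUDO  " $0; next }
        / su(\[[0-9]+\])?: / && (/\(to root\)/ || /session opened for user root/) { print "SU-TO-ROOT   " $0 }'
}

# Usage on a live system:
#   sudo_commands < /var/log/auth.log | sort | uniq -c | sort -rn
#   privilege_bypasses < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | sudo_commands
printf '%s\n' "$SAMPLE_LOG" | privilege_bypasses
```

Run daily, the first report shows which privileged commands are routine and which are new; the second is where the "established procedure" the post mentions is checked, because an administrator who switches to su or repeatedly hits denied sudo attempts is exactly the unusual behaviour an auditor should notice.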

7) Set Strict password requirements

Setting more stringent password requirements can be an additional measure taken to step up server security.

User passwords should be strengthened with the PAM module, which can be configured to require at least one uppercase character, lowercase character, digit and other (special) character.

You can modify your password requirements by following the steps listed below:

Locate the following line in /etc/pam.d/system-auth:

password requisite pam_cracklib.so try_first_pass retry=3

and then alter it to read (placing the text on one line):

password required pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1

You may also modify the arguments to ensure compliance with your organization’s security policy. Note that the password quality requirements are not enforced for the root account.

8) Install LFD and Config Server Firewall

ConfigServer.com has created a script which by default blocks all ports and provides you the opportunity to allow usage of only those ports on which you have applications running.

Download and install these scripts from configserver.com

Open the CSF configuration file /etc/csf/csf.conf and modify the lines below to suit your requirements:

# Allow incoming TCP ports
TCP_IN = "22,80"

# Allow outgoing TCP ports
TCP_OUT = "22,25,80"

In the example I have allowed port 22 for ssh, port 80 for http and only outgoing for port 25 since I do not want any other server or client using my server for sending emails.

Also modify the line below to your email address:

LF_ALERT_TO = "<your email address>"

Along with the firewall, LFD will also be installed. LFD is a daemon which scans log files and blocks IP addresses trying to brute force your server.

You can whitelist your IP address in /etc/csf/csf.ignore. Please use caution while executing the above commands and if possible test changes on a demo server.

In addition to the above mentioned security measures, we have introduced SiteLock – a powerful, cloud-based, website protection service that works as an early detection alarm for common online threats like malware injections, bot attacks etc. Stay tuned to our blog for more details.

We hope you found this article useful. Feel free to start a conversation about your take on this post in the comments below. We would love to know your take on this topic!
