I’ve been running my server without a firewall for quite some time now, I have a piped instance and snikket running on it. I’ve been meaning to get UFW on it but I’ve been too lazy to do so. Is it a necessary thing that I need to have or it’s a huge security vulnerability? I can only SSH my server from only my local network and must use a VPN if I wanna SSH in outside so I’d say my server’s pretty secure but not the furthest I could take it. Opinions please?
I have about 20 services on my machine so I’m going to need to open a ton of ports (ssh, SSL, multiple higher number ports since some services require several ports). At that point, what is the point of a firewall if so many ports are open? With so many ports open, it seems like a firewall doesn’t add much security vs the complexity it adds.
Sounds like you could use a reverse proxy.
That doesn’t count as a firewall though no? I use traefik as my reverse proxy (and like one thing on nginx that also goes through traefik ultimately) but I still put crowdsec on top
No, but putting a bunch of those services behind a reverse proxy would lower the amount of open ports. It would also have the side effect of making firewall configuration easier, since you don’t need rules for all those ports anymore.
True, I love not having to open ports anymore, game changing.
If someone exploits a service on the machine they can then connect outside that machine on any port. Ufw would prevent this. The router firewall would also likely prevent this unless they used an open port of the router or upnp was enabled.
I recommend fail2ban to stop the automated attacks that are the background noise of the internet. It will set your firewall to block certain ip’s for a while, especially ports 21/22 are getting hammered with dictionary login attempts. And port 80 and 8080 for example get constantly version checked to see if you are vulnerable with an old apache, old dokuwiki etc, so don’t expose more than you need to and maybe learn about ssh tunnels and close a few.
I once installed ossim in a small network with a server and it showed me it is war out there, scripts flying everywhere.
Also get rid of password authentication if you can.
My server is only available on my LAN and via a VPN. Is fail2ban applicable? Or is it mainly for public facing servers?
Only public facing ports, maybe your openvpn login. But that means you are already firewalled up and your attack surface is tiny, good 👍