Firewall - what's best, CSF or cloud firewall?

myhken

Hello.

Just started using cloud hosting with iwStack.com and I'm now done with lots of testing around deploying of servers, snapshots, templates etc etc.

I know one of the best thing with using iwStack cloud, is the isolated networks, firewall, load balancing, fail-over, IPsec VPN etc.

Today I using the CSF firewall on all my VPS servers. I only allow a few numbers of ports on my servers. it's pretty simple since I never use any mail or DNS on them, only HTTP, SSH (not using port 22) and FTP.

Still, will I benefit of using the cloud firewall on my servers? It will cost more money, since I need a Virtual Router for private network that they charge €4.32/mo for. (not sure if thats only for the private network and a firewall, or if I have to pay €4.32 per server connected to my Virtual Router)

What do you think? Is CSF good enough for my servers?

dedicados

Cloud firewall is a service from iwstack? or you get it from other place?

myhken

@dedicados said:
Cloud firewall is a service from iwstack? or you get it from other place?

It's one of the features of using iwStack cloud. So it will only work on my servers that I have in the cloud, not my servers with other hosts.

pbalazs123

CSF is an awesome stuff.

MrObvious

csf..isn't...a....firewall.....

ErawanArifNugroho

How about using it both? Cloud firewall for securing/opening only specific port from the iwstack, and adding csf for banning the failed login?

dedicados

CSF can secure/open/close only some ports, and have many more stuff...

failed logins, port scan, block whole country, pop3/imap protection, etc..

i have been use them for many years and works great.

myhken

@ErawanArifNugroho said:
How about using it both? Cloud firewall for securing/opening only specific port from the iwstack, and adding csf for banning the failed login?

Thats what I'm asking about, is it really worth the extra price using a network firewall on top of CSF? Or do CFS do a so good work, that I don't need to pay for any extra?

MassNodes

Why has no one recommended Vyatta yet?

ErawanArifNugroho

@myhken said:
Thats what I'm asking about, is it really worth the extra price using a network firewall on top of CSF? Or do CFS do a so good work, that I don't need to pay for any extra?

Well, when I'm using iwstack, I just use the firewall to limit the opened port, and restrict access to only specified IP address. While it's still vulnerable to ddos or anything that tried to bruteforce, I just use csf for extra security.

The firewall in the iwstack is comes as free.

budi1413

@MrObvious said:
csf..isn't...a....firewall.....

It's a management script for iptables.

bobby

The virtual router isn't just for firewalling.

Remember that you don't pay for public ipv4 for instances deployed within your own lan, so if you have a few, you will actually save some money by using it.

Babah

@MrObvious said:
csf..isn't...a....firewall.....

correct! its configserver security & firewall

hdpixel

This is what CSF is doing for me while I sleep. mod_sec + csf =

Time:     Sun Jan  5 08:07:42 2014 -0800

IP:       217.69.133.236 (RU/Russian Federation/fetcher4-3.p.mail.ru)

Failures: 5 (mod_security)

Interval: 3600 seconds

Blocked:  Temporary Block

Log entries:

[Sun Jan 05 08:00:00 2014] [error] [client 217.69.133.236] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W?\\/c)|d(?:\\b\\W?[\\\\/]|\\W?\\.\\.)|hmod.{0,40}? ..." at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "146"] [id "1234123446"] [msg "System Command Injection"] [data "; mail"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"] [hostname "www.domain-name-removed.com"] [uri "/file.htm"] [unique_id "UsmBgMC4WcAAADFTP04AAAAJ"]