Firewall on VPS
Dolingo Member
edited February 2012 in General

Hello:

I'm a newbie and I would like to secure my VPS. I haven't seen many discussions about enabling a firewall in the VPS. Just modify SSH, and keep only required services. Is this correct?
But for me not using a firewall is risky. Can you please share your thoughts about this topic?

Comments

  • Iptables is firewall

  • Well, You can use SSH Keys or add a firewall rule in IPTables to allow a select number of IPs into port 22.

    Alternatively if you have a dynamic IP Address you can change the SSH Port and run a firewall like CSF to notify you of bruteforce attacks etc...

  • For what do I need a firewall? I would only bind the services I need to a public port...

    And does only using ssh-keys prevent bruteforce monitoring?

  • @Amfy said: For what do I need a firewall? I would only bind the services I need to a public port...

    Indeed. The only thing that I may block is the icmp lol, and maybe some rules with the module "recent" for the DoS stuff.

  • Iptables on KVM/Xen/VMware is easy. Iptables on OpenVZ is a royal pain.

    Because there are no kernel modules in an OpenVZ container, you have to open a support ticket to get them installed and usable on the host system. And they have to configure and install the exact modules you want, so it may take a few attempts to get all the modules you want/need installed and available.

    Then there's the fact that all OpenVZ containers share the system time with the host, so you aren't allowed to configure your container for accurate time keeping.

    And don't expect to just cut 'n' paste some firewall script into your container as OpenVZ doesn't support the standard ethn network interfaces.

  • So without IPtables, which are your choices in an OpenVZ VPS?

  • Hm.. I didn't have any trouble with iptables .. appears to be working. I'm with AlienVPS. I didn't have to open any tickets.. it just works. I just followed a guide like this.

    https://support.eapps.com/index.php?/Knowledgebase/Article/View/125/1/user-guide---using-iptables-to-enhance-security-of-your-vps

  • I've had openvz servers with 7 different hosting companies, and iptables worked on every one of them without me having to ask for any extra modules to be installed. I don't know if they had all the various netfilter modules installed but the basic iptables stuff is pretty standard.

    openvz uses venet0 instead of eth0, but that's not a big deal.
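The rules discussed in the thread (allow SSH only from a handful of addresses, use the "recent" match to slow down bruteforce attempts, and use venet0 instead of eth0 on OpenVZ) fit in one small script. The example below is added here and is not code from any poster or from the linked guides; it only prints the iptables commands so it can be reviewed and tested before being piped to sh on the VPS. The interface name, the port and the allowlisted addresses (203.0.113.10 and 198.51.100.7 are constructed sample values) are passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables INPUT ruleset:
#  - loopback and established traffic are accepted,
#  - SSH is accepted from an allowlist of source addresses,
#  - everyone else may open at most 4 new SSH connections per 60 s
#    (the "recent" match drops the fifth and later), for dynamic-IP users,
#  - the default policy becomes DROP, set last so an active SSH session
#    is not cut while the rules are being loaded.
# Pass "venet0" on OpenVZ, "eth0" on KVM/Xen/VMware.

# gen_rules IFACE SSH_PORT "IP1 IP2 ..."   -> prints iptables commands
gen_rules() {
    iface=$1; port=$2; allow=$3
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Allowlisted sources bypass the rate limit entirely.
    for ip in $allow; do
        echo "iptables -A INPUT -i $iface -p tcp -s $ip --dport $port -j ACCEPT"
    done
    # Record every new SSH attempt under the name SSH, then drop a source
    # that has made 5 or more attempts within the last 60 seconds.
    echo "iptables -A INPUT -i $iface -p tcp --dport $port -m state --state NEW -m recent --set --name SSH"
    echo "iptables -A INPUT -i $iface -p tcp --dport $port -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP"
    echo "iptables -A INPUT -i $iface -p tcp --dport $port -j ACCEPT"
    echo "iptables -P INPUT DROP"
}

# count_rules IFACE SSH_PORT "IP1 IP2 ..." -> number of "-A INPUT" rules emitted
count_rules() {
    gen_rules "$@" | grep -c '^iptables -A'
}

# Usage: IFACE=venet0 SSH_PORT=22 ALLOW="203.0.113.10 198.51.100.7" sh fw.sh | sh
if [ -n "${IFACE:-}" ]; then
    gen_rules "$IFACE" "${SSH_PORT:-22}" "${ALLOW:-}"
fi
```

Run it once without piping to sh and read the output; the only OpenVZ-specific part is the interface name, and if the provider has not enabled the `recent` module on the host node the two `-m recent` lines are the ones that will fail to load.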

  • So without IPtables, which are your choices in an OpenVZ VPS?

    I described Iptables on OpenVZ as a "royal pain", not impossible. Some vendors (like AlienVPS, as charliecron noted) will have already done the host-side configuration, while others will not.

    The problem with OpenVZ, in this as with so many other topics, is that you can't do it yourself. You are at the mercy of the vendor's techs, with their varying levels of familiarity with the subject on which you need their assistance.

  • Most iptables stuff works, except some advanced weird things lol.

  • or you can use this iptables script generator
    http://www.mista.nu/iptables/
    quite easy to understand

  • all my LEB VPS are centos 6 based. I use CSF firewall on my VPS http://configserver.com/cp/csf.html

  • @Dolingo what are you wanting to protect with the firewall? Surely you just need to secure your ssh.

  • @swsnyder said: Iptables on OpenVZ is a royal pain.

    Oh really? I have never had a problem using IPTables on an OVZ Container.

    @swsnyder said: Then there's the fact that all OpenVZ containers share the system time with the host, so you aren't allowed to configure your container for accurate time keeping.

    You are wrong about this... the OVZ Container's time is certainly based on the host clock, but you have the ability to set your own time, EASILY. Just create a symbolic link for the timezone you'd like your container to follow.

    @Dolingo, just use IPTables; it usually comes standard and is very easy to use.

  • @AsuraHosting said: You are wrong about this... the OVZ Container's time is certainly based on the host clock, but you have the ability to set your own time, EASILY. Just create a symbolic link for the timezone you'd like your container to follow.

    You are wrong, sir.

    Setting time has nothing to do with timezones, it's the unixtime we're talking about, and that can only be changed from host node. So if provider isn't running ntpd, well, bad luck.

  • @mina convince the provider to run ntpd.

  • @mina said: Setting time has nothing to do with timezones, it's the unixtime we're talking about, and that can only be changed from host node. So if provider isn't running ntpd, well, bad luck.

    What am I wrong about? Your response is not relevant to mine.

    As I stated, the OVZ Container is based on the host clock. I would expect, as a host, they would use rdate or ntpdate to accurately run their own automated processes on the host at selected times via cron, etc. So it should already be a given; else they are a kiddy host and really do not know what they are doing.

    I was responding to this:

    @swsnyder said: Then there's the fact that all OpenVZ containers share the system time with the host, so you aren't allowed to configure your container for accurate time keeping.

    You can easily change the timezone that you like for your individual container by providing a symbolic link.

    So I ask you, what was I wrong about?

  • mina Member
    edited February 2012

    Eh.

    I see you expect a lot, but you answered to accurate time keeping with timezones.

    @swsnyder said: Then there's the fact that all OpenVZ containers share the system time with the host, so you aren't allowed to configure your container for accurate time keeping.

    You answered to this with timezone nonsense, I corrected that you're wrong, which is the fact. Timezones have nothing to do with time keeping, do you agree?
    Now, if you do, we can agree that your initial response was false, and my response is really relevant when trying to lose all the false information.

    I'll add your initial response here, in case you forgot it.

    but you have the ability to set your own time, EASILY. Just create a symbolic link for the timezone you'd like your container to follow.

    And just for the sakes of it, ntpdate is deprecated! ntpd is preferred.

  • @mina,

    Read my 2nd response and understand it. That is all.

  • @eva2000 I am dumb and tl;dr; that CSF stuff. Is it a firewall not based on iptables? Or is it a frontend for it?

  • eva2000 Veteran
    edited February 2012

    CSF does frontend for iptables but does more including lfd

    see http://configserver.com/free/csf/readme.txt

  • @eva2000 Ty man

  • Spirit Member
    edited February 2012

    Is this your subtle way to find out if eva is a woman? :)

  • @Spirit said: Is this your subtle way to find out if eva is a woman? :)

    Oooops you got me... LOL

    No, http://vbtechsupport.com/ unless George is a Woman... xD

  • Is this your subtle way to find out if eva is a woman? :)

    hahaha lol
