A plea to all providers: firewall
I kindly request from all providers of LowEndTalk to please include a web firewall on the cloud service page.
Normally I would not request something like this, because customers have a duty to secure their own servers using Linux's "iptables", BSD's "pf" or other firewalls. However:
- not all customers know advanced networking with commands.
- Docker and other easily deployed containers alter the firewall rules in the kernel.
- Mythos AI already found thousands of zero-day vulnerabilities in operating systems. Considering other AI models will reach this capacity in a few months, the internet will turn into a roller-coaster simply because of how many personal projects are hosted on servers without a firewall.
Maybe a firewall in the client area will make it easier for customers to limit access towards ports for just their IP if needed (for example SSH and FTP). In my opinion this has become of extreme importance considering the days to come. AI is already making efforts so much easier for hackers, so maybe a firewall can make protection easier for customers. Maybe now is the time to think about the firewall approach more intensely. This is just a thought and a request.


Comments
I second and third this.
Well said
Yes, a web-based firewall should be a must now, as it is very easy to mess up iptables or nft for a beginner!!
Yeah, we (onidel) agree with this. We offer a built-in firewall at no cost for every VM.
As @default mentioned - it could be easier to manage than a firewall inside VM and it also doesn't interfere with Docker. Glad to see customers making use of it
I really like prebuilt templates for cloudflare, hetrix and all with @onidel makes using it much easier!!
Basically what you're saying is: when you are a beginner you can f___ up a firewall, so that has to be done by the host you're with.
But even then you can, as a beginner, f___ up lots of other things that can make similar or even more damage.
If you are clueless, are using ChatGPT for system maintenance, or have not outgrown your "my first Sony" VPS: don't start with an unmanaged service like a VPS. Start playing at home with an old computer and Linux. Buy a managed service if you are unsure of your capabilities.
Hmmmm, I think I'd veer the other way. IMHO you shouldn't be buying an unmanaged Linux server if you have no idea about the basics of security and aren't prepared to learn.
It'd be a good idea if some providers got together and came up with a standard set of recommendations of how to secure a Linux machine (maybe limited to a couple of distros) and just include a link to it with the login details e-mail telling people how to secure a server. That way people actually learn something, and honestly blocking SSH takes a few minutes to do yourself, and different people do it different ways for different reasons.
LOL...actually...old models found the same bugs. The whole "Mythos is so terrifyingly powerful" is marketing hype.
A problem here is that you're increasing the support burden for providers.
Automatic firewall = things don't work when someone follows a recipe they googled = tickets.
I agree.
Though on the other hand...don't some distros come with the firewalls turned on and active? I seem to recall some of those yucky rpm-based ones do. Providers could do the same with ufw/nft/whatever and Debian.
But ultimately, people need to learn the basics of being a sysadmin if they're going to be a sysadmin.
People who use FTP deserve to be hacked.
And really, what security is a firewall improving here? Certainly not ssh. If someone chooses a bad password, nothing will save them.
If you put in a firewall that blocks everything except 22 and 443, you've still got massive exposure from whatever web apps people put in.
Personally I use a firewall to lock a lot of my apps down so only certain IPs on my VPN can reach them, but your average new user isn't going to do that. You can also set up fail2ban, etc. to limit brutes but again, you've increased the educational requirements on the user.
I think a firewall in many cases is false security.
Maybe we should start issuing VPS licenses like driving licenses. Can't admin? Only shared hosting for you!
From my experience people want "host provided" firewalls with an easy GUI simply because they don't know how to use the OS firewall. It's fine, but especially with AI tools it's really easy to create a ruleset. What if the host-provided firewall, which is usually just a firewall on the host systems, has problems and stops working, you'd never even notice probably since you don't control it (I've had this problem before myself with companies.)
I think it's a great feature to have but using an OS firewall achieves exactly the same results.
Fck mythos ai.
I mean, if you're getting a server instead of some hosted/managed service, you should really know how to do it or at least how to google/use ai to figure it out.
Though I won't lie, it would be nice if there was some separate webui firewall that defaults to dropping all incoming and you have to explicitly open listening ports, even ssh. This way, you don't have to "rush" to set things up with the base os. Also, if your box gets popped somehow and they can escalate to root and add the proper rule(s) to allow something new.
This.
Please omg please no. Usually this is half-assed BS that only knows about TCP, UDP and ICMP (if you're lucky!). And if it supports IPv6, then that's miracles you're witnessing right there.
Firstly, there's often no way to add something like protocol 47 (GRE) or protocol 41 (SIT). Allow all of course doesn't allow them, because only TCP UDP and ICMP.
Secondly, at a certain provider even though it seemingly supported UDP, their interface was so clunky and buggy, as maybe also the entire thing to begin with, there was no way to get WireGuard to work reliably there, so I basically had to write it off.
Do not mess with network, just provide a reliable connection that has not been tampered with in any way!
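The failure mode described in the post above, as an added example that is not part of the original thread: a constructed Python model of a default-drop panel firewall whose "allow all" only covers TCP, UDP and ICMP over IPv4, next to a rule that limits SSH to one source IP. The rule format, the `panel_allow_all` helper and the documentation-range addresses are assumptions for illustration, not any provider's implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# IANA IP protocol numbers named in the thread.
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "sit": 41, "gre": 47}

@dataclass(frozen=True)
class Rule:
    proto: Optional[int]         # None matches any IP protocol
    src: str = "0.0.0.0/0"       # source network allowed by this rule
    dport: Optional[int] = None  # None matches any destination port

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dport: Optional[int] = None  # GRE and SIT carry no port

def allowed(rules, pkt):
    """Default drop: accept only when a rule matches protocol, source and port."""
    addr = ip_address(pkt.src)
    for r in rules:
        net = ip_network(r.src)
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if addr.version != net.version or addr not in net:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return True
    return False

def panel_allow_all():
    """Hypothetical panel: 'allow all' is stored as one IPv4 rule per known protocol."""
    return [Rule(PROTO[p]) for p in ("tcp", "udp", "icmp")]

def any_protocol_allow_all():
    """What 'allow all' has to mean for tunnels: any protocol, IPv4 and IPv6."""
    return [Rule(None, "0.0.0.0/0"), Rule(None, "::/0")]

# Constructed packets; addresses are from documentation ranges.
GRE = Packet(PROTO["gre"], "198.51.100.7")
SIT = Packet(PROTO["sit"], "198.51.100.7")
HTTPS_V6 = Packet(PROTO["tcp"], "2001:db8::1", 443)
SSH_ADMIN = Packet(PROTO["tcp"], "203.0.113.10", 22)
SSH_OTHER = Packet(PROTO["tcp"], "198.51.100.7", 22)
SSH_ONLY_ADMIN = [Rule(PROTO["tcp"], "203.0.113.10/32", 22)]
```

When checking a real panel, the same three probes (a GRE or SIT tunnel, an IPv6 connection, and SSH from a non-listed address) show quickly whether its rule model has these gaps.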
Experts will always know what to do and won't even rely on such a basic firewall. They will disable it (or leave it disabled or "allow" everything) the moment they see it. A web firewall would be addressing the beginners which in my opinion are many out there. Anything is better than nothing.
Some say the unmanaged services should not be bought by beginners. I can't really comment on such segregation, but what I do know is that multiple features and options are always better, while money from beginners is also valuable because it means more customers for the business and more growth.
They're gatekeeping it. Now 4.7 is all they got for commoners with the next few weeks to months
We have a firewall.
You could probably use something like a Firewall rules generator for basic rules... although I have in mind to make it more complex in the upcoming days...
Shouldn't it be vice versa?
Apps like Pure-FTPd and vsftpd are old and offer quite a limited set of features. Hence should be "rather well polished" and harder to hack since the obvious issues should be fixed already.
Vice-versa would be...hackers deserve to use FTP? As a punishment?
It's a 1970s technology. No encryption. Plain text passwords. Baroque protocol. No support for 2FA.
There's zero reason in 2026 to use FTP. Use SFTP.
ftp and telnet FOREVER
The YOLO protocols.
Real cloud providers have a web firewall by default. This is not the firewall that is used inside instances, but the firewall that controls the rules for your cloud (and all of your virtual machines created in your cloud).
And this is why we can't have nice things
+1 on onidel. Their platform is pretty cool and generally easy to use
This would be useful for low end machines where you don't want the CPU dealing with unnecessary packets/interrupts and can run without firewall.
But it adds cost, latency, complexity, and another point of failure.
We don't know how true this is. Every single Claude release is hyped up like that. Anthropic is very good at doomsday hype.
I second this. Not a single web firewall I have ever seen from a provider doesn't have at least one of these problems:
Now, if providers had some dirt simple feature to enable a simple firewall that is the exact equivalent of:
That would work well for the average client who only needs SSH, HTTP, and HTTPS open. Anyone who needs something more should at the very least know how to install a simple firewall frontend like UFW.
Or maybe just set up a minimal UFW config in the OS installation templates by default... Let the customer adjust it.
As @oloke mentioned, we do offer firewall group along with support for IP lists (IP sets).
I understand where some people are coming from when they say it is not necessary and that users of unmanaged services should know how to configure their own firewalls. That's fair to a point.
The fact, at least from experience with our customers, though, is the clients who benefit most from this are businesses (IT SMBs, SaaS providers, etc.), or even freelancers, individual developers. It is not that they do not know how to manage firewalls on their VMs - it's about scale. Once you're managing more than a handful of VMs, configuring and maintaining rules individually on each one quickly becomes tedious and inefficient. On top of that, there are dynamic IP lists that change frequently, such as monitoring services, GitHub Actions, or even internal whitelists. Managing these manually across multiple VMs without a centralised firewall rule set becomes a real pain. You could solve this with automation tools like Ansible, but if the provider offers firewall groups out of the box, that's usually the more straightforward and preferred option - which is the request that we received from lots of customers. There is also a potential bandwidth benefit depending on the platform. In our case, any traffic blocked by the firewall does not count toward your bandwidth usage.
That said, while unmanaged services do come with certain expectations, from a business perspective, we're always looking at ways to improve the user experience. We've supported firewall groups since launch, and IP lists are a more recent addition driven by strong customer demand.
I don't think this is gonna work, connection tracking on the node level for every customer is very very expensive and should not be expected.