Firewall and Security config query

W

Webha

New member
Joined
Nov 17, 2022
Messages
12
hI, this is my first time using linux so don't have good knowledge on linux and commands.

When using Vultr or DO droplet + ubuntu,

Do you need three firewalls: UFW, CSF and fail2ban altogether? I enabled UFW, CSF and also installed Fail2ban. Is using CSF necessary if UFW and fail2ban is installed?

Then I did:

ufw allow 80
ufw allow 443
ufw allow ssh.

Then did "Ufw default deny incoming". Will this command affect visitors finding my website? I understand it denies incoming traffic, but does it deny traffic to website or denies people trying to brute force into my vps?

My VPS is for running sites, nothing else but confused about firewall and other security measures like ddos stuff.

Things I did until now:

changed ssh port
disabled root login
created another user, gave sudo
disabled password login
wireguard to access
installed all 3 firewall stuff: UFW, CSF, fail2ban (is using CSF necessary if UFW and fail2ban is installed?)

Also Vultr and DO have GUI firewall settings in their site. What is the difference doing directly from there vs using terminal?

Anything else I need to do to fully tighten security?
 
We have CSF because its interact flawless with DA-BFM, scans also WP logs and have many more functions. So fare i am aware, it replaces both, UFW and fail2ban. Cannot speak for UFW, never used it.
 
Webha said:
installed all 3 firewall stuff: UFW, CSF, fail2ban (is using CSF necessary if UFW and fail2ban is installed?)
Click to expand...
Agreed with @johannes on this. Multiple firewalls can even cause issues. CSF/LFD can do anything the others do and work together with DA's BFM so imho no need to use others.

If you want more security maybe you can think of modsec too. However I can't advise you on settings because I don't use that.
 
johannes said:
We have CSF because its interact flawless with DA-BFM, scans also WP logs and have many more functions. So fare i am aware, it replaces both, UFW and fail2ban. Cannot speak for UFW, never used it.
Click to expand...

Richard G said:
Agreed with @johannes on this. Multiple firewalls can even cause issues. CSF/LFD can do anything the others do and work together with DA's BFM so imho no need to use others.

If you want more security maybe you can think of modsec too. However I can't advise you on settings because I don't use that.
Click to expand...
Okay. Does directadmin give you the option to install CSF or it installs automatically along with the package?

I was reading a post a couple of days earlier, that fail2ban is must for either CSF or UFW. That's why I asked.
 
Webha said:
Does directadmin give you the option to install CSF or it installs automatically along with the package?
Click to expand...
On new installs, CSF/LFD will be installed together with Directadmin. If all is well you can see the CSF plugin in your admin panel.

Webha said:
that fail2ban is must for either CSF or UFW. That's why I asked.
Click to expand...
I would like to see such post because it's odd. Fail2ban can't do anything that CSF can. So until somebody has proove that Fail2ban has some option which is not available with CSF, there is no need and no use to run both. However, it's your choice.
Just if you have problems with something, don't forget to mention you are running both.

If you ask me, it's either Fail2ban+UWF or CSF/LFD+iptables where iptables/nftables is in fact configured by CSF/LFD.
 
Richard G said:
On new installs, CSF/LFD will be installed together with Directadmin. If all is well you can see the CSF plugin in your admin panel.


I would like to see such post because it's odd. Fail2ban can't do anything that CSF can. So until somebody has proove that Fail2ban has some option which is not available with CSF, there is no need and no use to run both. However, it's your choice.
Just if you have problems with something, don't forget to mention you are running both.

If you ask me, it's either Fail2ban+UWF or CSF/LFD+iptables where iptables/nftables is in fact configured by CSF/LFD.
Click to expand...
Thanks for clearing that.

Other than that firewall stuff, I did some other stuffs to secure the VPS:

changed ssh listening port
disabled root login
created another user, gave sudo
disabled password login
google mfa

anything else needed to do?
 
As you mention Vultr and DO, you could use their network level firewalls if you wanted to:

www.vultr.com

Vultr Firewall

We are simplifying the cloud. One Login, 16 Countries, 27 Cities, Infinite Possibilities.
www.vultr.com www.vultr.com

Firewalls Quickstart :: DigitalOcean Documentation

Just the essentials to go from zero to working in a few minutes. Relevant terms:
docs.digitalocean.com docs.digitalocean.com

This way, you would prevent packets from reaching your server's kernel.

Generally speaking, it's advisable to block all ports, and only open those that you need - i.e. apache, ssh, etc.
 
EthernetServers said:
As you mention Vultr and DO, you could use their network level firewalls if you wanted to:

www.vultr.com

Vultr Firewall

We are simplifying the cloud. One Login, 16 Countries, 27 Cities, Infinite Possibilities.
www.vultr.com www.vultr.com

Firewalls Quickstart :: DigitalOcean Documentation

Just the essentials to go from zero to working in a few minutes. Relevant terms:
docs.digitalocean.com docs.digitalocean.com

This way, you would prevent packets from reaching your server's kernel.

Generally speaking, it's advisable to block all ports, and only open those that you need - i.e. apache, ssh, etc.
Click to expand...
The GUI of DO and vultr? Yeah it seems pretty straight forward compared to manually installing csf or ufw and then configuring. Is there any difference between configuring here and manually installing via terminal?
 
Webha said:
The GUI of DO and vultr? Yeah it seems pretty straight forward compared to manually installing csf or ufw and then configuring. Is there any difference between configuring here and manually installing via terminal?
Click to expand...

The main benefit of using DO's or Vultr's firewall is that the packets don't reach your server.

Let's say someone is attacking port 1234 on your server, and you have configured the OS to block that port: If the amount of attack traffic is modest*, your server may be able to keep up just fine, blocking access to port 1234.

But if we're talking about a large* attack, there's only so much the kernel can handle before the performance will start to suffer. It has to use CPU, Disk I/O etc to do its thing, after all.

By blocking traffic before it reaches the server (i.e. using the DO or Vultr firewall), you don't have to deal with the performance consequences - your server can use its resources to do what it needs to do for legitimate traffic instead of dealing with that AND malicious traffic.

* Definitions of "modest" and "large" will vary; all servers are different and have different limits based on their software and hardware configurations.

And I mean, a web GUI, for many people, will be the easier option anyway. No need to be researching iptables/ufw/firewalld syntax :)
 
EthernetServers said:
The main benefit of using DO's or Vultr's firewall is that the packets don't reach your server.

Let's say someone is attacking port 1234 on your server, and you have configured the OS to block that port: If the amount of attack traffic is modest*, your server may be able to keep up just fine, blocking access to port 1234.

But if we're talking about a large* attack, there's only so much the kernel can handle before the performance will start to suffer. It has to use CPU, Disk I/O etc to do its thing, after all.

By blocking traffic before it reaches the server (i.e. using the DO or Vultr firewall), you don't have to deal with the performance consequences - your server can use its resources to do what it needs to do for legitimate traffic instead of dealing with that AND malicious traffic.

* Definitions of "modest" and "large" will vary; all servers are different and have different limits based on their software and hardware configurations.

And I mean, a web GUI, for many people, will be the easier option anyway. No need to be researching iptables/ufw/firewalld syntax :)
Click to expand...
Let's say I use the web gui to add port 443, 80 and my custom ssh port. Will I have to do anything with CSF that direct admin automatically installs? I mean manually configure CSF myself or it will be auto configured?
 
You must log in or register to reply here.
Back
Top