Firewall and Security config query

Webha

New member
Joined
Nov 17, 2022
Messages
12
hI, this is my first time using linux so don't have good knowledge on linux and commands.

When using Vultr or DO droplet + ubuntu,

Do you need three firewalls: UFW, CSF and fail2ban altogether? I enabled UFW, CSF and also installed Fail2ban. Is using CSF necessary if UFW and fail2ban is installed?

Then I did:

ufw allow 80
ufw allow 443
ufw allow ssh.

Then did "Ufw default deny incoming". Will this command affect visitors finding my website? I understand it denies incoming traffic, but does it deny traffic to website or denies people trying to brute force into my vps?

My VPS is for running sites, nothing else but confused about firewall and other security measures like ddos stuff.

Things I did until now:

changed ssh port
disabled root login
created another user, gave sudo
disabled password login
wireguard to access
installed all 3 firewall stuff: UFW, CSF, fail2ban (is using CSF necessary if UFW and fail2ban is installed?)

Also Vultr and DO have GUI firewall settings in their site. What is the difference doing directly from there vs using terminal?

Anything else I need to do to fully tighten security?
 

johannes

Verified User
Joined
Feb 18, 2007
Messages
526
We have CSF because its interact flawless with DA-BFM, scans also WP logs and have many more functions. So fare i am aware, it replaces both, UFW and fail2ban. Cannot speak for UFW, never used it.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
9,550
Location
Maastricht
installed all 3 firewall stuff: UFW, CSF, fail2ban (is using CSF necessary if UFW and fail2ban is installed?)
Agreed with @johannes on this. Multiple firewalls can even cause issues. CSF/LFD can do anything the others do and work together with DA's BFM so imho no need to use others.

If you want more security maybe you can think of modsec too. However I can't advise you on settings because I don't use that.
 

Webha

New member
Joined
Nov 17, 2022
Messages
12
We have CSF because its interact flawless with DA-BFM, scans also WP logs and have many more functions. So fare i am aware, it replaces both, UFW and fail2ban. Cannot speak for UFW, never used it.

Agreed with @johannes on this. Multiple firewalls can even cause issues. CSF/LFD can do anything the others do and work together with DA's BFM so imho no need to use others.

If you want more security maybe you can think of modsec too. However I can't advise you on settings because I don't use that.
Okay. Does directadmin give you the option to install CSF or it installs automatically along with the package?

I was reading a post a couple of days earlier, that fail2ban is must for either CSF or UFW. That's why I asked.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
9,550
Location
Maastricht
Does directadmin give you the option to install CSF or it installs automatically along with the package?
On new installs, CSF/LFD will be installed together with Directadmin. If all is well you can see the CSF plugin in your admin panel.

that fail2ban is must for either CSF or UFW. That's why I asked.
I would like to see such post because it's odd. Fail2ban can't do anything that CSF can. So until somebody has proove that Fail2ban has some option which is not available with CSF, there is no need and no use to run both. However, it's your choice.
Just if you have problems with something, don't forget to mention you are running both.

If you ask me, it's either Fail2ban+UWF or CSF/LFD+iptables where iptables/nftables is in fact configured by CSF/LFD.
 

Webha

New member
Joined
Nov 17, 2022
Messages
12
On new installs, CSF/LFD will be installed together with Directadmin. If all is well you can see the CSF plugin in your admin panel.


I would like to see such post because it's odd. Fail2ban can't do anything that CSF can. So until somebody has proove that Fail2ban has some option which is not available with CSF, there is no need and no use to run both. However, it's your choice.
Just if you have problems with something, don't forget to mention you are running both.

If you ask me, it's either Fail2ban+UWF or CSF/LFD+iptables where iptables/nftables is in fact configured by CSF/LFD.
Thanks for clearing that.

Other than that firewall stuff, I did some other stuffs to secure the VPS:

changed ssh listening port
disabled root login
created another user, gave sudo
disabled password login
google mfa

anything else needed to do?
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
9,550
Location
Maastricht

EthernetServers

Verified User
Joined
Dec 5, 2020
Messages
75
As you mention Vultr and DO, you could use their network level firewalls if you wanted to:


This way, you would prevent packets from reaching your server's kernel.

Generally speaking, it's advisable to block all ports, and only open those that you need - i.e. apache, ssh, etc.
 

Webha

New member
Joined
Nov 17, 2022
Messages
12
As you mention Vultr and DO, you could use their network level firewalls if you wanted to:


This way, you would prevent packets from reaching your server's kernel.

Generally speaking, it's advisable to block all ports, and only open those that you need - i.e. apache, ssh, etc.
The GUI of DO and vultr? Yeah it seems pretty straight forward compared to manually installing csf or ufw and then configuring. Is there any difference between configuring here and manually installing via terminal?
 

EthernetServers

Verified User
Joined
Dec 5, 2020
Messages
75
The GUI of DO and vultr? Yeah it seems pretty straight forward compared to manually installing csf or ufw and then configuring. Is there any difference between configuring here and manually installing via terminal?

The main benefit of using DO's or Vultr's firewall is that the packets don't reach your server.

Let's say someone is attacking port 1234 on your server, and you have configured the OS to block that port: If the amount of attack traffic is modest*, your server may be able to keep up just fine, blocking access to port 1234.

But if we're talking about a large* attack, there's only so much the kernel can handle before the performance will start to suffer. It has to use CPU, Disk I/O etc to do its thing, after all.

By blocking traffic before it reaches the server (i.e. using the DO or Vultr firewall), you don't have to deal with the performance consequences - your server can use its resources to do what it needs to do for legitimate traffic instead of dealing with that AND malicious traffic.

* Definitions of "modest" and "large" will vary; all servers are different and have different limits based on their software and hardware configurations.

And I mean, a web GUI, for many people, will be the easier option anyway. No need to be researching iptables/ufw/firewalld syntax :)
 

Webha

New member
Joined
Nov 17, 2022
Messages
12
The main benefit of using DO's or Vultr's firewall is that the packets don't reach your server.

Let's say someone is attacking port 1234 on your server, and you have configured the OS to block that port: If the amount of attack traffic is modest*, your server may be able to keep up just fine, blocking access to port 1234.

But if we're talking about a large* attack, there's only so much the kernel can handle before the performance will start to suffer. It has to use CPU, Disk I/O etc to do its thing, after all.

By blocking traffic before it reaches the server (i.e. using the DO or Vultr firewall), you don't have to deal with the performance consequences - your server can use its resources to do what it needs to do for legitimate traffic instead of dealing with that AND malicious traffic.

* Definitions of "modest" and "large" will vary; all servers are different and have different limits based on their software and hardware configurations.

And I mean, a web GUI, for many people, will be the easier option anyway. No need to be researching iptables/ufw/firewalld syntax :)
Let's say I use the web gui to add port 443, 80 and my custom ssh port. Will I have to do anything with CSF that direct admin automatically installs? I mean manually configure CSF myself or it will be auto configured?
 
Top