Does Your Cloud Server Need a Firewall?


A firewall is a network filter, running on the server itself or in front of it, that decides which connections are allowed to reach which ports. That makes it a simple way to keep attackers away from processes they have no business talking to. Does your server need one?

Open only the ports you need, firewall the rest

The services you run on your server talk to the outside world through ports. Each port has a number, and a service listens for connections on its port. An open port is not a security risk in itself; you will often have to open ports so users can reach your service.

Ports 80 and 443 are the default ports for HTTP and HTTPS, so if you run a web server they must be open. Port 22 will usually be open on a fresh Linux installation, since that is the default SSH port. You can close it, but then you have to move SSH to another port. Moving the port cuts down the noise from automated scanners, but it is not a security control on its own: scanners find non-standard ports too, so restrict SSH by source address and use key-based authentication as well.

Without a firewall, any process that binds a port is reachable from every network interface on the server by default, whether or not you meant it to be. A firewall is where you define the rules for that: which ports may accept connections, and from where, so nothing unexpected becomes reachable from the outside.

To check which ports are currently listening on your system, you can run the following (netstat is deprecated on modern distributions; ss -plnt prints the same information in a similar layout):

sudo netstat -plnt

Or, if you want a more concise output:

sudo netstat -plnt | grep LISTEN | awk '{print $4 "\t" $7}'

These commands list each listening port together with the process that owns it. netstat only shows the PID and program name; for the full path, look the PID up with ps (or ls -l /proc/PID/exe). To see which ports are reachable from outside without logging in to the server, scan it from another machine with the client-side utility nmap; comparing that list with the listening sockets tells you what the firewall is actually blocking.

Anything that is not specifically used to host a service should be closed by a firewall.

If everything listening on your system is meant to be public, you might get by without a firewall. But then any port can quietly become public the moment you install a new service, so you would have to check every new package for listeners that should have been locked down.
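One way to turn the listening-port check above into something you can run after every new install, as an added example rather than code from the original article: the script parses ss -plnt style output, reports every socket bound to a wildcard address (which is what "reachable from outside unless a firewall blocks it" means in practice), and flags anything not on an allow-list of ports you intend to serve. The sample output is constructed here, not captured from a real host, and the allow-list "22 80 443" is an assumption to match the web server setup discussed above.

```shell
#!/bin/sh
# Constructed sample of `ss -plnt` output (not captured from a real host),
# in the column layout ss prints on a typical Linux box.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*   users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80           0.0.0.0:*   users:(("nginx",pid=1044,fd=6))
LISTEN 0      151    127.0.0.1:3306       0.0.0.0:*   users:(("mysqld",pid=1210,fd=21))
LISTEN 0      128    [::]:22              [::]:*      users:(("sshd",pid=812,fd=4))
LISTEN 0      4096   0.0.0.0:6379         0.0.0.0:*   users:(("redis-server",pid=1330,fd=6))'

# exposed_listeners: read ss -plnt output on stdin and print "PORT PROCESS"
# for every socket bound to a wildcard address (0.0.0.0, [::] or *), i.e.
# one that answers on every interface unless a firewall blocks it.
# Loopback-only listeners such as 127.0.0.1:3306 are left out on purpose.
exposed_listeners() {
  awk 'NR > 1 && $1 == "LISTEN" {
    port = $4; sub(/.*:/, "", port)          # text after the last colon
    addr = $4; sub(/:[^:]*$/, "", addr)      # text before the last colon
    if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
      proc = $6                               # users:(("sshd",pid=812,fd=3))
      sub(/^users:\(\("/, "", proc); sub(/".*/, "", proc)
      print port, proc
    }
  }' | sort -u                                 # v4 and v6 sshd collapse to one line
}

# unexpected_listeners ALLOWED_PORTS: exposed listeners that are not on the
# space-separated allow-list. Anything printed here should be firewalled,
# bound to a private address, or uninstalled.
unexpected_listeners() {
  exposed_listeners | awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !($1 in ok) { print }'
}

# On a live host you would run:  ss -plnt | unexpected_listeners "22 80 443"
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 80 443"
# → 6379 redis-server
```

The Redis listener is the kind of thing this catches: installed as a dependency, bound to all interfaces by default, and never meant to be public. Run the check as root (or with sudo), otherwise ss cannot show the owning process for other users' sockets.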

Don’t run your services on public IP addresses in the first place

A firewall is a great security tool, but some services should not be reachable from the whole internet at all. Every port you open is exposed to brute-force attempts and to whatever bugs the listening service has. The cleaner fix is to not give the service a public address in the first place: keep it on a private address inside your virtual private cloud and only allow connections from the hosts that need it.

Databases are the best example. A database such as MySQL listens on a port (3306 by default) for client connections. But if the only thing that talks to the database is your web server (and you, during maintenance), keep MySQL private: bind it to the server's private address and allow only the web server to connect. When you need to reach it yourself, SSH to the web server and connect to the database over the private network from there.

How to configure a firewall

If you are using a managed hosting service such as Amazon Web Services or DigitalOcean, your provider may offer a firewall that you manage from a web interface. If so, that is the place to set your rules first; a host firewall on the instance itself can still be layered underneath it as a second line of defence.

AWS in particular enforces its own firewall, managed through security groups, on every instance. A security group created by the EC2 launch wizard typically allows only SSH (port 22) inbound and blocks everything else, so you open ports by adding inbound rules yourself. You can edit the security groups of any running instance from the EC2 management console and modify the inbound rules.


AWS lets you specify the source of each rule, so you can, for example, allow SSH only from your own IP address, or allow the database server to accept connections only from the web server's security group, which keeps the link private even when the web server's IP address changes.
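The same two-tier setup expressed as AWS CLI calls, as an added example and not code from the original article. It builds the rules for a web-tier security group (HTTP and HTTPS from anywhere, SSH only from the admin address) and a database-tier group whose MySQL rule references the web group by ID rather than by IP. The group IDs and the admin address are placeholders chosen for the example; the commands are printed for review unless AWS_APPLY=1 is set, because running them needs credentials and a real VPC.

```shell
#!/bin/sh
# Security-group rules for a web tier and a database tier, built with the
# AWS CLI. Group IDs and the admin CIDR below are assumed placeholders.
# Commands are only printed unless AWS_APPLY=1, so you can review them first.

run() {
  if [ "${AWS_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# allow_from_cidr GROUP PORT CIDR: open PORT on GROUP to an address range.
allow_from_cidr() {
  run aws ec2 authorize-security-group-ingress --group-id "$1" \
      --protocol tcp --port "$2" --cidr "$3"
}

# allow_from_group GROUP PORT SOURCE_GROUP: open PORT on GROUP only to
# instances that are members of SOURCE_GROUP. No IP address appears in the
# rule, so it still holds after the web servers are replaced or rescaled.
allow_from_group() {
  run aws ec2 authorize-security-group-ingress --group-id "$1" \
      --protocol tcp --port "$2" --source-group "$3"
}

# lock_down WEB_SG DB_SG ADMIN_CIDR
lock_down() {
  web_sg="$1"; db_sg="$2"; admin_cidr="$3"
  allow_from_cidr  "$web_sg" 80   0.0.0.0/0       # public web traffic
  allow_from_cidr  "$web_sg" 443  0.0.0.0/0
  allow_from_cidr  "$web_sg" 22   "$admin_cidr"   # SSH from one address only
  allow_from_group "$db_sg"  3306 "$web_sg"       # MySQL from the web tier only
  # Nothing is added to db_sg for port 22: reach it through the web server.
}

lock_down sg-0123456789abcdef0 sg-0fedcba9876543210 203.0.113.7/32
```

Because security groups deny everything that is not explicitly allowed, the database group ends up with exactly one inbound rule. If the admin address changes, revoke the old SSH rule with revoke-security-group-ingress rather than adding a second one, or the old address stays allowed.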


If you are using another provider, such as Linode, or ordinary hosting, you configure the firewall on the server yourself. On Linux the standard tool is iptables (or nftables on newer distributions); front-ends such as ufw offer a simpler syntax over the same rules.
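A complete iptables ruleset for the setup described in the database section above (web server public, MySQL reachable only from the web server's private address, SSH only from your own address), as an added example and not code from the original article. It generates the ruleset in iptables-restore format from two parameters; the addresses used at the bottom, 203.0.113.7/32 for the admin machine and 10.0.1.10 for the web server, are placeholders chosen for the example.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset for a host running a public web
# server and a MySQL instance that only the web tier may reach.
# Default policy is DROP on INPUT, so anything not listed is unreachable.
# Addresses passed in at the bottom are assumed placeholders.

# firewall_rules ADMIN_CIDR WEB_IP: print the ruleset to stdout.
firewall_rules() {
  admin_cidr="$1"   # the only source allowed to reach SSH
  web_ip="$2"       # the only source allowed to reach MySQL
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, replies to connections this host opened, and junk
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# public services
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# SSH only from the admin address, with a modest rate limit on new sessions
-A INPUT -p tcp --dport 22 -s ${admin_cidr} -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT
# MySQL only from the web server; no rule means it is closed to everyone else
-A INPUT -p tcp --dport 3306 -s ${web_ip} -m conntrack --ctstate NEW -j ACCEPT
# allow ping; everything else falls through to the DROP policy
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Review the output, then apply it with:
#   firewall_rules 203.0.113.7/32 10.0.1.10 | sudo iptables-restore
firewall_rules 203.0.113.7/32 10.0.1.10
```

Apply it from a console or a second SSH session, so a typo in the admin address does not lock you out. This ruleset only covers IPv4: ip6tables keeps its own default policy of ACCEPT, so a host with a public IPv6 address needs an equivalent ruleset loaded with ip6tables-restore, or the firewall is wide open over IPv6. Pair it with bind-address set to the private IP in the MySQL configuration, so the database is never listening on the public interface in the first place.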

If you are running a Windows server, configure the aptly named Windows Firewall (Windows Defender Firewall with Advanced Security), either from its Management Console snap-in or from the command line with netsh advfirewall or the NetSecurity PowerShell cmdlets such as New-NetFirewallRule.
