  1. #1

    Firewall Questions

    I posted a question about server specs a couple of minutes ago. Now I've got another on firewalls. Currently, we're hosting our domains on a Verio shared server. So, I have no experience with firewalls. (Btw, I don't know what kind of security they have, but we've never had a problem.)

    I'm hosting about 70 accounts now - going up to about 110 by year's end. Will I need a firewall on the dedicated server?

    I plan on using Plesk. Currently they don't support firewalls (I think). So, I'm assuming a software solution is out of the question. Is that right? If not, how difficult is it to maintain the firewall?

    Rackspace is offering a variety of managed firewalls. They all cost about $300+/month. Is that reasonable?

    If I need one and the price is reasonable, what's the difference between the different firewalls? In particular, info on NetScreen 5 Elite and Cisco Pix 506 would be appreciated. And, if there are others that are better I'd like to hear about them as well.

    Thanks in advance,
    Steve

  2. #2
    Join Date
    Dec 2000
    Location
    Leesburg, VA
    Posts
    3,205
    Most likely you will not need a firewall on your server. A firewall can sometimes be useful, but in a shared hosting environment, it is the last thing you should be worried about.

    The following are more important steps to securing a web server:

    1. Disable Unused Ports -- your webserver should only accept connections on ports 80, 443, and 22. If you are going to have it double as a mail server add in 25 and 110, if you are going to have it serve as a DNS server as well add 53. You will also have to allow connections on 20/21 since most people still use FTP.

    2. Subscribe to bugtraq, or some other security database so you can find out vulnerabilities as soon as they are reported....then update your software!

    3. Run some sort of log checking software, that is going to monitor your logs for suspicious activity.

    4. Run a HIDS, to watch for unauthorized connections.

    5. Restrict file permissions as much as possible, and give out SSH access very sparingly.

    6. Don't run any processes as root, and delete unnecessary accounts (like the games account).


    I'm sure there are others which escape me at the moment, but the point is a properly secured web server will be much more effective than a firewall.

  3. #3
    you should run ipchains or iptables on your server to have full control over firewall rules and to avoid high managed-firewall fees from your colo provider.

    ps. always remember that site security is not just a firewall... patching, patching is the most important part
    Last edited by Chicken; 06-14-2002 at 01:51 AM.

  4. #4
    Join Date
    Dec 2000
    Location
    Leesburg, VA
    Posts
    3,205
    Originally posted by apollo
    you should run ipchains or iptables on your server to have full control over firewall rules and to avoid high managed-firewall fees from your colo provider.
    Debatable. In the case of most small providers, or hosts just getting started so many services are running on the box, that a firewall -- especially one on the server -- is going to provide little benefit.

    A firewall won't stop an attacker from exploiting a buggy CGI script, or a web site with bad permissions. A firewall won't stop bad passwords from being created by users, it certainly won't help the fact that pop/FTP passwords will be sent clear text, etc.

    I would agree with your statement for a dedicated DNS server, or a dedicated mail relay server, I would especially agree for a dedicated database server -- but a box that will be used for all of these functions is better served by following the guidelines above than by adding a firewall.

  5. #5
    So, why would I want a firewall? What would that protect the server from?

    Can I expect a managed dedicated provider (like RackSpace) to disable the unused ports for me, or is that the kind of thing we'll need to do?

    And, what other security measures should we take? Do we need virus protection software?

    Also, we'll be using Plesk. I was under the impression that Plesk modifies the system such that we can't/shouldn't apply patches, etc. until Plesk incorporates them into an update.

    Can you give me a bit more direction on what security database to subscribe to (for RedHat 7.2), what is a good log checking program, and on HIDS (what is it)?

    Thanks for the info so far - it's exactly the kind of info I've been looking for.

    Thanks again,
    Steve

  6. #6
    Join Date
    Dec 2000
    Location
    Leesburg, VA
    Posts
    3,205
    Kurt Seifried has a pretty good overview of firewalls:

    http://www.seifried.org/security/net...-overview.html

    Generally, companies that use firewalls use them to filter unwanted packets. Take a look at this article by Jeffrey Howard for some more information:

    http://www.burningvoid.com/iaq/firewall-type.html

    Here's the problem -- and this is very arguable, so others may think different -- a packet filtering type firewall is good at stopping unwanted traffic, especially flooding type attacks. When that firewall is located directly on the server...the request still has to be processed by the server so the server may get flooded.

    A separate firewall can do a more effective job -- but flood-type attacks are not your biggest concern as a new host...your biggest concern are all the things I listed above. In your case, you are better off running without a firewall and hardening your server.

    As far as what a managed provider will and won't do when it comes to securing your server...ask them. They should be able to give you a checklist of the security precautions they take.

    For RedHat subscribe to the RedHat Network and use their up2date program...run it religiously, because RedHat has been pretty good about keeping up with updates. Also check out BugTraq for non-Redhat security holes:

    http://online.securityfocus.com/archive/1

    HIDS=Host-based intrusion detection system. It is used to monitor incoming requests looking for weirdness. If weirdness is detected it will issue an alert warning you there may be trouble.

  7. #7
    You all likely know a lot more about running servers than I do, but I put a firewall on my box and am quite happy that I did.

    Maybe I'd never get someone scanning my ports, maybe there wouldn't be a way in if they did.

    But it takes 10 minutes to set up and gives me a little more peace of mind.

  8. #8
    Join Date
    Apr 2001
    Location
    Amsterdam
    Posts
    52

    Re: Firewall Questions

    Originally posted by weblined
    Will I need a firewall on the dedicated server?
    IMHO, it would be naive to run a server without a firewall. Search for ipchains or iptables or Bastille. They allow you to block or restrict access to any ports on your server and much more.

    I plan on using Plesk. Currently they don't support firewalls (I think). So, I'm assuming a software solution is out of the question.
    Plesk should run just fine with a software firewall.

    Is that right? If not, how difficult is it to maintain the firewall?
    Depends, you must be able to configure it, but I (as a Linux newbie) had no problem doing that with the great help on the rackshack forum.

    Jan Derk

  9. #9
    You should also keep in mind that no matter what firewall you use (Netscreen, Cisco, etc), it is going to add latency to your server. The more you have your firewall do, the more latency it is going to add. In the case of a single server, a firewall might not be the best choice for a few reasons:

    1) You don't need to block off certain ports at the firewall--simply close the service on the machine if you don't need it.

    2) You're not trying to keep users on your server from accessing certain parts of the internet (I.E. preventing employees from surfing the web while at work).

    3) You're essentially setting up a single point of failure for your entire network (yes, it is only one server right now--but when you have three or 10 servers, what happens if your firewall has a problem?). In the case of web hosting, access to the Internet is not only critical to your business, it is your business. You don't want to be setting up "choke points" for your entire network if you don't have to.

    4) A Netscreen 5 Elite and Cisco PIX 506 are *not* going to be able to stop a sizeable flood any more than your server is (especially if you choose an OS with a good TCP/IP stack such as FreeBSD). If your server is getting DoS'd, I can almost guarantee you that you are going to have to ask your upstream to block the attack for you (and besides, that way you don't have to pay for the bandwidth caused by the flood).

    In my opinion, one of the best ways to increase security on a server or a network is to do what uuallan suggested--and that is to setup a HIDS (or NIDS, in the case of an entire network).

    These types of systems are more passive than a firewall because they watch connections that are already in progress and do not examine each packet before letting them through. For this reason, you can run quite a bit more analysis on a packet without fear of adding any latency to the connection (aside from the increased load on your server from the analysis process). Of course the downside to that is that by the time your HIDS alerts you of some suspicious activity on your server, the damage may have already been done. However the trade-off is that hopefully the HIDS will be able to catch many attacks/scans that a standard firewall doesn't know about.

    One of the better-known IDS's is called Snort (www.snort.org). Snort runs on your server and watches all of the packets received by your network card. It then examines each packet and compares them with rulesets that you can customize. Many of the Snort rules can do things that most firewalls can't. You can setup rules to notify you when someone is attempting a specific CGI script exploit (I.E. FormMail Spamming), or when someone logs on to a specific IRC server, etc. Because it can examine the contents of each packet, you can write rules that will make intelligent decisions based on a specific protocol as opposed to simply looking at the packet's headers (source/destination/ports) as most firewalls do. In my opinion, this is a much more effective solution than an "out of the box" firewall appliance. You get a more intricate and more intelligent system without adding much latency to the connection--which in the end, is going to be one of the most important factors as far as your customers are concerned.

    Don't get me wrong, there are many places where a commercial firewall system--such as those you mentioned--will come in handy. There is no question that having such a device in place will help improve security on your server/network. But you have to ask yourself if the pros outweigh the cons (and yes, there are definitely both in this situation). When your entire business depends on this one single appliance doing its job correctly and quickly seven days a week, I would advise you to be thorough and do plenty of research before making a decision.

    Hope that helps.
    Matt Lightner - http://www.mattlightner.com/
    - First initial to the last name at the mail service provided by the world's largest search engine
    - Founder and CEO (Former) Site5.com, sold in 2008
    - Really honestly wants to be a good WHT citizen but can never remember all the correct etiquette. Mods, sorry in advance

  10. #10
    Join Date
    Dec 2000
    Location
    Leesburg, VA
    Posts
    3,205

    Re: Re: Firewall Questions

    Originally posted by janderk
    IMHO, it would be naive to run a server without a firewall. Search for ipchains or iptables or Bastille. They allow you to block or restrict access to any ports on your server and much more.
    You can block access to ports by not enabling the service. I don't see any benefit that an on-the-server firewall can provide you over a properly secured server with a HIDS.

    Your experience has been different, so I'd like to know in what manner this firewall has benefitted you?

  11. #11
    Join Date
    Nov 2001
    Location
    Vancouver
    Posts
    2,416
    Matt's post is one of the reasons why I do business with Site5.

  12. #12
    What he posted sounded very thorough (sp?) but many of us do not have the options that he put on the table.

    I have the firewall on the server to keep people I don't want in it, out. (I hope) Any site that gets a true DOS will likely fall. If they can bring down the REALLY big boys such as Yahoo and Ebay, I don't think they'll have much problem with my wimpy server if they really tried. What I hope the firewall will achieve is keeping them from using my machine against someone else.

  13. #13
    Join Date
    Dec 2000
    Location
    Leesburg, VA
    Posts
    3,205
    Originally posted by Shin
    What he posted sounded very thorough (sp?) but many of us do not have the options that he put on the table.
    What options do you not have?


    What I hope the firewall will achieve is keeping them from using my machine against someone else.
    A firewall won't stop that, and that is one of the concerns I have about people that use IPTables as an end-all solution. They become too reliant on one piece of software to manage their security. If an attacker is able to root your box -- which won't necessarily violate any of the rule sets of the firewall -- it is a trivial matter to then disable IPTables and use your box to launch attacks.

    Matt made an excellent suggestion with snort. There are a lot of databases out there that develop signatures for snort (http://www.whitehats.com/ids/ is my favorite). Run snort with one of these databases and if a connection attempt matches any of the signatures it will alert you. The downside, as Matt pointed out, is that you may get the alert too late.

  14. #14
    Once again, thanks for all of the information. What I'm hearing loud and clear is that if the purpose of the server is to host web sites, then a firewall will most likely slow down the apparent speed of the server, and not necessarily offer the best protection, especially against the most likely attacks.

    Instead I should (thanks to uuallan):

    1) Disable unused ports.
    2) Apply security patches as soon as they become available.
    3) Run log checking software.
    4) Run a HIDS
    5) Restrict permissions
    6) Don't run processes as root.

    1,5,6 - those are absolutely clear to me.

    2 - I'm still concerned about patching the OS once the server's been taken over by Plesk. Does anyone who uses Plesk have experience with this? The sales rep at RackSpace indicated that they notify customers when patches are available, recommend which patches to install (based on Plesk's recommendations), and install patches upon request.

    3 - If this was answered already, my apologies, but what is a good log checking software.

    4 - I'm looking into snort.org now - thanks Matt.

    I still have a few security questions:
    Do I need virus protection software on the server? If so, will it run with Plesk on the server?

    Are there other ways to secure the server (not including the 6 items above and firewalls)?

    What kind of attacks do I need to worry about? Where can I find more information on them? And, how likely are they?

    Thanks again for all of the help,
    Steve

  15. #15
    One more question:

    I'm not discounting the folks who are recommending a firewall. But, what kind of protection would a firewall offer that the other methods described in this thread don't? Specifically, what benefits would I get from running a firewall on a server whose primary purpose is web hosting?

    Thanks again,
    Steve

  16. #16
    Join Date
    Apr 2001
    Location
    Amsterdam
    Posts
    52
    Originally posted by weblined
    what kind of protection would a firewall offer that the other methods described in this thread don't?
    A firewall would allow you to limit access to services like ssh and ftp to a single ip address or a small range only.

    Running a firewall is just another lock on your server door. And why not use it, if it is (very likely) already installed on your server? I'm talking a software firewall (like iptables) not a hardware one which I agree probably does not justify its additional costs in your situation.

    For the automatic log checking, take a look at logsentry.

    JD
    Last edited by janderk; 06-14-2002 at 01:21 PM.

  17. #17
    Join Date
    Apr 2002
    Location
    AU
    Posts
    1,048
    What is it you want to firewall?

    Scanning
    Unauthorised Access
    Packet Kiddy attacks?

    I firewall for all 3.

    I have a firewall at my upstream provider to prevent DDoS attacks. The closer you have this firewall to the border, the more effective it will be. I also have remote access to the router, so I can add ACL's at will.

    For my webhosting servers, I use ipfw (FreeBSD) and ipchains (Redhat) to block all ports which are not of use, to block all requests on the SSHd port which do not come by way of my own IP's and allow only my IP for certain daemons I run which only I should be granted access to.

    I also run an IDS for fun, and software-based firewalling for packet kiddy attacks.

    Firewalls in some cases can also be great for traffic accounting. I use ipfw to count internet traffic generated from my clients, and grep certain traffic to a 12-hourly email. (not good for high traffic clients)

    Firewalling is also good to prevent outgoing DoS attacks from your own clients - and if they do have shell access, preventing them from running certain services without your permission.

    Another thing regarding DDoS attacks -> I keep another set of IP's handy and have written software to change all IP routes in the case of my main server IP being attacked. That way I can drop the main IP, blackhole it, and go on about my business as usual with minor interruption.

    Hope this helps

  18. #18
    Hosticle - If I disable any ports I'm not using, if I don't want to use a firewall for traffic info, and if none of my clients will have shell access, does a firewall still provide additional security/benefits assuming I'm securing the server in all of the other ways mentioned?

    I don't want to skimp on security at all, but I don't want to add a redundant level of security. I understand that some people are going to use different tools to accomplish the same ends. That's why I mentioned we'll be disabling ports without using a firewall.

    Steve

  19. #19
    Join Date
    Apr 2002
    Location
    AU
    Posts
    1,048
    Depends

    If your server is well configured, and will not allow clients to execute or attempt any outgoing attacks - you don't need one

    One other point is, with the SSHd listening all the time, there is nothing to say that if vulnerable, you may find someone with root access on your box. Also, it will accept connections from any source - unless you change it in your conf files.

    There is no need to get a firewall if you are certain that your server is secure.

    If you keep to the latest version of your services and have hard-to-guess passwords you should be fine.

    Just make sure your passwords are over 8 chars in length and you change them regularly.

    I have come across some MD5 password crackers, and have found that passwords less than 8 chars in length can be cracked within about 3 weeks of CPU time.

    The bottom line is, if you don't make yourself a target, you won't be likely to be taken out.

  20. #20
    Join Date
    Dec 2000
    Location
    Leesburg, VA
    Posts
    3,205
    Originally posted by weblined

    2 - I'm still concerned about patching the OS once the server's been taken over by Plesk. Does anyone who uses Plesk have experience with this? The sales rep at RackSpace indicated that they notify customers when patches are available, recommend which patches to install (based on Plesk's recommendations), and install patches upon request.
    Can't help you with that, but I am under the impression most patches won't affect how Plesk works...I would recommend asking this question in the Plesk forum (http://forum.plesk.com/) to make sure you get a definitive answer.


    3 - If this was answered already, my apologies, but what is a good log checking software.
    The only one I have experience with (and happen to really like) is LogSentry: http://www.psionic.com/products/logsentry.html



    I still have a few security questions:
    Do I need virus protection software on the server? If so, will it run with Plesk on the server?
    Virus protection is debatable...If users do not have root access, and file permissions are set up correctly, there is very little damage a virus can do on a Linux/BSD server -- it is also unlikely that a server with proper security precautions will be infected. Some prefer virus checkers for mail service, but that is more for your customers' benefit than server security.

    Personally, I don't think a virus scanner on a *nix hosting server is worth the extra CPU cycles, others may differ.


    Are there other ways to secure the server (not including the 6 items above and firewalls)?
    I hope so, if I have all the answers I should be making a lot more money.


    What kind of attacks do I need to worry about? Where can I find more information on them? And, how likely are they?
    DDoS attacks are pretty common...one of your customers pisses off someone so they DoS you. Not a lot you can do about that. Better to have your upstream provider handle it for you.

    Another common one is web page defacement, these usually take advantage of weak CGI permissions, or Front Page extensions. Monitor permissions closely (I recommend creating a cron job that examines file permissions on the server, and sends you a report with any files that have weak permissions so you can contact the user). Don't install FP extensions unless you absolutely have to.

    Mail relay attacks using formmail type scripts are common...it might not be a bad idea to have secure versions of common CGI scripts on hand for your customers to use.

    How likely they are depends on how well you are known. The bigger you get the more likely you are to be attacked...on the other hand smaller hosts are often targeted because attackers don't think they will notice, and a smaller host might be easy pickings.
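    The permission-audit cron job suggested in the post above, written out as an added example (not code from the thread or from any poster). It lists world-writable and setuid/setgid files and directories under a customer tree and groups them by owner so each user can be contacted; the path /home and the crontab line are assumptions.

```shell
#!/bin/sh
# Added example: nightly audit of customer directories for weak permissions.
# Usage:  permaudit.sh /home            (DOC_ROOT argument is an assumption)
# Suggested crontab entry (assumed path, mails the report to root):
#   0 3 * * * /usr/local/sbin/permaudit.sh /home 2>&1 | mail -s "perm audit" root

# Print "owner<TAB>mode<TAB>path" for every file or directory under $1 that
# is world-writable (-perm -0002), setuid (-4000) or setgid (-2000).
# Symlinks are skipped because find without -L never matches them as -type f/d.
weak_perms() {
    root="$1"
    find "$root" \( -type f -o -type d \) \
        \( -perm -0002 -o -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} + 2>/dev/null |
      awk '{
          # ls -ld fields: mode links owner group size month day time name...
          path = $9
          for (i = 10; i <= NF; i++) path = path " " $i   # keep spaces in names
          print $3 "\t" $1 "\t" path
      }'
}

# Number of weak entries found (handy for a cron job that only mails on >0).
weak_count() {
    weak_perms "$1" | wc -l | tr -d ' '
}

# Human-readable report grouped by owner, one header line per account.
report() {
    weak_perms "$1" | sort | awk -F'\t' '
        $1 != last { print "== owner: " $1; last = $1 }
        { print "   " $2 "  " $3 }'
}

if [ $# -gt 0 ]; then
    if [ "$(weak_count "$1")" = "0" ]; then
        echo "no weak permissions found under $1"
    else
        report "$1"
    fi
fi
```

World-writable directories are reported even when the sticky bit is set; if a customer legitimately needs a tmp-style directory, whitelist it in the report rather than loosening the find expression.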

  21. #21
    Originally posted by weblined
    One more question:

    I'm not discounting the folks who are recommending a firewall. But, what kind of protection would a firewall offer that the other methods described in this thread don't? Specifically, what benefits would I get from running a firewall on a server whose primary purpose is web hosting?

    Thanks again,
    Steve
    Many firewalls also offer protection against SYN floods and IP spoofing. Also, you can't block IP addresses without a firewall, or access to a router.

    Sure, I agree, it's best to have your upstream provider take care of that. But you want to have a backup solution in place also, in case you are unable to contact your provider, or they are late responding.
