Newbie: setting up firewall
Posted: 06 Nov 2023, 15:49
Hi all,
On my VPS I use:
- WHM/cPanel v114.0.11
- CloudLinux v8.8.0
- Plug-in: ConfigServer Security & Firewall - csf v14.20
I am a beginner.
On my VPS I host several websites for others. Also, the VPS serves as a mail server.
Part 1:
I perform all management tasks for my VPS from one fixed IP address, for example xxx.xxx.xxx.xxx.xxx. This IP address should never be blocked and all ports should always be accessible.
Part 2:
For security reasons I want to make only the necessary ports accessible when the VPS is accessed from all other IP addresses.
I think the following ports should be accessible:
- websites: port 80 and port 443 (http and https)
- mail incoming: 143 and 993 (SSL)
- mail outgoing: (IMAP only), 465 (SSL), 587 (TLS) (not port 25 for security reasons)
--------------------------------------------------------
Possible solution Part 1?:
To ensure that I can always access the VPS from my fixed IP address, which is never blocked, I would have to do the following:
Either
- Add the IP address to the csf.allow file
- Add the IP address to the csf.ignore file
Or
- Add the IP address to the csf.allow file
- and enable the IGNORE_ALLOW option in csf.conf
OR
- Add the following line in csf.conf under 'Allow incoming TCP ports':
tcp:in:d=1_65535:s=xxx.xxx.xxx.xxx.xxx
Which is the best way?
Possible solution Part 2?:
To block all ports for all other IP addresses except ports:
80,443,143,993,465 and 587
- Add the following line:
tcp:in:d=1_79,81_142,144_442,444_464,466_992,993_65535
a) Is this correct?
b) Where should I place this line?
c) Should any other ports be open?
d) Should I use the same rule for UDP?
Thank you in advance,
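The "Is this correct?" question under Part 2 can be checked mechanically rather than by eye. The script below is an added example, not code from the post or from the csf project. It expands csf-style port specs (comma-separated, with lo_hi ranges, the syntax csf accepts in TCP_IN), reports which of the wanted ports fall inside a proposed block-range list, and computes the exact complement of a port list. Run against the line from the post it reports 587 and 993 as cut off (466_992 swallows 587, and 993_65535 starts one port too early). The function names and the sample port lists at the bottom are this example's own; the block list is the one from the post. One caveat a csf user should keep in mind: TCP_IN in csf.conf is an allow list, everything not listed there is dropped, so the usual way to get Part 2 is to set TCP_IN to the wanted ports and never hand-write a deny list at all.

```shell
#!/usr/bin/env bash
# Added example, not from the post or the csf project.
# Sanity-check a csf port plan. csf port specs are comma-separated and may
# contain lo_hi ranges (e.g. "80,443,30000_35000"), the syntax TCP_IN uses.
# Function names and the sample port lists below are this example's own.

# Expand a csf-style port spec to one port per line, numerically sorted, unique.
expand_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r item; do
        case $item in
            '')  ;;                                  # tolerate empty fields
            *_*) seq "${item%_*}" "${item#*_}" ;;   # lo_hi range
            *)   printf '%s\n' "$item" ;;            # single port
        esac
    done | sort -n | uniq
}

# Read ports one per line on stdin and emit csf syntax, folding runs of
# consecutive ports into lo_hi.
to_csf_spec() {
    sort -n | uniq | awk '
        function piece(lo, hi) { return (lo == hi) ? lo : (lo "_" hi) }
        NR == 1      { lo = hi = $1; next }
        $1 == hi + 1 { hi = $1; next }
                     { out = out sep piece(lo, hi); sep = ","; lo = hi = $1 }
        END          { if (NR) out = out sep piece(lo, hi); print out }'
}

# Ports that a block-range spec ($1) shares with the desired-open spec ($2):
# with a deny-style list these are the services the plan would cut off.
overlap_ports() {
    { expand_ports "$1"; printf '%s\n' --; expand_ports "$2"; } | awk '
        /^--$/        { second = 1; next }
        !second       { block[$1] = 1; next }
        ($1 in block) { print }' | tr '\n' ',' | sed 's/,$//'
}

# Every port in 1..65535 that is NOT in the given spec, as csf ranges.
# Fed the open-port list it yields the deny list that exactly complements it;
# fed "block,open" together it shows any port left unaccounted for.
complement_spec() {
    expand_ports "$1" | awk '
        { seen[$1] = 1 }
        END { for (p = 1; p <= 65535; p++) if (!(p in seen)) print p }' | to_csf_spec
}

# The allow-list form: what to put in TCP_IN in csf.conf for these services.
build_tcp_in() {
    expand_ports "$1" | to_csf_spec
}

# Demo with the port lists from the post (constructed input for this example).
wanted="80,443,143,993,465,587"
proposed_block="1_79,81_142,144_442,444_464,466_992,993_65535"
echo "TCP_IN = \"$(build_tcp_in "$wanted")\""
echo "wanted ports the proposed block list would cut off: $(overlap_ports "$proposed_block" "$wanted")"
echo "deny ranges that exactly complement the wanted ports: $(complement_spec "$wanted")"
echo "ports covered by neither list: '$(complement_spec "$proposed_block,$wanted")'"
```

The same expand/complement pair answers question d) as well: run it over a UDP spec to see what a candidate UDP_IN actually covers before committing it. Whatever the script says, the management IP in csf.allow is evaluated before the port lists, so that address keeps full access regardless of TCP_IN.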