Usit firewall
TBA.
Introduction
A firewall is a system that provides network security by filtering incoming and outgoing network traffic based on a set of user-defined rules. In general, the purpose of a firewall is to reduce or eliminate unwanted network communication while allowing all legitimate communication to flow freely. In most server infrastructures, firewalls provide an essential layer of security that, combined with other measures, prevents attackers from accessing the server in malicious ways.
For a web server, we only want to allow remote login (ssh) from a limited range of IP-addresses, and for web clients to connect on the standard web ports (http and https). Everything else should be blocked.
The ports to keep open:
22 : ssh
80 : http
443 : https
Drush uses wget to download projects. Wget makes outgoing http and https connections, and both firewall configurations described below allow all outgoing traffic by default, so the firewall will not interfere with normal operations to keep the site up to date.
Firewalld
The RHEL7 firewall service (firewalld) is installed on the system by default. Use the firewalld CLI (firewall-cmd) to check that the service is running.
Zones represent a concept to manage incoming traffic more transparently. The zones are connected to networking interfaces or assigned a range of source addresses. You manage firewall rules for each zone independently, which enables you to define complex firewall settings and apply them to the traffic.
To list the zones available on your system:
$ sudo firewall-cmd --get-zones
backup block dmz drop external home internal public trusted work
To list the currently active zones and the interfaces or source ranges assigned to them:
$ sudo firewall-cmd --get-active-zones
backup
  sources: 129.240.2.160/27 2001:700:100:8200::/64
public
  interfaces: ens192
This output shows that the public zone is bound to the interface ens192, so traffic arriving on that interface is filtered by the rules of the public zone. The exception is traffic from the two source ranges listed under backup, which is handled by the backup zone instead: source-based zone assignment takes precedence over interface-based assignment.
-------------------------
If you're unable to access the web server at this point (to see the default Apache screen), and instead see some message from your browser that typically tells you that the server takes too long to respond, the problem may be that port 80 is blocked by the firewall. You can use the following command to check the status of the firewall setting:
$ sudo iptables-save | grep 80
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
If the line shown above is part of the output, port 80 is not blocked by the firewall. If the output is empty or contains only text unrelated to port 80, the firewall is set up to block http access. If so, change the firewall rules to enable port 80/tcp (--permanent writes the rule to the saved configuration; the --reload is what makes it active):
$ sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
success
$ sudo firewall-cmd --reload
success
If you plan to use the database from a remote server, you need to permit connections through the firewall. Note that adding the mysql service this way accepts connections to port 3306 from every address in the zone, so only do this if the database itself restricts which hosts may log in; otherwise limit the rule to the remote server's address.
$ sudo firewall-cmd --permanent --add-service=mysql
success
$ sudo firewall-cmd --reload
success
$ sudo firewall-cmd --list-all
public (default, active)
  interfaces: eno16780032
  sources:
  services: dhcpv6-client mysql ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
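The steps above open ports and services zone-wide. The following script is an added example, not code from the original page: it plans and applies a firewalld policy for the web server described in the introduction (ssh only from the whitelisted ranges, http/https from anywhere, mysql only from one remote host) using rich rules with a source address, and it checks the resulting iptables rules with an exact match instead of the loose grep used above. ADMIN_NETS is the page's own whitelist; DB_CLIENT (10.0.0.5) is an assumed placeholder for the remote database client, the function names are mine, and the iptables-save sample is constructed.

```shell
#!/bin/bash
# Added example (not from the original page): plan and apply a source-restricted
# firewalld policy, then check iptables-save output precisely.
# ADMIN_NETS is the page's whitelist; DB_CLIENT is an assumed placeholder.

ADMIN_NETS="91.205.187.70 138.68.64.125 138.68.64.217 167.172.177.32 129.240.0.0/16 77.16.0.0/16 77.18.0.0/16"
DB_CLIENT="10.0.0.5/32"   # assumed: the remote server that needs the database

# Print, without running, the firewall-cmd invocations that implement the policy.
# Rich rules carry a source address, so ssh and mysql are not opened zone-wide.
fw_plan() {
    local net
    printf '%s\n' "firewall-cmd --permanent --zone=public --add-service=http"
    printf '%s\n' "firewall-cmd --permanent --zone=public --add-service=https"
    # The default public zone already contains the ssh service; remove it so the
    # source-restricted rich rules are the only way in on port 22.
    printf '%s\n' "firewall-cmd --permanent --zone=public --remove-service=ssh"
    for net in $ADMIN_NETS; do
        printf '%s\n' "firewall-cmd --permanent --zone=public --add-rich-rule='rule family=\"ipv4\" source address=\"$net\" service name=\"ssh\" accept'"
    done
    printf '%s\n' "firewall-cmd --permanent --zone=public --add-rich-rule='rule family=\"ipv4\" source address=\"$DB_CLIENT\" service name=\"mysql\" accept'"
    printf '%s\n' "firewall-cmd --reload"
}

# Apply the plan. Run this from one of the ADMIN_NETS addresses: once the
# generic ssh service is removed, other sources can no longer reach port 22.
fw_apply() {
    fw_plan | while IFS= read -r cmd; do
        eval "sudo $cmd" || return 1
    done
}

# Check iptables-save output (on stdin) for an ACCEPT of TCP port $1 in
# IN_public_allow, with or without a source restriction (-s). Matching the
# whole "--dport N " token avoids the false positives of egrep '22|80|443',
# which also matches 2200, 8080 or an address containing those digits.
port_open() {
    grep -Eq "^-A IN_public_allow (-s [^ ]+ )?-p tcp -m tcp --dport $1 .*-j ACCEPT$"
}

# Constructed sample of iptables-save output for the demo below.
SAMPLE_RULES='-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -s 129.240.0.0/16 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT'

# Demo: 443 and 22 are accepted (22 only from the admin range), 80 is not,
# even though the 8080 rule would fool a plain "grep 80".
for p in 22 80 443; do
    if printf '%s\n' "$SAMPLE_RULES" | port_open "$p"; then
        echo "port $p/tcp: accepted"
    else
        echo "port $p/tcp: blocked"
    fi
done
```

Review the output of fw_plan before running fw_apply, and run it from a whitelisted address. The rich rules above are IPv4 only; if the server has a public IPv6 address, the admin ranges need matching family="ipv6" rules (the backup zone in the output above shows such a range), otherwise ssh over IPv6 is closed entirely once the ssh service is removed.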
---
To authenticate users and to grant access to the database, phpMyAdmin allows four different authentication methods:
- cookie – Prompts for MySQL credentials using its own authentication scheme (default if using dbconfig-common).
- http – Prompts for MySQL credentials using HTTP basic authentication.
- signon – Uses an external (SSO) application for authentication via a prepared PHP script.
- config – MySQL username and password stored in clear text in the configuration file.
The config method should only be used if the server running phpMyAdmin is placed behind a firewall in a secure environment, or some other authentication (such as an Apache .htaccess) is used to limit access. Otherwise it is not only dangerous because the MySQL username and password are stored in clear text, but also because it does not password-protect phpMyAdmin or the database: anyone who can access the correct URL is logged directly in and can manipulate the database.
For some distributions of MySQL and MariaDB (not the default one for RHEL7) the default security model lets the database user root log in only from the local unix socket as the system root user (i.e. via sudo), so phpMyAdmin will not be able to log in as root. Workarounds are discussed on StackOverflow, but it is safer to keep the default security model and give phpMyAdmin a separate, less privileged database user.
UFW
UFW, or Uncomplicated FireWall, is an interface to iptables (the standard program to manage the tables implemented by the GNU/Linux kernel firewall). UFW is geared towards simplifying the process of configuring a firewall. While iptables is a solid and flexible tool, it can be difficult to learn how to use it to properly configure a firewall. UFW is easier to work with.
UFW is installed by default on Ubuntu. If it is not for some reason, you can install it with the following command:
$ sudo apt install ufw
To check its status, you may use the following command:
$ sudo ufw status verbose
Status: inactive
If the status is inactive, even if rules are defined, the status command will not let you see them.
However, this command will:
$ sudo ufw show added
Added user rules (see 'ufw status' for running firewall):
(None)
The above indicates that no rules have been added yet.
If you get a warning about duplicate apache profiles, navigate to /etc/ufw/applications.d. You will probably find two identical apache profiles. Remove apache2.2-common.
Setting up default policies
By default, UFW is set to deny all incoming connections and allow all outgoing connections. To make sure the UFW rules are set to these defaults before we start adding new rules, do the following:
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
Allowing incoming connections
To allow incoming connections for ssh and web, do:
$ sudo ufw allow ssh
$ sudo ufw allow http
$ sudo ufw allow https
To get an overview of the rules added:
$ sudo ufw show added
Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
Enabling the firewall
To see the status of the firewalld service (RHEL7):
$ sudo firewall-cmd --state
running
For more information about the status, use systemctl:
$ systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; …
   Active: active (running) since Sun 2020-10-04 08:05:15 CEST; 50min ago
     Docs: man:firewalld(1)
 Main PID: 807 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─807 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
The firewalld service can be stopped with the following command:
$ sudo service firewalld stop
Redirecting to /bin/systemctl stop firewalld.service
While firewalld is stopped its rules are removed and no filtering takes place, so every listening service on the host is reachable from the network. A stopped firewalld service will start again after a reboot, since the unit is enabled. To start the firewalld service without rebooting, use:
$ sudo service firewalld start
Redirecting to /bin/systemctl start firewalld.service
To check all currently applied rules use:
$ sudo iptables-save
This produces a lot of output. To check for specific ports, use the following (note that the pattern matches any line containing those digits, for example a rule for port 2200 or an address containing 80, so read the matching lines rather than just counting them):
$ sudo iptables-save | egrep '22|80|443'
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
If the lines shown above are part of the output, these ports are not blocked by the firewall. If the output is empty or contains only text unrelated to these ports, the firewall is set up to block access. To change the firewall rules to enable port 80/tcp:
$ sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
success
$ sudo firewall-cmd --reload
success
To enable UFW (Ubuntu), use this command:
$ sudo ufw enable
Command may disrupt existing ssh ….
Proceed with operation (y|n)? y
Firewall active and is enabled on system startup
The warning that the command may disrupt existing ssh connections means that your current connection may go dead. As long as a rule allowing ssh was added before enabling the firewall (as above), you will be able to log in again; if you enable it on a remote server before adding that rule, you lock yourself out.
You may disable UFW with the following command:
$ sudo ufw disable
Firewall stopped and disabled on system startup
When the firewall is active, the following command shows which rules are set:
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
Adjusting permissions
If you want to restrict ssh to a subnet of IP addresses, you can do so using CIDR notation to specify a netmask. For example, to allow access on port 22 for all addresses starting with "129.240" (but no others) you specify "129.240.0.0/16". You also need to delete the rule that allows connections to port 22 from anywhere. The following sequence of commands accomplishes this:
$ sudo ufw allow from 129.240.0.0/16 to any port 22
$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 22/tcp                     ALLOW IN    129.240.0.0/16
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
$ sudo ufw delete 1
The order of commands is significant: if you delete the first port 22 rule before adding the one with a restricted IP range, you will lock yourself out. Note also that deleting rule 1 only removes the IPv4 rule; rule 5 still allows ssh from anywhere over IPv6 and must be deleted as well if the server has a public IPv6 address. Rule numbers shift after every delete, so run ufw status numbered again before each delete, or delete the higher-numbered rule first. The allow rule above also opens UDP on port 22; add "proto tcp" to limit it to ssh.
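The following script is an added example, not code from the original page. It automates the procedure above for the whole whitelist further down this page: it emits the TCP-only ssh allow rules for each whitelisted source, then parses the output of ufw status numbered to find every rule (IPv4 and IPv6) that still admits a port from Anywhere and emits the delete commands highest-number-first, so the numbers stay valid while deleting. ADMIN_NETS is the page's own whitelist, the function names are mine, and the status listing is a constructed sample mirroring the one above.

```shell
#!/bin/bash
# Added example (not from the original page): generate the ufw commands that
# lock ssh down to the whitelist without leaving an IPv6 "Anywhere" rule behind.

ADMIN_NETS="91.205.187.70 138.68.64.125 138.68.64.217 167.172.177.32 129.240.0.0/16 77.16.0.0/16 77.18.0.0/16"

# Constructed sample of "ufw status numbered" as it looks right after
# "ufw allow from 129.240.0.0/16 to any port 22" (mirrors the listing above).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 22/tcp                     ALLOW IN    129.240.0.0/16
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 443/tcp (v6)               ALLOW IN    Anywhere (v6)'

# Read "ufw status numbered" from stdin and print the numbers of the rules that
# allow TCP port $1 from Anywhere (IPv4 or IPv6), highest number first.
unrestricted_rules() {
    awk -v port="$1" '
        /^\[ *[0-9]+\]/ {
            n = $0; sub(/^\[ */, "", n); sub(/\].*/, "", n)      # rule number
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)          # "To ... Action ... From"
            split(rest, f, / +/)                                 # f[1] is the To column
            if (f[1] == (port "/tcp") && rest ~ /ALLOW IN +Anywhere/) print n
        }' | sort -rn
}

# Emit the allow rules for ssh from each whitelisted source, TCP only (the
# page's "ufw allow from ... to any port 22" also opens UDP 22). These must be
# applied before any Anywhere rule for port 22 is deleted, or you lock yourself out.
allow_cmds() {
    local net
    for net in $ADMIN_NETS; do
        printf 'ufw allow proto tcp from %s to any port 22\n' "$net"
    done
}

# Emit "ufw delete N" for each rule that still admits port $1 from Anywhere.
# Deleting the highest number first keeps the lower numbers valid.
delete_cmds() {
    unrestricted_rules "$1" | while read -r n; do
        printf 'ufw delete %s\n' "$n"
    done
}

# Demo on the constructed sample: rules 5 (IPv6) and 1 (IPv4) must both go.
allow_cmds
printf '%s\n' "$SAMPLE_STATUS" | delete_cmds 22
```

On a live host, run the allow commands first, then pipe the real listing through delete_cmds (sudo ufw status numbered | delete_cmds 22) and review the result before executing it with sudo; ufw delete asks for confirmation for each rule unless it is given --force.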
To learn the public IP-adress of the PC your browser runs on, visit WhatIsMyIPAddress.com.
To learn a web server's public address from the CLI, type:
$ hostname -I
138.68.64.125
(hostname -I lists every address configured on the host; on a server with several interfaces, pick the public one.)
Check the current IP-address for HNM-PC at whatismyipaddress.com. History:
IPv4: 77.16.60.64 (2020-01-30)
IPv4: 77.16.61.93 (2020-01-31)
IPv4: 77.16.217.106 (2020-03-29)
I.e.: The IP-address assigned by Telenor seems to change pretty randomly.
These are the IP-addresses I currently whitelist:
91.205.187.70 (pvn.no)
138.68.64.125 (do18)
138.68.64.217 (do19)
167.172.177.32 (do20)
129.240.0.0/16 (UiO)
77.16.0.0/16 (HNM-PC - Telenor)
77.18.0.0/16 (HNM-PC - Telenor)
Final word
[TBA]
Last update: 2018-11-06 [gh].