Usit firewall

by Gisle Hannemyr

TBA.

Introduction

A firewall is a system that provides network security by filtering incoming and outgoing network traffic based on a set of user-defined rules. In general, the purpose of a firewall is to reduce or eliminate the occurrence of unwanted network communications while allowing all legitimate communication to flow freely. In most server infrastructures, firewalls provide an essential layer of security that, combined with other measures, prevent attackers from accessing the server in malicious ways.

For a web server, we only want to allow remote login (ssh) from a limited range of IP-addresses, and for web clients to connect on the standard web ports (http and https). Everything else should be blocked.

Sources:

The ports to keep open:

 22 : ssh
 80 : http
443 : https

Drush uses wget to download projects. Wget uses http and https so a firewall that keeps these ports open will not interfere with normal operations to keep the site up to date.

Firewalld

The RHEL7 firewall service (firewalld) is installed on the system by default. Use the firewalld command line interface (firewall-cmd) to check that the service is running.

Zones represent a concept to manage incoming traffic more transparently. The zones are connected to networking interfaces or assigned a range of source addresses. You manage firewall rules for each zone independently, which enables you to define complex firewall settings and apply them to the traffic.

To list the zones available on your system:

$ sudo firewall-cmd --get-zones
backup block dmz drop external home internal public trusted work

To list the currently active zones and the interfaces or source ranges assigned to them:

$ sudo firewall-cmd --get-active-zones
backup
  sources: 129.240.2.160/27 2001:700:100:8200::/64
public
  interfaces: ens192

This response indicates that the interface known as ens192 is assigned to the public zone, while the backup zone is not bound to an interface but to the listed source ranges; traffic from those ranges is handled by the backup zone's rules, everything else arriving on ens192 by the public zone's rules.

-------------------------

If you're unable to access the web server at this point (to see the default Apache screen), and instead see some message from your browser that typically tells you that the server takes too long to respond, the problem may be that port 80 is blocked by the firewall. You can use the following command to check the status of the firewall setting:

$ sudo iptables-save | grep 80
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

If the line shown above is part of the output from the command, port 80 is not blocked by the firewall. If the output is empty, or only contains text that is unrelated to port 80, the firewall is set up to disable http access. If so, change the firewall rules to enable port 80/tcp:

$ sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
success
$ sudo firewall-cmd --reload
success

If you plan to use the database from a remote server, you need to permit connections through the firewall:

$ sudo firewall-cmd --permanent --add-service=mysql
success
$ sudo firewall-cmd --reload
success
$ sudo firewall-cmd --list-all
public (default, active)
  interfaces: eno16780032
  sources: 
  services: dhcpv6-client mysql ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
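The page's stated goal is a web server where http and https are open to everyone but ssh is reachable only from a limited range of addresses. firewalld expresses that with the same mechanism the --get-active-zones output above shows for the "backup" zone: a zone bound to source ranges rather than to an interface. The script below is an added example, not part of the original page and not firewalld's own tooling; the zone name "admin" and the ADMIN_SOURCES ranges are constructed placeholders, and the run() wrapper only prints the firewall-cmd invocations unless DRY_RUN=0 is set (applying them needs root).

```shell
#!/bin/sh
# Added example (not from the original page): put ssh into a source-bound
# zone so only the admin ranges reach it, and leave only web services in the
# public zone that is bound to the NIC. Zone name and ranges are placeholders.
set -eu

ADMIN_ZONE="admin"
# Constructed placeholder ranges; replace with the ranges you log in from.
ADMIN_SOURCES="${ADMIN_SOURCES:-129.240.0.0/16 2001:700:100:8200::/64}"

# run: print the command in dry-run mode (default), execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

configure_firewalld() {
    # 1. A zone whose membership is decided by source address. --new-zone
    #    fails if the zone already exists, so this is a first-time setup step.
    run --permanent --new-zone="$ADMIN_ZONE"
    for src in $ADMIN_SOURCES; do
        run --permanent --zone="$ADMIN_ZONE" --add-source="$src"
    done
    run --permanent --zone="$ADMIN_ZONE" --add-service=ssh
    # 2. The public zone (bound to the interface) carries web traffic only.
    run --permanent --zone=public --add-service=http
    run --permanent --zone=public --add-service=https
    run --permanent --zone=public --remove-service=ssh
    # 3. --reload makes the permanent configuration the running one; until
    #    then the old rules (ssh open to everyone) are still in effect.
    run --reload
}

configure_firewalld
```

Run it once in dry-run mode and read the printed commands; the ssh removal from the public zone is the step that can lock you out if the admin zone's source list does not cover the address you are connected from, so verify that with `firewall-cmd --zone=admin --list-sources` after the reload while your current session is still open.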

---

To authenticate users and to grant access to the database, phpMyAdmin allows four different authentication methods:

  1. cookie – Prompts for MySQL credentials using its own authentication scheme (default if using dbconfig-common).
  2. http – Prompts for MySQL credentials using HTTP basic authentication.
  3. signon – Uses an external (SSO) application for authentication via a prepared PHP script.
  4. config – MySQL username and password stored in clear text in the configuration file.

The config method should only be used if the server running phpMyAdmin is placed behind a firewall in a secure environment, or some other authentication (such as an Apache .htaccess) is used to limit access. Otherwise, it is dangerous not only because the MySQL username and password are stored in clear text, but also because it does not password-protect phpMyAdmin or the database. Anyone who can access the correct URL is logged directly in and can manipulate the database.

Note: For some distributions (not the default distribution for RHEL7) of MySQL and MariaDB the default security model requires sudo for dbuser root to log in (i.e. phpMyAdmin will not be able to log in as root). Workarounds are discussed on StackOverflow, but it is safer to keep the default security model.

XXXXX

UFW, or Uncomplicated FireWall, is an interface to iptables (i.e. the standard program to manage the tables implemented by the GNU/Linux kernel firewall). UFW is geared towards simplifying the process of configuring a firewall. While iptables is a solid and flexible tool, it can be difficult to learn how to use it to properly configure a firewall. UFW is easier to work with.

UFW is installed by default on Ubuntu. If it is not for some reason, you can install it with the following command:

$ sudo apt install ufw

To check its status, you may use the following command:

$ sudo ufw status verbose
Status: inactive

If the status is inactive, even if rules are defined, the status command will not let you see them.

However, this command will:

$ sudo ufw show added
Added user rules (see 'ufw status' for running firewall):
(None)

The above indicates that no rules have been added yet.

Note: If you get a warning about duplicate apache profiles, navigate to /etc/ufw/applications.d. You will probably find two identical apache profiles. Remove apache2.2-common.

Setting up default policies

By default, UFW is set to deny all incoming connections and allow all outgoing connections. But to make sure the UFW rules are set to the defaults before we start adding new rules, do the following:

$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing

Allowing incoming connections

To allow incoming connections using ssh and web, do:

$ sudo ufw allow ssh
$ sudo ufw allow http
$ sudo ufw allow https

To get an overview over rules added:

$ sudo ufw show added
Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp

Enabling the firewall

To see the status of the firewalld service:

$ sudo firewall-cmd --state
running

For more information about the status, use systemctl:

$ systemctl status firewalld
  firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; …
   Active: active (running) since Sun 2020-10-04 08:05:15 CEST; 50min ago
     Docs: man:firewalld(1)
 Main PID: 807 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─807 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid  

The firewalld service can be stopped with the following command:

$ sudo service firewalld stop
Redirecting to /bin/systemctl stop  firewalld.service

A stopped firewalld service will start again after a system reboot. To start the firewalld service without rebooting, use:

$ sudo service firewalld start
Redirecting to /bin/systemctl start  firewalld.service

To check all currently applied rules use:

$ sudo iptables-save

This produces a lot of output. To check for specific ports, use:

$ sudo iptables-save | egrep '22|80|443'
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

If the lines shown above are part of the output from the command, these ports are not blocked by the firewall. If the output is empty, or only contains text that is unrelated to these ports, the firewall is set up to disable access. In that case, change the firewall rules to enable port 80/tcp:

$ sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
success
$ sudo firewall-cmd --reload
success
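The two checks above (`iptables-save | grep 80` and `iptables-save | egrep '22|80|443'`) match on a bare number, so a rule for port 8080 or 1800, or a DROP rule that happens to mention the port, also produces output and can be misread as "open". The script below is an added example, not code from the original page: it parses iptables-save style lines and reports a port as open only when an ACCEPT rule names exactly that TCP destination port. The rule dump embedded in it is constructed for the example, not captured from a real host; on a live system you would feed it `sudo iptables-save` as shown in the comment.

```shell
#!/bin/sh
# Added example (not from the original page): decide per port whether an
# iptables-save dump contains a tcp ACCEPT rule for exactly that port.
set -eu

# Constructed sample in iptables-save format (not captured from a real host).
# Port 80 is deliberately absent, 8080 is present, and 3306 is a DROP rule.
SAMPLE_RULES='-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_deny -p tcp -m tcp --dport 3306 -m conntrack --ctstate NEW -j DROP'

# port_allowed RULES PORT -> exit status 0 if a tcp ACCEPT rule for PORT exists.
# The trailing space after the port keeps "--dport 80 " from matching 8080,
# and the "-j ACCEPT$" anchor ignores DROP/REJECT rules for the same port.
port_allowed() {
    printf '%s\n' "$1" | grep -qE -- "-p tcp .*--dport $2 .*-j ACCEPT$"
}

# report RULES PORT... -> one "PORT: open" or "PORT: blocked" line per port.
report() {
    rules=$1
    shift
    for p in "$@"; do
        if port_allowed "$rules" "$p"; then
            echo "$p: open"
        else
            echo "$p: blocked"
        fi
    done
}

# Live use on a host:  report "$(sudo iptables-save)" 22 80 443
report "$SAMPLE_RULES" 22 80 443 8080
```

With the constructed dump the report is "22: open", "80: blocked", "443: open", "8080: open"; the page's `grep 80` would have printed the 8080 line and suggested http was reachable.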
xxxx

To enable UFW, use this command:

$ sudo ufw enable
Command may disrupt existing ssh …. Proceed with operation (y|n)? y
Firewall active and is enabled on system startup

The warning that the command may disrupt existing ssh connections means that your current connection may go dead. However, as long as there is a firewall rule that allows ssh connections, you will be able to log in again.

You may disable UFW with the following command:

$ sudo ufw disable
Firewall stopped and disabled on system startup

When the firewall is active, the following command will tell you which rules are set:

$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                 Action    From
--                 ------    ----
22/tcp             ALLOW IN  Anywhere
80/tcp             ALLOW IN  Anywhere
443/tcp            ALLOW IN  Anywhere
22/tcp (v6)        ALLOW IN  Anywhere (v6)
80/tcp (v6)        ALLOW IN  Anywhere (v6)
443/tcp (v6)       ALLOW IN  Anywhere (v6)

Adjusting permissions

If you want to allow a subnet of IP addresses, you can do so using CIDR notation to specify a netmask. For example, to allow access on port 22 for all addresses starting with “129.240” (but no other) you may specify that using this format: “129.240.0.0/16”. You also need to delete the rule that allows connections to port 22 from anywhere. The following sequence of commands accomplishes this:

$ sudo ufw allow from 129.240.0.0/16 to any port 22
$ sudo ufw status numbered
Status: active

     To                 Action    From
     --                 ------    ----
[ 1] 22/tcp             ALLOW IN  Anywhere
[ 2] 80/tcp             ALLOW IN  Anywhere
[ 3] 443/tcp            ALLOW IN  Anywhere
[ 4] 22/tcp             ALLOW IN  129.240.0.0/16
[ 5] 22/tcp (v6)        ALLOW IN  Anywhere (v6)
[ 6] 80/tcp (v6)        ALLOW IN  Anywhere (v6)
[ 7] 443/tcp (v6)       ALLOW IN  Anywhere (v6)
$ sudo ufw delete 1

The order of the commands is significant: if you delete the first port 22 rule before adding the one with a restricted IP range, you will lock yourself out.
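The UFW steps above (default policies, allow web and ssh, then narrow ssh to admin ranges and delete the open rule) are the kind of thing worth scripting so the order is fixed and a reinstall does not repeat the lockout mistake. The script below is an added example, not code from the original page or from the UFW project. It differs from the interactive sequence in two ways: it deletes the open ssh rule by its specification (`ufw delete allow ssh`) instead of by position number, because numbers shift every time a rule is added or removed, and it uses `ufw --force enable` to skip the interactive prompt. The ADMIN_NETS ranges are constructed placeholders, and the run() wrapper only prints the ufw commands unless DRY_RUN=0 is set (applying them needs root).

```shell
#!/bin/sh
# Added example (not from the original page): the page's UFW setup in the
# lockout-safe order, with ssh restricted to admin ranges.
set -eu

# Constructed placeholder ranges; replace with the ranges you log in from.
ADMIN_NETS="${ADMIN_NETS:-129.240.0.0/16 77.16.0.0/16}"

# run: print the command in dry-run mode (default), execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "ufw $*"
    else
        ufw "$@"
    fi
}

configure_ufw() {
    # Default policies: nothing in, everything out.
    run default deny incoming
    run default allow outgoing
    # Web ports open to anyone (also what drush/wget need for updates).
    run allow http
    run allow https
    # ssh from the admin ranges only. The narrow rules are added FIRST ...
    for net in $ADMIN_NETS; do
        run allow from "$net" to any port 22 proto tcp
    done
    # ... and only then is the "22/tcp ALLOW IN Anywhere" rule removed,
    # by specification rather than by the position number shown in
    # 'ufw status numbered', which changes as rules come and go.
    run delete allow ssh
    # --force answers the "may disrupt existing ssh connections" prompt.
    run --force enable
}

configure_ufw
```

After a real run, `ufw status verbose` should list 80/tcp and 443/tcp from Anywhere and 22/tcp only from the admin ranges; if your own address is not inside one of those ranges, the delete step is the one that cuts the session, so compare the ranges against `hostname -I` on the client side before setting DRY_RUN=0.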

To learn the public IP-address of the PC your browser runs on, visit WhatIsMyIPAddress.com.

To learn a web server's public address from the CLI, type:

$ hostname -I
138.68.64.125

Check current IP-address for HNM-PC: whatismyipaddress.com. History:

IPv4: 77.16.60.64 (2020-01-30)
IPv4: 77.16.61.93 (2020-01-31)
IPv4: 77.16.217.106 (2020-03-29)

I.e.: The IP-address assigned by Telenor seems to change pretty randomly.

These are the IP-addresses I currently whitelist:

91.205.187.70  (pvn.no)
138.68.64.125  (do18)
138.68.64.217  (do19)
167.172.177.32 (do20)
129.240.0.0/16 (UiO)
77.16.0.0/16   (HNM-PC - Telenor)
77.18.0.0/16   (HNM-PC - Telenor)

Final word

[TBA]


Last update: 2018-11-06 [gh].