You just provisioned a fresh Linux server. Within minutes, the SSH brute-force bots will arrive.

There are too many ways to build a firewall in Linux. I wrote a practical guide to the four major tools: iptables, nftables, firewalld, and ufw, including their mental models and deployable configs.

Also includes a deep dive into the "Docker Trap" (why Docker silently bypasses your default-deny rules) and how to fix it.

(And yes, I still spend the intro and conclusion reminding everyone that FreeBSD's PF is the undisputed king of packet filtering. Let's argue in the replies.)

Read it here: https://blog.hofstede.it/linux-firewalls-how-to-actually-secure-a-cloud-server-iptables-nftables-firewalld-ufw/

#Linux #Sysadmin #DevOps #Security #Netfilter #Docker #Networking

Linux Firewalls: How to Actually Secure a Cloud Server (iptables, nftables, firewalld, ufw)

A practical guide to the four major Linux firewall technologies - iptables, nftables, firewalld, and ufw. Covers real-world cloud server hardening with concrete examples, from locking down SSH to b...

Larvitz Blog
@Larvitz `ssh` should not be facing the Internet these days for the vast majority of users, even though by default it usually makes secure choices (like, no root user and keys instead of passwords). Your VPS should come with console access, which can be used for initial configuration and emergency access. You can then choose to set up management access via some separate network, probably a VPN.
@yojimbo Often, yes. But in the scope of my blog post, that's just a prominent example. The content is more about Linux packet filters and firewall technologies in general. And there are many more potential use cases for that.

@Larvitz You're not wrong; and an exposed ssh port has been ubiquitous for many years, so it makes for a good example.

These days I tend to argue the other way around - the host firewall should be involved in blocking outbound traffic as its primary job. There's no need to block inbound traffic, as there should be no services on "unwanted" ports. Network-level firewalling is a different beast though.
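As an added illustration of the two positions in this thread (a default-deny host firewall with SSH as the exposed example, and outbound filtering as the host firewall's main job), here is an nftables ruleset written for this reply; it is not taken from the linked blog post. It assumes a single interface `eth0`, SSH on port 22, a constructed resolver address `203.0.113.53` from the documentation range, and that the host only needs DNS, NTP and HTTP(S) outbound. The forward chain comment reflects a fact about port publishing: DNAT'd container traffic traverses the forward hook, not input, so input-only default-deny does not cover it.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the linked post). Assumptions: interface eth0,
# SSH on 22, constructed resolver 203.0.113.53, outbound limited to DNS/NTP/HTTP(S).
# Check syntax before loading:  nft -c -f /etc/nftables.conf
# Load:                          nft -f /etc/nftables.conf

flush ruleset

table inet host {
    # Resolvers this host may talk to; keep the list short and explicit.
    set dns_servers {
        type ipv4_addr
        elements = { 203.0.113.53 }        # constructed sample address
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # ICMP/ICMPv6 are needed for path MTU discovery and neighbour discovery.
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # SSH: new connections are rate-limited (global limit; a per-source limit
        # would need a dynamic set) and the excess is logged so bot activity is visible.
        tcp dport 22 ct state new limit rate 6/minute accept
        tcp dport 22 ct state new log prefix "ssh-flood: " drop

        log prefix "input-drop: " drop
    }

    chain forward {
        # Published container ports arrive here (DNAT in prerouting, then forward),
        # not in the input chain, so a default-deny input policy alone does not
        # cover them. Container traffic must be allowed here explicitly, e.g.:
        #   iifname "docker0" oifname "eth0" accept
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
    }

    chain output {
        type filter hook output priority filter; policy drop;

        ct state established,related accept
        oif "lo" accept

        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        udp dport 53 ip daddr @dns_servers accept
        tcp dport 53 ip daddr @dns_servers accept
        udp dport 123 accept                 # NTP
        tcp dport { 80, 443 } accept         # package mirrors, updates

        # Everything else leaving the host is logged, then dropped: a compromised
        # service trying to reach out shows up in the log instead of succeeding.
        log prefix "output-drop: " drop
    }
}
```

The output chain is where the reply's argument lands: a process that should never talk to the Internet cannot, and the `output-drop:` log prefix gives a cheap detection signal. Widen the allow-list deliberately per service rather than loosening the policy back to accept.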