
Question Firewall hardening

CoyoteKG

Regular Pleskian
Hi,

I know it is pretty simple to use the Plesk firewall, but I need advice on 3 rules.
This is a webserver with a few sites, and access to SSH, FTP and MySQL is allowed only from a few IP addresses.
Mail ports should be open, and also WWW.
I want to close everything else, but I'm not sure whether I can safely do that with

Domain name server Allow incoming from all
IPv6 Neighbor Discovery Allow incoming from all
Ping service Allow incoming from all

Should I block them? I believe that Ping and Neighbor Discovery can be blocked with no problem, but what about DNS? What is the purpose of this rule?
For the domains of the websites hosted on the server, I'm using the nameservers of the provider we bought the domains from.

This is the status of the current iptables:
[image: iptables.JPG]
 
Hi Coyote,

If you are not running any DNS service on the server, then you can indeed just block it.
IPv6 can be blocked if you are not on an IPv6-enabled network. (Then you won't have any IPv6 neighbours ;-) )
I always block ping.
 
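As an added illustration (not part of the thread, and not Plesk's own firewall code), the script below generates the iptables ruleset that the policy discussed above boils down to: SSH, FTP and MySQL only from a short list of admin addresses, WWW and mail from anywhere, and everything else, including DNS (53), ping (ICMP echo-request) and any other unsolicited traffic, dropped by the default policy. The admin addresses and the port lists are placeholders you would replace with your own; the two addresses shown are constructed documentation-range examples. On a Plesk host the same rules belong in the Plesk Firewall UI rather than being applied by hand, because Plesk rewrites the chains it manages; the script therefore only prints the rules unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: build the iptables INPUT policy described in the thread.
# ADMIN_IPS, ADMIN_PORTS and PUBLIC_PORTS are placeholder assumptions; edit them.
ADMIN_IPS="${ADMIN_IPS:-203.0.113.10 198.51.100.20}"   # constructed RFC 5737 example addresses
ADMIN_PORTS="22 21 3306"                                # SSH, FTP, MySQL: admin addresses only
PUBLIC_PORTS="80 443 25 465 587 110 995 143 993"        # WWW and mail: open to all
IPT="${IPT:-iptables}"                                  # binary name, overridable for dry runs

# Print the rules in order instead of executing them, so they can be reviewed
# (or fed to "sh") and so the function can be checked without root.
build_rules() {
    echo "$IPT -P INPUT ACCEPT"                         # keep access while the chain is rebuilt
    echo "$IPT -F INPUT"
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP"

    # Restricted services: one rule per admin address and port, nothing else reaches them.
    for ip in $ADMIN_IPS; do
        for p in $ADMIN_PORTS; do
            echo "$IPT -A INPUT -p tcp -s $ip --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        done
    done

    # Public services: reachable from anywhere.
    for p in $PUBLIC_PORTS; do
        echo "$IPT -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done

    # Ping (echo-request) is not allowed, but ICMP error messages are kept so that
    # path-MTU discovery and connection errors still work for the public services.
    echo "$IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT"
    echo "$IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT"

    # No rule for udp/tcp 53 or for echo-request: they fall through to the default DROP.
    # Log what gets dropped, rate-limited, so the policy can be verified from the logs.
    echo "$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'INPUT-DROP: '"
    echo "$IPT -P INPUT DROP"                           # default policy set last
}

# Count how many generated rules open a given TCP port; used to sanity-check the policy.
rules_for_port() {
    build_rules | grep -c -- "--dport $1 " || true
}

if [ "${APPLY:-0}" = "1" ]; then
    build_rules | sh -e                                 # apply for real (needs root)
else
    build_rules                                         # default: dry run, print only
fi
```

Two caveats that the ruleset makes visible: FTP in passive mode needs either the `nf_conntrack_ftp` helper or an explicit passive port range in addition to port 21, and this is the IPv4 table only. If the host actually has IPv6 connectivity, an equivalent `ip6tables` policy must still accept the ICMPv6 Neighbor Discovery types (133 to 137), otherwise the box loses its IPv6 addresses and routes; blocking Neighbor Discovery is only safe, as Dennis says, when IPv6 is not in use at all.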
Hi Dennis, thanks for the suggestions :)
However, for hardening I'd look into a few other options as well:
fail2ban (additional actions taken against violations: login failures, or custom rules), mod_security (webserver security), mod_evasive (webserver security), and there are loads more :)
 
I'm already using fail2ban and mod_security, but I did not know about mod_evasive. I will read more about this :)
 
Personally I'm running on an Ubuntu server and I'm using IP-based geolocation to determine beforehand whether the connection is allowed.
Afterwards, fail2ban comes into play (for SSH, FTP and MySQL connections, as an example).
If it sparks some interest, have a look here: Limit your SSH logins using GeoIP » Axllent.org
P.S.: this does not work for CentOS and maybe other Linux distributions (I'm not sure; I went to Ubuntu for this reason).
 