Is a firewall enough of a security measure for an Ubuntu server that hosts a website?

Question

I recently got a VPS with Ubuntu on it, and I'd like to start creating a very basic website. However, I don't know what steps I should take to secure this server.

I'm new with Ubuntu, new with security and new with creating websites (the website will probably be just HTML, CSS, Django/Python and some database).

My biggest concern is that some hacker could try to use it as a zombie and I won't know. Or that robots could try to log in and sneak at whatever data I'll store on that machine and I won't know. Or who knows what else.

I found the firewall information page on the Ubuntu website, but will that be enough ?

P.S.: If it's impossible to give an answer, I'd also appreciate a book/website recommendation for Ubuntu and security complete beginners

Answer 1

Is a firewall enough of a security measure for an Ubuntu server that hosts a website?

Given the technologies you want to use you want to create a dynamic database-backed website without having any experience with this. This kind of setup is typical for easy too exploit sites: database-backed often allows SQL injection, insecure uploads might allow code execution etc. The normal packet filter firewall on Linux will not protect against any of these application-level attacks, i.e. a firewall is not enough of a security measure.

With the level of experience you currently have I strongly recommend to not create some dynamic application which is accessible (and potentially exploitable) by anybody. If this is just for your own or some selected users you might try to password protect the site using the established mechanism the web server has (i.e. htpasswd or similar) to at least limit the attack surface by limiting who can access your website.

I'd also appreciate a book/website recommendation for Ubuntu and security complete beginners

To learn more about web security you might start with the Top 10 Web Application Security Risks. In general, this is unfortunately a fairly complex topic so don't expect to be quickly sufficiently familiar with it.

Answer 2

A firewall is never enough, it is the bare minimum. Then having an IDS of some sort is desirable. For example if your SSH port is exposed you should block brute-force attacks, even if you have a strong password. A typical server on the Internet is probed, attacked hundreds, thousands of times a day. I know, from all the alerts I receive in a single day and just by reading the logs. By the way, security can easily become a full-time occupation. And if you have logs but never read them, you could miss something.

If you are going to build a website from scratch I think the biggest danger comes from your own code. Your biggest enemy is you, if you don't know what you are doing. For example if your code allows SQL injections, then ufw will not protect you. Using a framework should help you avoid some rookie mistakes but does not guarantee quality of code. You need to learn best practices and how to write secure code. The framework will not teach you that.

Since you've mentioned Python I suggest pylint to test the quality of your code. There are other tools, like Bandit or Mypy for more specific checks.

A WAF (web application firewall) could be beneficial too but will require some tuning to be effective without being too restrictive.

There are lots of things you can do to reduce your attack surface. Google: "Linux hardening". If I had to recommend a book it would be Hacking exposed for a comprehensive overview.

One important thing is to keep your system up-to-date. Vulnerabilities are found all the time, and sometimes 0days too so you have to react quickly to download an upgrade or a patch (one recent example that comes to mind is Exim). So I strongly advise to subscribe to a few mail lists, websites or blogs about computer security to keep on top of news.

Equifax was hacked due to a flaw that had been patched a few months earlier. Their procrastination cost them dearly. Not maintaining your system increases the risk considerably. All it takes is one exploitable flaw.

Finally, I would advise you to pentest yourself. To test for SQL injections SQLmap is a great tool. But to achieve best results you need to understand how the tools work, just running them with default options will most of the time not suffice to find flaws (unless the site is very poorly coded). Sometimes, webmasters leave sensitive files on their server like SQL backups, because they forgot to delete the file after restoring a database. A directory listing could reveal the presence of files that should not be there.

Many websites have a phpmyadmin directory, and no protection whatsoever against brute-force attacks. So a hacker could gain access to your database this way. If you really want to have phpmyadmin on the server, at least don't use a predictable directory name, and restrict access so that it's not exposed to the whole word for zero benefit.

Answer 3

Ingress: Your website will be open to the world on tcp ports 80 and 443. You may also need to open up some other ports to allow you to manage the website (tcp port 22 for ssh for example, although you can limit the source to your management station). That means your webserver will be open to application level attacks on those ports. So test those ports for application level vulnerabilities.

Egress: If someone manages an application level attack against your webserver they can trick it into making an outbound connection to allow remote control. So it is good to limit egress connections from your webserver.

You will probably need egress port 53 (DNS). You may need some egress to grab patch updates (ideally you can make the destination IPs specific). Depending on your application you may need some egress access to access data or authentication resources.

Answer 4

A single firewall is not enough because you need to have multiple defensive layers security to harden the whole solution or system from different types of attacks in the OSI layers.

My suggestion is the following setup.

• The server should behind IP firewall with NAT applied and Web application Firewall.
• Remove all the unnecessary services on the servers.
• Change default passwords.
• Close unnecessary ports.
• Open only 443 and with TLS.
• Regularly patch your web server.
• Pentest your Web site and server at least once a year.
• DDOS/DOS solution will also help.

The documents below from NIST will help you apply extra security measures. https://csrc.nist.gov/publications/detail/sp/800-44/version-2/final\ https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf

Answer 5

A firewall does next to nothing on a typical VPS.

What makes a server vulnerable? Having a buggy application that accepts connections from the outside and that can be exploited to gain unauthorized access.

What does a firewall do? It intercepts packets based on rules such as source IP address, destination port etc. Is this information sufficient to drop malicious packets while not interfering with legitimate ones? No, unless the attackers are considerate enough to follow RFC 3514 (note publication date).

The uses of a firewall are marginal, it protects against accidentally misconfiguring an application to be reachable from the outside when it was intended to be only visible to other applications on the same server, it can be invoked by fail2ban to blacklist users whose activity is deemed unwelcome by application-specific rules etc.

The security of a typical VPS primarily depends on what applications it runs and how these are configured, not on its firewall.

Answer 6

No it is not, as others have responded.

Depending on what you want to achieve, you could consider a static website, or a Single Page Application.

If you need to expose them to the world, you can host these for free, as a learning experience, on some platforms such as Netifly or GitHub or GitLab Pages (there are many more, I am not affiliated with any of these but used them with success and pleasure).

This will help you to learn about HTML, CSS, JavaScript and some automation, in a safe maneer.

There are downsides (no server-side generation), you still can reach for some data (by fetching from APIs) - all this can actualy be a good way to learn security.

Answer 7

No, and a firewall should not be your main concern

You cannot rely on a firewall to magically improve your server's security. Here is my concern: A firewall may give you a false sense of security. A firewall limits the ways your system can communicate. But wait – your system should not even try to communicate in ways you do not want it to. In my opinion, you should focus on configuring the services rather than fine-tuning a firewall.

To achieve this, you need to configure all your services properly. For example, some internal services can limit connections to the local system by listening to localhost instead to 0.0.0.0 (everyone). The database can use local unix sockets. All SSH-servers and web-servers I ever worked with have sensible default settings. Use sensible passwords. Keep the frameworks updated. If you want extra security, limit the applications' write access or even use something like apparmor to keep an eye on the applications' behaviour.

In the moment your server opens up a port to offer a service not authorized by you, you are already in trouble. Have malware on your server which establishes malicious outbound connections? You have already lost. An attacker who managed to run unsolicited code on your machine will surely find his way around your firewall soon. You do not want any of these things to happen in the first place, so configure considerately.
Imagine your room is on fire. You don't close the door and say "this is a sturdy door, the fire is safely contained within" – you need to put out the fire.

A firewall may be useful for protecting networks, but a single server can do without. To me, the habit of protecting single systems with software-firewalls looks like a Windows 2000 thing with the operating system itself exposing insecure services.

Update: I assume you intend to host a small private site. Let's assume there is an exploitable mistake in the code in an application of yours or in one of the frameworks/applications used. This is what can happen according to my imagination:

• data leak: an attacker obtains information which should remain hidden
• data modification: an attacker manages to change the data on your site, possibly using it for malicious intent (e.g. phishing)

• remote code execution: an attacker manages to execute his arbitrary on your machine, including but not limited to:

  • do any of the above
  • offer an unsolicited service¹
  • attack other machines²
  • gain root access

According to @schroeder, maintaining a server includes efforts to mitigate attacks. With rules regarding inbound traffic, a firewall can easily stop 1 – unless the attacker uses UDP sockets. A firewall can also mitigate 2, but you would need to configure the firewall painstakingly to disallow outbound connections without disrupting wanted functionality such as update mechanisms. In case the attacker gains root access, he simply can disable the firewall, making all efforts academical.

A firewall protects other systems more than it protects your own system, data or users. It is up to you whether you want to put in the effort for the security of others. It is more interesting for network administrators or server farms than for the personal server. Focus on the applications themselves more than on the firewall.

Answer 8

House Keeping:

• Firewall
• Bullproof- PHP-MysqlCode
• Close all unused ports

• Your Apache and PHP bins should have write/read/execute permissions, to the right folders

• google:'secure apache server'

• google:'linux secure networking'; // commands
• google:'linux exploits' and everything related to linux root scanner.

It's actually an inception of Linux and frontend coding, it can't be enough. So just maintenance and vlog tech exploit reading.