I have recently installed Magento on Ubuntu 14.04 on Digital Ocean and I’m wondering which ports I should filter to keep it safe. Well, actually the question should be: which ports should I keep open to the internet?
A list of ports, identified with whether they should be inbound or outbound, would be enough. A better answer would be a list of iptables commands to secure the server 🙂
How to solve:
So, I am going to assume that your server does nothing except ecommerce. Therefore, the only ports you need are:
80 – Default HTTP, so that you can accept connections and redirect to…
443 – SSL / TLS for secure transactions.
SSH, but… it’s better to choose a high random port instead of the standard 22.
Put SSH on a high random port
In /etc/ssh/sshd_config, change the port directive to a high random port. You can manually choose an “Unassigned” port from the IANA list of ports, or, you can be lazy and use a script I wrote that downloads the current port list, finds the unassigned ports, and randomly picks one for you.
This doesn’t necessarily “increase security,” but lowers the number of probes that are looking for low hanging fruit on 22.
For the sake of argument, let’s say you have chosen 32637 as the port. This is important in the later part of the answer.
Firstly, we need to do this as a script so that it can be completed at once.
Here’s a gist for you to lock down the server. But the code is also below:
```bash
#!/bin/bash
# Run as root, and run the whole file rather than pasting it line by line over
# SSH: the default-deny policy is set before the allow rules, so the session
# is only safe once the RELATED,ESTABLISHED rule below is in place.

# Default deny
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow established sessions (keeps the current SSH session alive)
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow localhost (Magento talking to a local MySQL, cache, etc.)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow tcp/80 (HTTP)
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Allow tcp/443 (HTTPS)
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

# Allow SSH on our random port (must match the Port directive in sshd_config)
iptables -A INPUT -p tcp --dport 32637 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
```
Here’s how it works:
- We start by default blocking everything from everywhere. Since you are running eCommerce and only need 80 and 443, we default block everything else.
- Next we allow established sessions to remain active and work. This is so we don’t disconnect ourselves during the process. But it’s also useful for sessions that will be established later to remain established.
- Next, we allow localhost. I assume you’re talking to a DB server (MySQL?) for Magento.
- The last three rules explicitly allow 80, 443, and 32637, which are HTTP, HTTPS, and SSH on our high random port configured above.
And, of course, if you want to reset iptables, here you go:
```bash
# Flush all rules, then put the default policies back to accept-all
iptables -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
```
inbound or outbound
Everything above is inbound.
Regarding outbound blocking: here, we are assuming that your server is not compromised, will need to send email confirmations, and is otherwise well maintained. There is no outbound blocking. If your server is clean and well run, there’s really no reason to do that.
Unless you have a reason… but a default Magento (web application installation) that is properly maintained and secured doesn’t really need it because it should not be sending out rogue connections, scans, or requests.
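As an added example (not part of the answer above, and not Magento's or Digital Ocean's tooling), the same procedure written so that the firewall is committed in one step: the ruleset is emitted in iptables-save syntax and fed to iptables-restore, which loads policies and rules together, so there is no moment where INPUT is DROP without the RELATED,ESTABLISHED rule. It goes slightly beyond the answer by dropping packets conntrack marks INVALID, and it edits the sshd Port directive with a validity check on the port number. Assumptions: the function names, the `--apply` switch, the default of 32637 (the port the answer picked), the path /etc/ssh/sshd_config and the Upstart `service ssh reload` of Ubuntu 14.04 are all mine; iptables-restore replaces the entire filter table, so any rules added by other tools on the host are discarded.

```shell
#!/bin/sh
# Added example: atomic firewall load plus sshd port change. Not the original
# answer's script. Assumes iptables-restore(8) and awk are present and that
# the script runs as root when invoked with --apply.
set -eu

# Succeed only for an integer in the unprivileged 1024-65535 range, so a typo
# cannot end up opening a random low port.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Emit the filter table in iptables-save syntax. iptables-restore commits the
# policies and rules as one unit, so the admin's SSH session is never exposed
# to a DROP policy without the RELATED,ESTABLISHED rule. Lines starting with
# '#' are skipped by iptables-restore.
build_rules() {
    ssh_port="$1"
    valid_port "$ssh_port" || { echo "bad port: $ssh_port" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# keep replies to existing sessions flowing (including the current SSH session)
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# loopback: Magento to a local MySQL or cache on 127.0.0.1
-A INPUT -i lo -j ACCEPT
# packets conntrack cannot place in any session (added beyond the answer)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# public web ports
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# SSH on the non-default port configured in sshd_config
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Rewrite the first Port directive (commented or not) in an sshd_config, or
# append one if none exists. Takes the file path so it can be tried on a copy.
# Writes through cat so the file's owner and mode are preserved.
set_ssh_port() {
    cfg="$1"; ssh_port="$2"
    valid_port "$ssh_port" || return 1
    awk -v p="$ssh_port" '
        /^#?[ \t]*Port[ \t]+/ && !done { print "Port " p; done = 1; next }
        { print }
        END { if (!done) print "Port " p }
    ' "$cfg" > "$cfg.tmp" && cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
}

# Full procedure, in the order that keeps you logged in: move sshd first,
# check the config still parses, reload sshd (existing sessions survive a
# reload), then swap the firewall in atomically. Open a second SSH session on
# the new port and confirm it works before closing the first one.
apply() {
    ssh_port="${1:-32637}"          # 32637: the example port from the answer
    set_ssh_port /etc/ssh/sshd_config "$ssh_port"
    /usr/sbin/sshd -t               # abort if sshd_config no longer parses
    service ssh reload              # Ubuntu 14.04 Upstart job name (assumption)
    build_rules "$ssh_port" | iptables-restore
    # To survive a reboot: apt-get install iptables-persistent, then
    # iptables-save > /etc/iptables/rules.v4
}

# Only touch the system when explicitly asked; sourcing the file does nothing.
if [ "${1:-}" = "--apply" ]; then
    apply "${2:-32637}"
fi
```

Run it as `sh lockdown.sh --apply 32637` on the server; `build_rules 32637 | iptables-restore --test` (the `--test` flag parses without committing, on iptables versions that have it) is a useful dry run first. The NEW-only matches on 80, 443 and the SSH port are equivalent to the answer's NEW,ESTABLISHED ones, since ESTABLISHED traffic is already accepted by the first rule.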