Firewall or other security

cs10 · August 13, 2016, 9:52pm

Hi All,
I’ve been running a server with virtualmin installed for a good while now with very few issues.

I’m running CentOS 7 64 bit.

I’m just making sure I’m secure really so have a question.

When I check out Networking -> Linux Firewall, I get taken to a screen that says “No iptables bootup action was found, indicating that the IPtables package is not installed on your system”.

If I choose FirewallD, it says: Failed to list zones : e[91mFirewallD is not runninge[00m

Can I ask for advice on what is the best thing I can do to secure the server as much as possible?

Thanks in advance,
Craig

Joe · August 13, 2016, 11:14pm

So, you’ve got a couple of obvious options. One would be to setup iptables (more flexible and, I think, more useful, on servers, but also more complicated), the other would be to start firewalld. Webmin has a module for either; there’s also a CSF module for Webmin, but that may be overkill for your needs. I usually use iptables, because I know it really well, and it is flexible and powerful enough for everything I need.

Firewalld is the new management service used, by default, in CentOS 7 and recent versions of Fedora. It is integrated with systemd, which allows it to dynamically apply rules based on what’s running, and the network your system is connected to (e.g. if you have a wired network at work and a wifi network at home, the firewall can act differently in either case). But, for servers, the additional features are pretty much extraneous and may even get in the way. For a server, you mostly just want to say, “Open these ports, and leave them open forever, because I have services running on them.”

I’m surprised firewalld isn’t already running; I though it was on by default on a CentOS 7 system. The fact that it’s not running might mean it didn’t get new rules added when Virtualmin was installed. Our installation detects which firewall you have (whether iptables or firewalld on CentOS) and inserts the rules in needs for all of the services it manages. You can, of course, customize those rules at any time in the Linux Firewall or Firewalld module.

Here’s a good post about iptables on CentOS 7, if you want to go with iptables:

http://stackoverflow.com/questions/24756240/how-can-i-use-iptables-on-centos-7

If you wan to use firewalld, just restart the firewalld service. Webmin should then let you edit the rules normally.

Anyway, when turning on a firewall for the first time, you should make sure it’s not going to lock you out; at the very least, make sure the starting rules are going to allow you to login via ssh, so you can fix it if anything goes wrong.

cs10 · August 14, 2016, 7:29am

Hi Joe,
Thanks for the reply!
I think I’ll go down the FirewallD route.

So I can easily enable this I think by using systemctl enable firewalld and systemctl start firewalld, however, I’m a bit bothered about your last paragraph about locking myself out!
How can I prevent that?

I’ve altered the default webmin port so do I need to add this somewhere?

Thanks very much,
Craig

Joe · August 14, 2016, 8:02am

You can use the firewall-offline-cmd to work with firewalld rules when the service is not running. I’m pretty confident port 22 (ssh) is open, no matter what, in a default configuration, so that’s probably not a big fear…but, just in case.

https://twoerner.fedorapeople.org/firewalld/doc/firewall-offline-cmd.html

You could also just start the service without enabling it. Then, if you got locked out, you could have your server rebooted and get back in with the firewall not running again, presumably.

unborn · August 14, 2016, 9:52pm

you may have look at this as well… https://www.virtualmin.com/comment/759610#comment-759610 …I mean you can apply few steps from that list as an prevention

cs10 · August 19, 2016, 7:53pm

Hi there,
I enabled firewalld, but it stopped all websites from working, they just timed out.
I presume I have to make some configuration through webmin, but even this started to time out.

For now, I’ve had to disable it.

Any tips?
Thanks,
Craig