7

I'm going to try deploying my first web app soon, so my experience is lacking. I remember reading somewhere that port scans by bots happen within minutes of being exposed to the internet (maybe that's how long it takes for a windows 95 system to get compromised, it's been a while since I read the article). This particular server is running Ubuntu 9.10 server edition on amd64.

The web app itself should be entirely over https, as per this question I just asked here. In addition, the website has a file upload section, now done through http post, and that file is eventually farmed out through a separate (wireless, unfortunately) interface to another computer to handle actual processing.

So, on the actual network interface exposed to the world, I'm thinking that ports 80 and 443 should be exposed, and nothing else. As I said before, 80 should redirect to 443. Is that sane? Is there something else I don't know, some other port I should have active? The files are moved to the processing system using ruby DRb over ports 9000 and 9001, so those need to be open as well, but only on the second interface.

Also, what firewall program should I be using to handle two network interfaces like this? There are a few listed here, but I'm not sure which is appropriate for serving web pages, or even if this is a special case at all.

Community
  • 1
mmr
  • 369
  • 2
  • 6
  • 18

2 Answers2

4

sounds about right, if you're serving https only, then that's the one that you need to leave open. however, only application started with a root account can listen to ports below 1024, so you have two options here:

  • start your ruby app as root - not a good idea
  • have it behind apache - might be better, but depends on what you want to do, this may be just an additional overhead
  • run ruby app as other user on different port, say 8443 and have iptables to portforward requests from 443 to 8443 - this i guess is what you want to do

below is how you do port forwarding (you can do the same with 80 to 8080, for example):

iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

other than that, there's no need to open any other ports to the internet, just make sure you leave ssh on the other interface open, so you can access and manage the server.

as for firewall application, iptables comes with ubuntu and just use it, no need for any other fancy tool i'd say.

rytis
  • 2,382
  • 1
  • 18
  • 13
2

You are right in that only ports 80/443 need to be exposed. Everything else should be closed. You will need your firewall to do a few things.

  1. Connection limit and rate limit. You want your firewall to be able to slow things down in the event of a DDoS attack or repeated attempts at port-knocking or things like that.
  2. Block all unnecessary out-going traffic. This can help in case your machine is compromised as most bots need to connect to a remote command-and-control server.
  3. Block all other incoming ports. You should really still block everything else, just in case an attacker manages to install some app and opens up a back-door port.

Those are some thoughts. I don't have any specific software recommendations though. Maybe reading LARTC might help.

sybreon
  • 7,405
  • 1
  • 21
  • 20