
I plan to rent a dedicated server to host a commercial application, which should house essentially everything necessary to run on a single machine (frontend, backend, databases, analytics, backup systems, etc) for the time being. This is indeed a simplistic infrastructure, but I don't expect high amounts of traffic for now, so I believe it will suffice for the time being.

Now, I understand the same hour I put the server online I'm going to have malicious people trying to get root access to it, so obviously I would like to take care of this from day one. The question is, do I need to rent a physical firewall, physical as in being a different machine, with this setting (which my provider offers, but at a cost of pretty much doubling the price), or will I be able to cover my ass with a software firewall (i.e. iptables and co.), provided it is properly configured + I take as many "software" security measures/good practices as I can?

My networking/server administration experience is admittedly limited, but I'm very much willing and eager to learn as much as I'm able to manage the server/s on my own.

EEAA
Mahn

2 Answers


You really don't need a separate firewall for a single host; Linux iptables is more than sufficient to protect the server, and (if you run Red Hat/CentOS) will be on and reasonably secure by default.

The first thing you will want to do after the server is up is to make yourself a user account, and then secure ssh by denying root logins with a password. In /etc/ssh/sshd_config set either:

PermitRootLogin no

or:

PermitRootLogin without-password

if you want to be able to login as root with ssh keys.

Michael Hampton
  • Also, installing Fail2ban and Logwatch is great for security (banning brute-force authentications and generating activity logs) – Kedare Aug 28 '12 at 07:46
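A small audit script for the PermitRootLogin setting discussed in this answer, added here as an example and not part of the original post. It assumes sshd's first-match rule for keywords (global directives before any Match block) and treats a missing directive as not confirmed blocked:

```shell
#!/bin/sh
# Added example (not from the original answer): audit an sshd_config for the
# PermitRootLogin directive. sshd honours only the FIRST occurrence of a keyword,
# and global keywords must precede any "Match" block, so the scan stops there.
# Assumption: a missing directive is reported as "unset" and treated as NOT
# confirmed blocked, since older OpenSSH releases defaulted to "yes".

permit_root_login_value() {
    # $1 = sshd_config path. Strips comments, accepts "Key value" or "Key=value",
    # prints the first PermitRootLogin argument in lower case, or "unset".
    val=$(sed -e 's/#.*//' -e 's/=/ /' "$1" | awk '
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); exit }')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

root_password_login_blocked() {
    # Returns 0 if root cannot log in with a password, 1 otherwise.
    case "$(permit_root_login_value "$1")" in
        no|without-password|prohibit-password|forced-commands-only) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on two constructed configs (not real files from the post).
hardened=$(mktemp); printf 'Port 22\n# PermitRootLogin yes\nPermitRootLogin no\n' > "$hardened"
open=$(mktemp);     printf 'Port 22\nPermitRootLogin yes\nPermitRootLogin no\n' > "$open"
for f in "$hardened" "$open"; do
    if root_password_login_blocked "$f"; then
        echo "$f: OK, PermitRootLogin=$(permit_root_login_value "$f")"
    else
        echo "$f: WARNING, root password login allowed (PermitRootLogin=$(permit_root_login_value "$f"))"
    fi
done
rm -f "$hardened" "$open"
```

Run it against /etc/ssh/sshd_config after editing; the second constructed config shows why a later "PermitRootLogin no" does not override an earlier "yes".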

The kinds of factors that drive the need for a dedicated server don't necessarily correlate to volume of traffic or typically observed threats. A site with massive back end I/O requirements might hand out small amounts of tabular data to a handful of users. The decision to pursue a dedicated firewall should be approached in the same way. The other point, of course, is that adding a dedicated firewall later isn't (or shouldn't be) very invasive.

rnxrx
  • Thanks, can you elaborate on the factors one should consider to decide whether a dedicated firewall is the right fit? – Mahn Aug 24 '12 at 22:27
  • Volume and rate of traffic, external requirements for physical separation of administrative functions (driven by auditors, PHB's, etc), risk/frequency of DDoS attacks, need for special functions beyond those in the shared offering and certain VPN situations. There are other examples but overall you'll know when you get there. – rnxrx Aug 25 '12 at 00:55