Is this considered secure? My iptables:


Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED,DNAT
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED,DNAT
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
OUTPUT_direct all -- anywhere anywhere

Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- anywhere anywhere [goto]

Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- anywhere anywhere [goto]

Chain FORWARD_direct (1 references)
target prot opt source destination

Chain FWDI_public (1 references)
target prot opt source destination
FWDI_public_pre all -- anywhere anywhere
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
FWDI_public_post all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere

Chain FWDI_public_allow (1 references)
target prot opt source destination

Chain FWDI_public_deny (1 references)
target prot opt source destination

Chain FWDI_public_log (1 references)
target prot opt source destination

Chain FWDI_public_post (1 references)
target prot opt source destination

Chain FWDI_public_pre (1 references)
target prot opt source destination

Chain FWDO_public (1 references)
target prot opt source destination
FWDO_public_pre all -- anywhere anywhere
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere
FWDO_public_post all -- anywhere anywhere

Chain FWDO_public_allow (1 references)
target prot opt source destination

Chain FWDO_public_deny (1 references)
target prot opt source destination

Chain FWDO_public_log (1 references)
target prot opt source destination

Chain FWDO_public_post (1 references)
target prot opt source destination

Chain FWDO_public_pre (1 references)
target prot opt source destination

Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- anywhere anywhere [goto]

Chain INPUT_direct (1 references)
target prot opt source destination

Chain IN_public (1 references)
target prot opt source destination
IN_public_pre all -- anywhere anywhere
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
IN_public_post all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere

Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:8090 ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:7080 ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:http ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:https ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:submission ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:submissions ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3 ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2 ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s ctstate NEW,UNTRACKED
ACCEPT udp -- anywhere anywhere udp dpt:domain ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:domain ctstate NEW,UNTRACKED
ACCEPT udp -- anywhere anywhere udp dpt:443 ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpts:40110:40210 ctstate NEW,UNTRACKED

Chain IN_public_deny (1 references)
target prot opt source destination

Chain IN_public_log (1 references)
target prot opt source destination

Chain IN_public_post (1 references)
target prot opt source destination

Chain IN_public_pre (1 references)
target prot opt source destination

Chain OUTPUT_direct (1 references)
target prot opt source destination

2 Replies

<snark>

Do you feel more secure? If so, then 's all good man…

</snark>

From a previous post:

this is my ufw status

root@localhost:~# ufw status
Status: active

To Action From
-- ------ ----
2021 ALLOW Anywhere 
2021 (v6) ALLOW Anywhere (v6)

Debugging ufw is not part of my job description…or that of anyone else here…including Linode's… You should contact Canonical for a definitive answer to your question. Some advice I can give is:

  • DON'T, under ANY circumstances, use ftp. It's inherently insecure and will never be fixed. If you need file transfer, use sftp(1)…which uses ssh(1)'s port.
  • Ditto for pop3, submission & imap/imap2… If you have customers, tell them to use pop3s, submissions & imaps…do an "it's company policy…" if you have to.
  • You don't need udp on port 443 for anything. This rule just takes up space.
  • If you don't need for systems that are remote to your Linode to access ports 8090, 7080, 40110 & 40210, you should restrict the source/destination on those ports to localhost.

Generally speaking, you should be as restrictive as you can with open ports while still being able to accomplish your purpose. Except in very few cases, no ports need to be open for src=anywhere, dst=anywhere. With even rarer exception, you shouldn't allow ports to be open where the traffic is not encrypted using TLS (hint to Linode: DNScrypt please!).

Consider setting up fail2ban(1). You can Google it…and there are lots of posts in this forum about it.

If you have some app that requires this stuff (e.g. some ancient/unsupported WordPress plugins from 1995), you should find another solution. Dumping WordPress should be part of that conversation as well…

-- sw
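The port-by-port advice in the reply above can be turned into a repeatable check that runs over the listing itself. The script below is an added example, not code from the original post or from Linode: it parses the text form that `iptables -L` prints (target, prot, opt, source, destination, then match extras such as `dpt:` or `dpts:`), and flags every ACCEPT rule the reply objects to. The embedded `SAMPLE_LISTING` is the question's `IN_public_allow` chain, reproduced as constructed input; the service table, the messages and the numeric-port check are this example's own. That last check generalises the reply's 8090/7080/40110-40210 point to any numeric port or range accepted from any source.

```python
"""Audit an `iptables -L` listing against the advice given in the reply.

Added example; the checks encode the reply's points and generalise the
"restrict 8090/7080/40110-40210 to localhost" point to any numeric port or
range that is accepted from any source.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the IN_public_allow chain from the question.
SAMPLE_LISTING = """\
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:8090 ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:7080 ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:http ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:https ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:submission ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:submissions ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3 ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2 ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s ctstate NEW,UNTRACKED
ACCEPT udp -- anywhere anywhere udp dpt:domain ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpt:domain ctstate NEW,UNTRACKED
ACCEPT udp -- anywhere anywhere udp dpt:443 ctstate NEW,UNTRACKED
ACCEPT tcp -- anywhere anywhere tcp dpts:40110:40210 ctstate NEW,UNTRACKED
"""

# Services the reply names as plaintext. The TLS-wrapped replacements
# (pop3s, submissions, imaps) are deliberately absent so they are not flagged.
PLAINTEXT_SERVICES = {
    "ftp": "ftp is inherently insecure; use sftp over the ssh port instead",
    "pop3": "pop3 carries credentials in the clear; offer pop3s instead",
    "imap": "imap carries credentials in the clear; offer imaps instead",
    "imap2": "imap2 carries credentials in the clear; offer imaps instead",
    "submission": "reply recommends submissions (TLS) in place of submission",
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(.*)$")


@dataclass
class Rule:
    chain: str
    target: str
    proto: str
    source: str
    dest: str
    port: Optional[str]  # "ssh", "8090" or a range "40110:40210"; None if no dpt(s) match


def parse_listing(text: str) -> list[Rule]:
    """Parse the `iptables -L` text form into Rule records, tracking the current chain."""
    rules: list[Rule] = []
    chain = "?"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("target "):
            continue  # blank line or column header
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        target, proto, _opt, src, dst, extras = m.groups()
        pm = re.search(r"\bdpts?:(\S+)", extras)
        rules.append(Rule(chain, target, proto, src, dst, pm.group(1) if pm else None))
    return rules


def audit(rules: list[Rule]) -> list[tuple[str, str, str]]:
    """Return (chain, proto/port, reason) for each ACCEPT rule that trips a check."""
    findings: list[tuple[str, str, str]] = []
    for r in rules:
        if r.target != "ACCEPT" or r.port is None:
            continue
        label = f"{r.proto}/{r.port}"
        world = r.source == "anywhere"
        if r.port in PLAINTEXT_SERVICES and world:
            findings.append((r.chain, label, PLAINTEXT_SERVICES[r.port]))
        elif r.proto == "udp" and r.port == "443":
            findings.append((r.chain, label, "udp/443 is not needed; the rule just takes up space"))
        elif world and re.fullmatch(r"\d+(:\d+)?", r.port):
            # Generalisation of the 8090/7080/40110-40210 point: a numeric port or
            # range accepted from any source should be narrowed to localhost or to
            # the specific remote addresses that actually need it.
            findings.append((r.chain, label, "numeric port open to anywhere; restrict the source to localhost"))
    return findings


if __name__ == "__main__":
    for chain, label, reason in audit(parse_listing(SAMPLE_LISTING)):
        print(f"{chain:18} {label:18} {reason}")
```

Run against the sample it reports eight rules: ftp, pop3, imap2 and submission as plaintext services, udp/443 as unneeded, and 8090, 7080 and 40110:40210 as numeric ports open to any source; ssh, http, https, smtp, domain and the TLS variants pass. To audit a live host, replace `SAMPLE_LISTING` with the output of `iptables -L` (the `-n` form prints numeric ports and addresses, so the `anywhere` comparison would then need to be `0.0.0.0/0`).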

What @stevewi said.

And also consider security as something that is a layered process, meaning there are multiple things to consider for security.

For example, you could have the most secure firewall settings in the world, but if you're SSHing as root with 12345678 as your password… Your server isn't very secure and will quickly be compromised.

Take a look through https://www.linode.com/docs/guides/securing-your-server/
