If someone exploits a service on the machine they can then connect outside that machine on any port. Ufw would prevent this. The router firewall would also likely prevent this unless they used an open port of the router or upnp was enabled.
Comment on Do I really need a firewall for my server?
agile_squirrel@lemmy.ml 4 weeks agoI have about 20 services on my machine so I’m going to need to open a ton of ports (ssh, SSL, multiple higher number ports since some services require several ports). At that point, what is the point of a firewall if so many ports are open? With so many ports open, it seems like a firewall doesn’t add much security vs the complexity it adds.
Fizz@lemmy.nz 4 weeks ago
eldain@feddit.nl 4 weeks ago
I recommend fail2ban to stop the automated attacks that are the background noise of the internet. It will set your firewall to block certain ip’s for a while, especially ports 21/22 are getting hammered with dictionary login attempts. And port 80 and 8080 for example get constantly version checked to see if you are vulnerable with an old apache, old dokuwiki etc, so don’t expose more than you need to and maybe learn about ssh tunnels and close a few.
I once installed ossim in a small network with a server and it showed me it is war out there, scripts flying everywhere.
lud@lemm.ee 4 weeks ago
Also get rid of password authentication if you can.
agile_squirrel@lemmy.ml 4 weeks ago
My server is only available on my LAN and via a VPN. Is fail2ban applicable? Or is it mainly for public facing servers?
eldain@feddit.nl 4 weeks ago
Only public facing ports, maybe your openvpn login. But that means you are already firewalled up and your attack surface is tiny, good 👍
swab148@lemm.ee 4 weeks ago
Sounds like you could use a reverse proxy.
Jakeroxs@sh.itjust.works 4 weeks ago
That doesn’t count as a firewall though no? I use traefik as my reverse proxy (and like one thing on nginx that also goes through traefik ultimately) but I still put crowdsec on top
swab148@lemm.ee 4 weeks ago
No, but putting a bunch of those services behind a reverse proxy would lower the amount of open ports. It would also have the side effect of making firewall configuration easier, since you don’t need rules for all those ports anymore.
Jakeroxs@sh.itjust.works 4 weeks ago
True, I love not having to open ports anymore, game changing.