Firewall really necessary?

Hello friends.

This isn’t strictly an nginx question, but I thought it might be useful to others on this list as well, so I’ll ask.

So I have a FreeBSD 7.0 server running. Inetd is disabled and I’m only running 2 services: Nginx listening on port 80 and sshd listening on some random high port. FTP is enabled, but that’s listening for connections on the local network only. A sockstat -4 confirms these are the only 3 services listening on any ports, and a server reboot confirms that rc.d has been set up correctly to only listen for these 3 services on a reboot.

My question is, for such a setup is a firewall really necessary? I don’t think it is, since this is such a simple server with only these 2 services running. I don’t expect any complicated DDoS attacks that an intricate firewall would be able to thwart.

Thanks!

On Sat, 2008-04-12 at 22:29 -0400, Amer Shah wrote:

> ports and a server reboot confirms that rc.d has been
> set up correctly to only listen for these 3 services on a reboot.
>
> My question is, for such a setup is a firewall really necessary? I
> don’t think it is since this is such a simple server with only
> these 2 services running. I don’t expect any complicated DDoS attacks
> that an intricate firewall would be able to thwart.

Technically, no. However, you have three potential issues:

  1. With all those open ports (whether or not anything is listening on
    them), your system is easily fingerprinted by scanning tools.

  2. If you ever make a mistake, or do an update, you might accidentally
    end up with a service you weren’t expecting listening on an external
    port.

  3. If ssh or Nginx (or an application that Nginx is exposing) got
    hacked, the hacker now has a plethora of ports to attach services to for
    his own use.

Incidentally, you can run the firewall on the same box. This isn’t as
secure as a separate firewall but is better than nothing.

Regards,
Cliff
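The two practical follow-ups to this thread are Amer's sockstat check (done once by hand, it catches nothing that appears later) and Cliff's point that a new listener can show up after an update and that a host firewall on the same box is better than nothing. The script below is an added example, not code from either poster: it keeps one list of expected listeners in the form sockstat prints them, audits `sockstat -4 -l` output against it, and derives a default-deny pf ruleset from the same list so that anything not on it is blocked even if it does start listening. The interface name em0, the LAN prefix 192.168.1.0/24, the FTP address 192.168.1.5 and sshd on port 2222 are assumptions standing in for the unnamed values in the post, and the sockstat output is a constructed sample.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster.
#   audit_listeners - compare `sockstat -4 -l` output against the listeners
#                     you expect, so a service that appears after an update
#                     or an rc.conf typo is noticed (Cliff's point 2).
#   pf_rules        - derive a default-deny pf ruleset from the same list,
#                     so anything not on it is blocked even if it listens
#                     (Cliff's point 3 and "firewall on the same box").
# Interface, LAN prefix, FTP address and sshd port are assumptions.

# Expected listeners as "PROTO LOCAL_ADDRESS", exactly as sockstat prints
# them. Port 2222 stands in for the "random high port" sshd uses in the post.
ALLOWED_LISTENERS='tcp4 *:80
tcp4 *:2222
tcp4 192.168.1.5:21'

EXT_IF=em0              # assumed external interface
LAN_NET=192.168.1.0/24  # assumed local network that may reach ftpd

# Constructed sample of `sockstat -4 -l` output. The syslogd line is the
# kind of surprise listener the audit is meant to catch.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      nginx      1234  6  tcp4   *:80                  *:*
root     nginx      1230  6  tcp4   *:80                  *:*
root     sshd       890   3  tcp4   *:2222                *:*
root     ftpd       911   4  tcp4   192.168.1.5:21        *:*
root     syslogd    640   5  udp4   *:514                 *:*'

# audit_listeners ALLOWLIST < sockstat-output
# Prints every "PROTO LOCAL" pair not on the allowlist (nginx master and
# workers on the same port collapse to one line). Returns 1 if anything
# unexpected was found, 0 otherwise.
audit_listeners() {
    allow=$1
    unexpected=$(awk 'NR > 1 && NF >= 6 { print $5, $6 }' | sort -u |
        while IFS= read -r sock; do
            printf '%s\n' "$allow" | grep -qxF -- "$sock" || printf '%s\n' "$sock"
        done)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# pf_rules ALLOWLIST EXT_IF LAN_NET
# Emits a pf.conf: block everything inbound, then pass exactly the listed
# sockets. A wildcard address gets "from any"; a specific address (the
# LAN-only ftpd) is reachable only from LAN_NET. IPv4 only, since the
# "addr:port" split would not survive IPv6 colons.
pf_rules() {
    allow=$1 ext_if=$2 lan_net=$3
    printf 'set skip on lo0\nblock in log all\npass out keep state\n'
    printf '%s\n' "$allow" | while IFS= read -r sock; do
        proto=${sock%% *}    # tcp4 / udp4
        laddr=${sock#* }     # *:80 / 192.168.1.5:21
        addr=${laddr%:*}
        port=${laddr##*:}
        case $proto in
            tcp4) proto=tcp; flags=' flags S/SA' ;;
            udp4) proto=udp; flags='' ;;
            *) printf 'pf_rules: unknown proto %s\n' "$proto" >&2; return 1 ;;
        esac
        if [ "$addr" = '*' ]; then
            src=any dst=any
        else
            src=$lan_net dst=$addr
        fi
        printf 'pass in on %s proto %s from %s to %s port %s%s keep state\n' \
            "$ext_if" "$proto" "$src" "$dst" "$port" "$flags"
    done
}

# Stand-alone demo on the constructed sample. On the real host use the
# live command instead:  sockstat -4 -l | audit_listeners "$ALLOWED_LISTENERS"
found=$(printf '%s\n' "$SAMPLE_SOCKSTAT" | audit_listeners "$ALLOWED_LISTENERS") ||
    printf 'unexpected listeners:\n%s\n' "$found"
pf_rules "$ALLOWED_LISTENERS" "$EXT_IF" "$LAN_NET"
```

The generated ruleset is a starting point, not a finished policy: check it with `pfctl -nf` before loading, enable pf in rc.conf, and remember that the single port-21 rule only covers the FTP control connection; passive-mode data connections need either an explicit port range or ftp-proxy(8). Running the audit from cron is what turns Amer's one-off sockstat check into something that notices the accidental listener Cliff describes.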