Hello friends.
This isn’t strictly an nginx question but I thought it might be useful to others on this list as well so I’ll ask.
So I have a FreeBSD 7.0 server running. Inetd is disabled and I’m only running 2 services: Nginx listening on port 80 and sshd listening on some random high port. Ftp is enabled but that’s listening for connections on the Local Network only.
A sockstat -4 confirms these are the only 3 services listening on any ports, and a server reboot confirms that rc.d has been set up correctly to only listen for these 3 services on a reboot.
My question is, for such a setup is a firewall really necessary? I don’t think it is since this is such a simple server with only these 2 services running. I don’t expect any complicated DDOS attacks that an intricate firewall would be able to thwart.
Thanks!
On Sat, 2008-04-12 at 22:29 -0400, Amer Shah wrote:
> ports and a server reboot confirms that rc.d has been
> set up correctly to only listen for these 3 services on a reboot.
> My question is, for such a setup is a firewall really necessary? I
> don’t think it is since this is such a simple server with only
> these 2 services running. I don’t expect any complicated DDOS attacks
> that an intricate firewall would be able to thwart.
Technically, no. However you have two potential issues:
- With all those open ports (whether or not anything is listening on them), your system is easily fingerprinted by scanning tools.
- If you ever make a mistake, or do an update, you might accidentally end up with a service you weren’t expecting listening on an external port.
- If ssh or Nginx (or an application that Nginx is exposing) got hacked, the hacker now has a plethora of ports to attach services to for his own use.
Incidentally, you can run the firewall on the same box. This isn’t as
secure as a separate firewall but is better than nothing.
Regards,
Cliff
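For readers wanting to see what "run the firewall on the same box" looks like for exactly this setup, here is an added example pf ruleset (not from either poster; pf ships with FreeBSD 7.0). It assumes the external interface is em0, the sshd high port is 2222 and the LAN is 192.168.1.0/24; replace those placeholders with the real values.

```pf
# /etc/pf.conf -- example default-deny ruleset for the server in the thread.
# Assumed values (placeholders): external interface em0, sshd on 2222,
# local network 192.168.1.0/24.
ext_if   = "em0"
lan_net  = "192.168.1.0/24"
ssh_port = "2222"

set skip on lo0            # never filter loopback
set block-policy drop      # drop silently instead of sending RST/ICMP, so a
                           # scanner learns less about closed ports (point 1)
scrub in all               # normalise fragments and malformed packets

# Default deny in both directions. A service that appears by mistake after an
# update (point 2), or one an intruder binds to a spare port (point 3), is
# unreachable from outside unless a rule below opens it explicitly.
block all

# Only the three services the box is meant to expose.
pass in on $ext_if proto tcp to ($ext_if) port 80 keep state
pass in on $ext_if proto tcp to ($ext_if) port $ssh_port keep state
pass in on $ext_if proto tcp from $lan_net to ($ext_if) port 21 keep state
# Caveat: passive-mode FTP needs the server's passive data-port range opened
# from $lan_net too (or use active mode); "block all" closes it otherwise.

# Traffic the server itself initiates (package updates, DNS, ...).
pass out on $ext_if proto { tcp udp } keep state
pass out on $ext_if inet proto icmp keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and add `pf_enable="YES"` to /etc/rc.conf so the rules come back after the reboot the original poster mentions. Keep a console or out-of-band session open the first time you enable it, since a typo in the ssh rule locks you out.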