How To Set Up a VPS Firewall?
The global pandemic forced many people to stay at home and gave them enough free time to launch the projects they’ve been thinking about for so long.
Because Virtual Private Servers (VPS) offer a middle ground between an affordable shared plan and a powerful dedicated server, many new website owners logically consider them an excellent option to start with.
Managing a virtual server includes a more hands-on approach from the user, and one essential task is setting up a VPS firewall. Let’s clear some of the confusion that surrounds the matter.
The Importance of VPS Security
The wave of novice website administrators is good news for hackers. There is a wide selection of new targets available, and many of them are not prepared for whatever the modern threat landscape has to throw at them.
The incentive for attacking these new websites is pretty good, as well. Many up-and-coming projects revolve around an ecommerce business model, so a successful attack might give hackers unauthorized access to sensitive (and valuable) data.
Even if that’s not the case, a compromised virtual server presents a launchpad for further attacks. Many VPS users know that a firewall is one of their most basic and essential defense mechanisms.
But do they know how it works? And can they set it up without professional help?
What is a VPS Firewall?
A firewall is a network security system that uses predetermined rules to filter incoming and outgoing traffic. It checks the requests exchanged between your VPS and the outside world and blocks the ones that look suspicious.
In the context of web hosting servers, a firewall is the easiest way of stopping attacks like brute-force, DDoS, port scanning, and various other threats that can lead to service outages or server takeover.
But a firewall is only useful if you configure it properly.
For example, there are a total of 65,535 TCP and UDP networking ports. Your server utilizes only a handful of them. A properly configured firewall will block all connections to ports that are not used by any legitimate services.
A VPS firewall will also have strict rules on how the services are used.
For example, suppose it sees that a single IP address is generating an unusual amount of traffic. A properly configured firewall will block the IP before it starts hogging the server resources and compromises its performance.
The technology has been around since the 1980s, and today, most computers and servers are protected by a firewall. There are free and premium solutions available for every setup imaginable. Some of them are integrated with the operating system itself, while others come as third-party products.
The majority of VPS solutions for web hosting run on Linux, so today’s guide will focus on the essentials for the open-source operating system.
Here are some of the most popular Linux firewalls:
Iptables is integrated into most Linux distributions. It’s been around for a while and has proven itself a lightweight but powerful solution for filtering traffic on Linux systems.
Iptables has evolved quite a bit over the years. At first, it could only apply policies to incoming packets, but its modular architecture allowed developers to expand its functionality immensely over the years.
Right now, iptables is considered to be one of the most flexible firewalls around.
This is in no small part due to features like the ability to work on many different levels and its backup and restore support. The only downside is, iptables is configurable only through the command-line interface, which many users find tricky to understand.
Nftables is billed as iptables’s successor. It’s built by the same team and comes with out-of-the-box support for IPv4 and IPv6. Like iptables, it’s configured only via the terminal. Luckily, it presents users with a more readable syntax.
This means that server owners who want to use the operating system’s built-in firewall should have an easier time setting everything up.
Although distributions like CentOS 8 have already implemented nftables, it’s still nowhere near as common as iptables. Nevertheless, it is expected to eventually become the default Linux firewall, so you may want to start getting familiar with it sooner rather than later.
Another firewall solution that tries to make users’ lives easier is the Uncomplicated Firewall (or UFW). This solution is integrated into modern Ubuntu versions, and although it’s not available in all software repositories, installing it on other Linux distros is also possible.
You can find services that allow you to configure UFW via a Graphical User Interface (GUI). More straightforward management isn’t UFW’s only advantage. It also provides users with features like IPv6 support, the ability to block a range of IPs, and the option to limit access to certain ports.
ConfigServer Firewall or CSF is one of the most popular firewall solutions for Linux servers. It’s free and uses iptables as a framework, meaning its configuration on most Linux distributions is pretty straightforward.
This firewall is also quite feature-rich.
CSF has mechanisms specifically designed to offer efficient protection against SYN floods and port scanning. Of particular note is the Login Failure Daemon – a function that periodically checks for brute-force attempts and blocks the perpetrator’s IP if it finds evidence of a potential attack.
While the impressive set of features sets it apart from many other firewall solutions, for most, CSF’s primary selling point is its seamless integration with popular web hosting control panels. Users of cPanel/WHM, Webmin, and DirectAdmin don’t need to use the command-line interface to configure CSF.
Instead, they can manage the firewall rules from inside their control panels. In addition to all of this, CSF’s GUI plugins also allow them to view detailed statistics and draw conclusions about potential attack patterns.
PfSense is a powerful routing platform that works as a firewall, a router, a DHCP, and a DNS server.
As a firewall, pfSense’s features include:
- a filtering system based on source and destination IPs, protocols, and ports
- WAP and VPN endpoint functionality
- real-time information feed about the server
- the ability to balance output and input load
A stateful packet inspector takes a deeper look at each packet before letting it through. Plus, the preset rule profiles and per-interface configuration give pfSense greater flexibility.
Shorewall is yet another open-source firewall solution for Linux. It uses Netfilter, a framework built into the Linux kernel to track connections and filter packets. The solution supports a range of router, firewall, and gateway applications.
Among the Shorewall features, you’ll find:
- flexible address management support
- the ability to blacklist individual IPs and subnetworks
- VPN support
- traffic shaping and accounting
- IPv6 support and easy integration with a range of virtualization technologies
Users looking for a firewall with a GUI should know that Shorewall integrates well into the Webmin control panel.
How to Set Up a VPS Firewall
Installing and configuring a firewall often requires root access to the server and inevitably involves some command-line work, which many people aren’t used to.
Nevertheless, as the steps for installing CSF on a Linux VPS will show you, there’s nothing too difficult or complicated.
Here’s what you need to do:
1. Navigate to /usr/src and download CSF
The commands you need to use are:
Your VPS will automatically download CSF’s latest version from the official site and place it in the /usr/src/ directory.
2. Extract the CSF archive
The following command will extract all the files in the csf.tgz archive:
tar xzf csf.tgz
3. Go to CSF’s directory and run the installer
The commands you need to use are:
Running this, you’ll launch CSF’s installer. Before it installs the application, it will first check whether all the prerequisites are there. If it runs into a critical error – you may need to install Perl and libwww before proceeding.
By default, they should be available on all supported Linux distributions, but in case they aren’t – the commands you’ll need to use are:
yum install perl-libwww-perl – for RHEL-based distributions
apt install libwww-perl – for distros based on Debian.
4. Disable any existing firewalls and configure CSF
If any other firewall utilities are running on your computer, you may need to disable them with a systemctl command. CSF’s configuration is located in /etc/csf/csf.conf, and if you use one of the supported web hosting control panels – you can enable and manage the firewall from there.
Fortunately, CSF, like many other popular Linux firewalls, comes with extensive documentation. Figuring out what sort of settings you need to apply to set up the firewall to your exact specifications shouldn’t be difficult at all.
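A pre-flight check for step 4, added here as an example (it is not ScalaHosting's or ConfigServer's code): before enabling CSF, compare the inbound ports it will allow with the ports your services actually listen on. It assumes the allow-list is the TCP_IN setting in csf.conf and only checks TCP; the sample config and `ss` output are constructed.

```shell
# Added example: compare CSF's TCP_IN allow-list with what is really listening.
# Constructed sample of csf.conf lines (the real file is /etc/csf/csf.conf).
SAMPLE_CONF='TESTING = "1"
# Allow incoming TCP ports
TCP_IN = "22,80,443,3306,30000:30010"'
# Constructed sample of `ss -Htln` output (listening TCP sockets, no header).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*'

# conf_get KEY CONF: print the quoted value of one csf.conf setting.
conf_get() {
    printf '%s\n' "$2" | awk -v k="$1" -F'"' \
        '$1 ~ ("^[ \t]*" k "[ \t]*=") { print $2; exit }'
}
# public_ports SS_OUTPUT: listening ports not bound to loopback, one per line.
public_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" && $4 !~ /^(127\.|\[::1\])/ {
        n = split($4, a, ":"); print a[n] }' | sort -un
}
# port_allowed PORT LIST: succeed if PORT is in the comma list (lo:hi ranges ok).
port_allowed() {
    printf '%s\n' "$2" | tr ',' '\n' | awk -v p="$1" -F: '
        NF == 1 && $1 + 0 == p + 0 { ok = 1 }
        NF == 2 && p + 0 >= $1 + 0 && p + 0 <= $2 + 0 { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}
# Public listeners that TCP_IN would cut off once CSF is active (lockout risk).
blocked_listeners() {
    allowed=$(conf_get TCP_IN "$1")
    for p in $(public_ports "$2"); do
        port_allowed "$p" "$allowed" || printf '%s\n' "$p"
    done
}
# TCP_IN entries that no public listener uses (candidates for removal).
unused_allowed() {
    for e in $(conf_get TCP_IN "$1" | tr ',' ' '); do
        hit=0
        for p in $(public_ports "$2"); do
            if port_allowed "$p" "$e"; then hit=1; fi
        done
        [ "$hit" -eq 1 ] || printf '%s\n' "$e"
    done
}

echo "would be blocked:" $(blocked_listeners "$SAMPLE_CONF" "$SAMPLE_SS")
echo "allowed but unused:" $(unused_allowed "$SAMPLE_CONF" "$SAMPLE_SS")
```

On a real server, pass `"$(cat /etc/csf/csf.conf)"` and `"$(ss -Htln)"` in place of the samples. A port in the first list (here an SSH daemon moved to 2222) would lock you out; ports in the second list are open in the firewall for no service.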
You will need slightly different commands if you choose a firewall solution other than CSF. Still, the process is relatively straightforward if you have a self-managed VPS with root access.
The Role of Your Hosting Provider
Still, many site owners may not be willing to do all the work themselves, which is understandable, especially if they’re not used to working with a terminal.
For them, a managed plan is the perfect solution.
With a managed VPS, you still have your own virtual server. You’re free to utilize all its hardware resources and install the applications you see fit.
The difference is, you don’t need to do any of the sysadmin work. Instead, your hosting provider uses its expertise to make sure your VPS is correctly set up and working all the time.
This includes installing and configuring the VPS firewall.
It’s the preferred setup if your experience is limited and you don’t feel comfortable setting up everything on your own. However, avoid putting yourself in a rigid default setup that may or may not fit your project’s requirements.
If you need to use an application that requires a specific set of firewall rules, your host’s support team must be able to quickly check whether changing the settings is possible. If it is – they’ll apply the new configuration for you. If not – they should be able to point you to the correct self-managed plan and, ideally, give you information on suitable firewall solutions.
ScalaHosting Security Solutions
At ScalaHosting, we believe ConfigServer Firewall is the best Linux firewall solution for most use cases, which is why we use it on our managed cPanel and SPanel VPS plans. It’s a tried and tested solution based on iptables – a proven framework that has kept Linux systems safe for years.
At the same time, CSF’s flexibility allows us to create a setup that fits the needs of an inexhaustible range of projects and users. If you think it doesn’t completely suit your requirements – you can always get in touch with our technical support experts who are available 24/7.
A properly configured CSF firewall protects our customers from many attacks, but it’s not a complete solution to the security problem.
We’ve been in the business for well over a decade, and we’ve seen numerous security systems that promise to keep users safe. However, a while ago, we realized that there is no alternative to a custom-built solution when it comes to protecting websites and their visitors.
This is where SShield comes in.
It’s a state-of-the-art, in-house-built monitoring system that uses artificial intelligence to block almost all known web attacks. Available on all our shared and managed VPS plans, SShield keeps a close eye on your account at all times. If it senses suspicious behavior – it alerts you immediately.
SShield was custom built for ScalaHosting customers, and we continue to invest time and effort into it to ensure it’s prepared to defend against the latest threats.
The task of setting up a firewall may seem daunting for some people, especially if their server admin experience is limited. The truth is, there are so many helpful guides and resources that if you’re willing to put in the time and effort, you’re unlikely to get it wrong.
Nevertheless, if you still don’t feel comfortable tackling the task yourself, you can choose a managed VPS plan and leave the hard work to the experts.
Does my Linux VPS need a firewall?
Yes, it most certainly does. Linux may not be as vulnerable as Windows when it comes to malware attacks, but a web hosting server needs to defend against a much wider variety of threats, including DDoS, brute force attacks, and port scanning. Often, a firewall is the only way to fend them off.
Why do hackers attack VPSs?
Virtual private servers usually host websites. By attacking the server, hackers can gain unauthorized access to user data. A successful compromise also puts them in a position to use the VPS as a platform for future attacks.
How do I configure my VPS firewall?
Different firewall solutions offer different interfaces. Most of them are controlled via the command-line interface, but the syntax is rarely the same. Thankfully, helpful guides and tutorials are widely available for the most popular Linux firewalls.