Dedicated Hosting Firewall Information

From A2Wiki


As a Dedicated Server user, you have control over your own firewall settings. If you are not comfortable making changes yourself, you can open a Support ticket with A2Hosting, and they can make the changes for you as part of your monthly allotment of engineering time.



A2Hosting Default Open Ports

On a server with a cPanel license, the ports for standard cPanel services (web, mail, FTP, etc.) are open by default.

If you are on a server without cPanel, the only port open by default is for SSH.

NOTE: On A2Hosting's network, SSH runs on port 7822, not the standard port 22, so any firewall rule meant to cover SSH (including the whitelist entry described below) must name port 7822.

Standard TCP Port Numbers

Please see this article for a list of standard port numbers.

Configuration Files

The firewall used is the Advanced Policy Firewall, or apf, a front end that generates and manages the kernel's iptables rule set from its own configuration files. Official documentation and the project homepage are at: http://www.rfxnetworks.com/apf.php

Because apf rebuilds the iptables rules every time it is restarted, make your changes in the apf configuration files described here rather than with iptables directly, or they will be lost on the next restart.

Traffic flow into and out of the server is regulated by a "whitelist" of specifically allowed IP addresses/networks and a "blacklist" of specifically denied IP addresses/networks. The allow/deny lists are stored in /etc/apf/allow_hosts.rules and /etc/apf/deny_hosts.rules respectively. Entries in allow_hosts.rules take precedence, which is why adding your own address there (see below) protects you from being locked out.

Comment sections at the top of each file show the rule syntax, but to recap an entry can look like:

 ip.ad.re.ss

to allow/deny the IP address to all services, or

 tcp:in:d=pppp:s=aa.bb.cc.dd

which would allow (in allow_hosts.rules) or deny (in deny_hosts.rules) incoming TCP connections on port pppp from IP address aa.bb.cc.dd. The general form is proto:flow:[s/d]=port:[s/d]=ip, with proto being tcp or udp and flow being in or out; the comment block at the top of each file spells out the variants. A network in CIDR notation (aa.bb.cc.0/24) can be used in place of a single address in either form.

Automatic IP Address Blocking

The server automatically bans any IP address that records too many failed login attempts within a certain time period (the specifics are deliberately omitted here). Before doing anything else, add your own address to the whitelist so that a few mistyped passwords cannot lock you out. This only helps if you connect from a fixed public IP address; you could whitelist a larger network instead, but that would exempt every host in it from the brute-force blocking, which is not good security practice.

Edit /etc/apf/allow_hosts.rules and make an entry like this:

 # comment describing why this rule is being added, date/time, etc.
 tcp:in:d=7822:s=aa.bb.cc.dd

where aa.bb.cc.dd is the public IP address you will be SSH'ing from. If you don't know it, you can find it by going to http://ipfinder.us in your web browser, or, from an SSH session that is already open on the server, by running echo $SSH_CONNECTION: its first field is the address the server sees you connecting from, which is exactly the address the rule needs. The leading comment line is a good standard practice so that you can keep track of when a rule was added, who added it, and why.

If you will be connecting via SSH from multiple locations, make a separate rule entry for each IP.

When you are done adding rules, exit the file (saving changes), and then restart the firewall to load the new file(s):

 /etc/apf/apf --restart
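The whole whitelisting step, done as a small script. This is an added example and not A2Hosting's or APF's own code: it validates the address, appends a commented allow rule in the tcp:in:d=port:s=ip form used above, refuses to add the same rule twice, and leaves the firewall restart to the operator. The rules-file path and port are parameters so the functions can be tried on a scratch file first; the function names (is_ipv4, add_ssh_allow, and so on) are my own.

```shell
#!/bin/sh
# Added example, not A2Hosting's or APF's own code: whitelist SSH from one
# fixed address in an APF allow file without duplicating an existing entry.
# Assumptions: the proto:flow:d=port:s=ip rule form shown on this page; the
# rules-file path and port are parameters so this can be tried on a scratch file.
set -u

# True (exit 0) when $1 is a dotted-quad IPv4 address with every octet 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit, or malformed dots
    esac
    oldifs=$IFS
    IFS=.
    set -- $1                                  # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Compose one APF allow entry: incoming TCP to port $2 from source address $1.
apf_allow_rule() {
    printf 'tcp:in:d=%s:s=%s\n' "$2" "$1"
}

# Append a commented SSH allow rule for $1 to the rules file $2 (port $3,
# default 7822; reason $4). Prints the rule it added. Returns 1 if the exact
# rule is already present, 2 if the address is invalid.
add_ssh_allow() {
    ip=$1; rules_file=$2; port=${3:-7822}; why=${4:-ssh access}
    is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 2; }
    rule=$(apf_allow_rule "$ip" "$port")
    if grep -qxF "$rule" "$rules_file" 2>/dev/null; then
        return 1                               # already whitelisted
    fi
    {
        printf '# %s from %s, added %s\n' "$why" "$ip" "$(date -u +%Y-%m-%dT%H:%MZ)"
        printf '%s\n' "$rule"
    } >> "$rules_file"
    printf '%s\n' "$rule"
}

# Number of active (non-comment, non-blank) entries in a rules file.
count_rules() {
    grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# Stand-alone demonstration against a temporary file; /etc/apf is never touched.
if [ "${APF_EXAMPLE_DEMO:-1}" = 1 ]; then
    tmp=$(mktemp)
    add_ssh_allow 203.0.113.10 "$tmp" 7822 "admin workstation"
    add_ssh_allow 203.0.113.10 "$tmp" || echo "duplicate skipped (rc=$?)"
    add_ssh_allow 300.1.1.1 "$tmp"    || echo "bad address rejected (rc=$?)"
    echo "--- $tmp now holds $(count_rules "$tmp") rule(s):"
    cat "$tmp"
    rm -f "$tmp"
fi
# For real use: add_ssh_allow <your-ip> /etc/apf/allow_hosts.rules && /etc/apf/apf --restart
```

Run as-is it only exercises itself against a temporary file. To apply a rule for real, call add_ssh_allow with your own address and /etc/apf/allow_hosts.rules, then restart apf as shown above; the duplicate check means the script can be re-run safely from several locations without growing the file.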

Quickly block an attacker

If you notice via logs, etc. that a particular IP address or network is hammering your server, you can drop all of its traffic at the command line by doing:

 /etc/apf/apf -d ip.ad.re.ss comment_with_no_spaces

That adds a rule dropping all ports from that IP address to deny_hosts.rules, loads it into the running firewall, and records "comment_with_no_spaces" alongside it. The comment field is optional but highly recommended: when you review your deny_hosts.rules file (and you are periodically reviewing that, right?) you will have a memory jog as to why the entry is there. The comment must be a single word, so use underscores rather than spaces.

If you need to block an entire network, give it in CIDR notation; the historical "class" names are shown only for reference:

 /etc/apf/apf -d aa.bb.cc.0/24    - 256 addresses (historically "Class C")
 /etc/apf/apf -d aa.bb.0.0/16     - 65,536 addresses (historically "Class B")
 /etc/apf/apf -d aa.0.0.0/8       - 16,777,216 addresses (historically "Class A")

Before denying a network, check that neither your own address nor any address you depend on (monitoring, backups, your hosting provider) falls inside it; the wider the mask, the more legitimate traffic you drop along with the attacker.
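Spotting the attacker in the logs is the part the section leaves to the reader. The following is an added example, not A2Hosting's or APF's own code: it counts failed SSH logins per source address in OpenSSH-format log lines, checks each candidate against the addresses already whitelisted in allow_hosts.rules so you can never generate a deny for yourself, and prints the corresponding apf -d commands for review instead of running them. The log lines and allow file it builds are constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example, not A2Hosting's or APF's own code: find the addresses behind
# repeated SSH login failures and print the matching "apf -d" commands for
# review, skipping anything already in the APF allow file so you never deny
# your own address. Assumptions: OpenSSH "Failed password for ... from IP port"
# log lines, and the allow-file rule forms shown on this page. Sample data below
# is constructed, not taken from a real server.
set -u

# Failed-password attempts per source address, as "<count> <ip>", highest first.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Source addresses whitelisted in an APF allow file: bare "a.b.c.d" lines and
# the s= field of proto:flow:d=port:s=ip rules. CIDR entries are printed as
# written, not expanded, so an address inside a whitelisted network is still
# reported by deny_commands; treat that as a simplification.
allowed_ips() {
    sed -n -e 's|^[[:space:]]*\([0-9][0-9./]*\)[[:space:]]*$|\1|p' \
           -e 's|.*:s=\([0-9./]*\).*|\1|p' "$1"
}

# One "apf -d" command per address with at least $3 (default 5) failures that is
# not whitelisted in allow file $2. Commands are printed, not run: review first.
deny_commands() {
    log=$1; allow=$2; threshold=${3:-5}
    allowlist=$(allowed_ips "$allow")
    failed_logins_by_ip "$log" | while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        if printf '%s\n' "$allowlist" | grep -qxF -- "$ip"; then
            continue                           # whitelisted: never deny ourselves
        fi
        printf '/etc/apf/apf -d %s sshd_%s_failed_logins\n' "$ip" "$count"
    done
}

# Constructed sample data written to a temporary directory; prints its path.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' \
      'Mar  3 10:01:12 host sshd[2211]: Failed password for root from 198.51.100.23 port 51122 ssh2' \
      'Mar  3 10:01:14 host sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 51130 ssh2' \
      'Mar  3 10:01:20 host sshd[2215]: Accepted publickey for deploy from 203.0.113.10 port 40022 ssh2' \
      'Mar  3 10:01:31 host sshd[2217]: Failed password for deploy from 203.0.113.10 port 40031 ssh2' \
      'Mar  3 10:01:35 host sshd[2217]: Failed password for deploy from 203.0.113.10 port 40031 ssh2' \
      'Mar  3 10:01:39 host sshd[2217]: Failed password for deploy from 203.0.113.10 port 40031 ssh2' \
      'Mar  3 10:02:01 host sshd[2220]: Failed password for root from 198.51.100.23 port 51140 ssh2' \
      'Mar  3 10:02:05 host sshd[2222]: Failed password for invalid user test from 192.0.2.77 port 33001 ssh2' \
      > "$dir/secure"
    printf '%s\n' '# admin workstation, added 2024-03-01' 'tcp:in:d=7822:s=203.0.113.10' \
      > "$dir/allow_hosts.rules"
    echo "$dir"
}

# Stand-alone demonstration on the constructed data; nothing is denied for real.
if [ "${APF_EXAMPLE_DEMO:-1}" = 1 ]; then
    d=$(make_samples)
    echo "failed logins per source:"
    failed_logins_by_ip "$d/secure"
    echo "proposed deny commands (3 or more failures, whitelist honoured):"
    deny_commands "$d/secure" "$d/allow_hosts.rules" 3
    rm -rf "$d"
fi
```

In the sample, the whitelisted admin workstation racks up three failures of its own (a mistyped password) and is correctly left alone, while the address with three failures from outside the whitelist is the one proposed for denial. On a real server point deny_commands at the SSH log (/var/log/secure or /var/log/auth.log, depending on the distribution) and /etc/apf/allow_hosts.rules, read the output, and paste only the lines you agree with.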

Unblock an IP Address

To easily remove a blocking rule for a specific IP address, we provide a script in the /app/bin directory called unbanip.sh that removes the relevant line from deny_hosts.rules and restarts the firewall automatically. This can be a bit faster than editing deny_hosts.rules by hand, hunting for the IP address, and then remembering to restart the firewall. apf itself also offers /etc/apf/apf -u ip.ad.re.ss, which removes the address from the allow/deny host files and from the running firewall in one step.
