Basic LAMP Server Part 2

Published on April 13, 2023 at 7:07 am by LEW

Introduction

In the last post we set up a LAMP server. The next step, before jumping into some of the things you can do with it, is to think about server security. This is not going to be a complete how-to on securing a server against attack, as the assumption at this point is that usage is restricted to your personal LAN. The focus will be on limiting casual user access.

Obviously if you are the only one who uses your home network, security is not going to be a major concern. However if it is possible that anyone else, say a guest or family member, has access to your LAN without you constantly looking over your shoulder, then some hardening of your server is recommended.

Below are a few simple things that can be done to provide a somewhat better level of security to your install.

Firewall Requirements

In the last post we mentioned nftables. We will be using nftables for our firewall. At this point we want to set up some basic rules before turning on the firewall. Otherwise we might find ourselves locked out of our own server.

I will attempt to make this as straightforward as possible. Unfortunately many nftables how-to sites seem to go out of their way to make things somewhat confusing for the new user. This is understandable, as nftables has lots of options and capabilities, the majority of which are not going to be of much interest to the first-time user. So we will keep it simple.

Our primary purpose at this point is to block all incoming network ports with the following exceptions: port 22 (SSH), port 80 (HTTP), and port 443 (HTTPS). All other incoming ports should be dropped.

You may decide to block port 80 at some point. Proceed with caution though, as some applications will attempt to use that port for normal operations and could require some configuration changes.

At the same time we also want to make sure that localhost loopback is available (a server will often loop traffic back to itself for various reasons). We will also want to allow all outgoing traffic from the server, as well as any incoming traffic that belongs to those outgoing connections, regardless of the port used.

NFTables Configuration

On Debian systems the configuration file for nftables is located at /etc/nftables.conf. We will edit it directly before turning on the nftables service. As usual, when modifying a configuration file, first make a backup copy of the original.

Looking in the default configuration file on a Debian 11 system, with your favorite text editor, we see the following.

#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
    }
    chain forward {
        type filter hook forward priority 0;
    }
    chain output {
        type filter hook output priority 0;
    }
}

The first line is the “shebang”: it lets the file be run as a script, and points to the program that will execute it (nft), along with any options (-f tells nft to read its rules from the file).

The next line flushes any existing rules. There should be none on a new installation, but it is a good habit to get into, as pre-existing rules can create some interesting results.

The remaining lines define our rule set. A single table named filter is created in the inet family (which covers both IPv4 and IPv6) with three chains: input, forward, and output.

Please complete and verify all the following edits before starting nftables, as a mistake here could lock you out of your system.

First we want to drop any traffic that does not match one of our input rules, so we add a drop policy to the end of the type line. Then we add three rules to the input chain to match our above requirements. The first rule allows loopback. The second rule opens ports 22, 80, and 443. The third rule allows all incoming traffic that is related to existing outgoing connections from the server.

chain input {
    type filter hook input priority 0; policy drop;
    iifname lo accept
    tcp dport { 22, 80, 443 } accept
    ct state established, related accept
}

Since this is not a router, we want to drop all traffic on the forward chain, so set “policy drop” there like we did for the input chain. We will leave the output chain alone.
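The complete /etc/nftables.conf with the edits above applied, assembled here as an added example rather than copied from the original post. Two lines go beyond what the post describes and are marked as such: an explicit drop for packets conntrack classifies as invalid, and an accept for IPv6 neighbor discovery, since the inet table also filters IPv6 and a drop policy would otherwise stop the LAN from resolving the server's IPv6 address.

```nft
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # loopback: the server talks to itself on 127.0.0.1 / ::1
        iifname lo accept
        # replies belonging to connections the server started
        ct state established, related accept
        # addition beyond the post: packets conntrack cannot place in any connection
        ct state invalid drop
        # addition beyond the post: IPv6 neighbor discovery, otherwise
        # IPv6 hosts on the LAN cannot learn the server's link-layer address
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # the three services we expose: SSH, HTTP, HTTPS
        tcp dport { 22, 80, 443 } accept
    }
    chain forward {
        # not a router: never pass traffic between interfaces
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        # default policy is accept: all outgoing traffic allowed
        type filter hook output priority 0;
    }
}
```

Before starting the service, nft -c -f /etc/nftables.conf parses the file without loading it, so a typo is caught while you still have access. After systemctl start nftables, nft list ruleset shows the rules the kernel is actually enforcing.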

Start Firewall

We are going to start nftables, but not set it to start at boot. That way if we have any problems, we can simply reboot and correct them.

systemctl start nftables

Make sure you can still access your server over the network with your browser and your SSH client (I am using PuTTY). Once we are satisfied with our firewall rules, we can set it to start at boot.

systemctl enable nftables

Conclusion

In this post we set up a very basic firewall with nftables. In the next post of this series we will move on to some additional simple things you can do to make your server more secure.
