RTCXpression

Digital Ocean now has Firewalls at the Network Layer – This is Important


June 6, 2017

I received a notice from Digital Ocean this morning about their new firewalls. You can read their blog post: Cloud Firewalls: Secure Droplets by Default

This is important. Until now, the only firewall I could put in front of a droplet was one installed on the virtual server itself. A host-level firewall can still be used to augment the network-layer one (for logging, rate limiting and the like), but it's no longer required just to keep unwanted ports closed.

The key here is “secure by default”: inbound traffic is denied unless a rule allows it. Once I enable a firewall, only one incoming rule exists and it's SSH (TCP port 22). I have to add the rest of the desired incoming ports deliberately, one rule at a time, so nothing ends up open by accident. Each rule can also be narrowed to specific source addresses, which is worth doing for SSH rather than leaving it open to the whole Internet.

Digital Ocean is Making Things Easier for me

Okay, so some other big name web hosting providers have firewalls at the network layer. I never used the one at Media Temple, when I used them to host my websites. Their control panel functions were confusing and I could never get the firewall rules entered correctly. To be fair, that was probably caused more by my flaky Internet connection at the time than anything else.

The settings for my droplet at Digital Ocean look nothing like a traditional control panel and that’s a good thing.

It took me less than five minutes to set up the firewall at Digital Ocean. I copied the port numbers from my existing host firewall, entered them there and then clicked on the button to enable it.

Firewalls

Back in 2013, I wrote about installing Webmin and ConfigServer Security & Firewall. I may or may not remove CSF. Having a secondary firewall isn’t going to hurt anything. I can get by without Webmin as a control panel, but only if I remove CSF.

I hardened my droplet sometime before I wrote about it in 2016. Then I wrote about blocking port scans in January of this year and then about blocking fewer port scans in April.

Now, port scans are no longer something I have to block on the droplet. The only ports that get past the network layer are the ones I entered into the Digital Ocean firewall; packets to everything else are dropped before they reach the server, so a scanner finds nothing but the services I chose to expose. I only have six incoming TCP ports (not counting the FTP passive range) and only one incoming UDP port. These are for SSH, FTP, the web server and Webmin. Nothing else on my droplet can be reached from the outside world. Two things are still worth watching: a passive FTP range is itself a block of open ports, and a rule that lets the whole Internet reach SSH or Webmin still relies on those services' own logins, so restricting their source addresses in the firewall rule is cheap insurance.
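To make the “secure by default” idea concrete (both the single SSH rule you start with and the short allowlist described here), below is an added Python example. It is not code from this post or from Digital Ocean. It expresses an inbound allowlist as rule objects laid out like the DigitalOcean API v2 firewall `inbound_rules` (protocol / ports / sources.addresses), as I understand that layout; the port numbers, the passive-FTP range, the UDP port and the source networks are constructed sample values, not the author's real configuration. It lints the rules for things that undercut default-deny (an “all ports” rule, a very wide range, an admin port open to the world) and evaluates whether a given packet would pass or be dropped.

```python
"""Default-deny inbound rule set for a cloud firewall, with a lint pass.

Added example for this post; not code from the original article or from
DigitalOcean. Rule objects follow the layout of the DigitalOcean API v2
firewall "inbound_rules" (protocol / ports / sources.addresses) as I
understand it; verify against the current API docs before sending.
All port numbers, the passive-FTP range and the source networks are
constructed sample values, not the author's real configuration.
"""
import ipaddress
import json

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

# TCP ports that hand out administrative access if a login succeeds.
# Leaving them reachable from the whole Internet deserves a warning even
# when the rule set is otherwise minimal. (22 = SSH, 10000 = Webmin.)
ADMIN_PORTS = {22, 10000}


def rule(protocol, ports, sources=(ANY_V4, ANY_V6)):
    """One inbound rule. 'ports' is a single port or a 'lo-hi' range."""
    return {"protocol": protocol, "ports": str(ports),
            "sources": {"addresses": list(sources)}}


# Constructed sample allowlist in the spirit of the post: SSH, FTP control
# plus a passive range, HTTP/HTTPS, Webmin, and one UDP port.
INBOUND = [
    rule("tcp", 22, sources=("203.0.113.0/24",)),  # SSH from one management net
    rule("tcp", 21),                                # FTP control
    rule("tcp", "30000-30099"),                     # FTP passive range (assumed)
    rule("tcp", 80),
    rule("tcp", 443),
    rule("tcp", 10000),                             # Webmin, still world-reachable
    rule("udp", 60000),                             # hypothetical UDP service
]


def parse_ports(spec):
    """'22' -> (22, 22); '30000-30099' -> (30000, 30099); 'all' -> (1, 65535)."""
    if spec == "all":
        return 1, 65535
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi) if hi else int(lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return lo, hi


def lint(rules, max_range=256):
    """Findings for rules that undercut 'secure by default'."""
    findings = []
    for r in rules:
        lo, hi = parse_ports(r["ports"])
        srcs = r["sources"]["addresses"]
        for s in srcs:
            ipaddress.ip_network(s)  # raises on a mistyped CIDR
        world = ANY_V4 in srcs or ANY_V6 in srcs
        if r["ports"] == "all":
            findings.append(f"{r['protocol']}: all ports open; that is not a firewall")
            continue
        if hi - lo + 1 > max_range:
            findings.append(f"{r['protocol']} {r['ports']}: {hi - lo + 1} ports open in one rule")
        if world and r["protocol"] == "tcp":
            for p in sorted(ADMIN_PORTS):
                if lo <= p <= hi:
                    findings.append(f"tcp {p}: admin port reachable from anywhere; restrict sources")
    return findings


def is_allowed(rules, protocol, port, src="198.51.100.7"):
    """Would a packet to protocol/port from src get through? Default deny."""
    src_ip = ipaddress.ip_address(src)
    for r in rules:
        if r["protocol"] != protocol:
            continue
        lo, hi = parse_ports(r["ports"])
        if not lo <= port <= hi:
            continue
        for s in r["sources"]["addresses"]:
            net = ipaddress.ip_network(s)
            if net.version == src_ip.version and src_ip in net:
                return True
    return False  # no rule matched: the network layer drops it


def api_body(name, rules, droplet_ids):
    """Request body for creating the firewall (shape assumed; outbound rules
    are omitted here and must be added before use)."""
    return json.dumps({"name": name, "inbound_rules": rules,
                       "droplet_ids": list(droplet_ids)}, indent=2)


if __name__ == "__main__":
    for f in lint(INBOUND):
        print("WARN", f)
    print(api_body("web-droplet", INBOUND, [0]))
```

Run as-is, the lint pass flags only the Webmin rule, because SSH in this sample is already limited to one source network while Webmin is still open to 0.0.0.0/0; the evaluator shows that anything not on the list (SMTP on 25, DNS on 53) is dropped, which is exactly what the post means by not having to worry about port scans.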


Categories: Technology


RTCXpression established Feb 28, 2011
Copyright © 2013-2017 RT Cunningham
Hosted at Digital Ocean