This is important. Before this, I had to install firewalls at the virtual server level. Firewalls can still be used at the virtual server level to augment the network layer, but they’re not required.
The key here is “secure by default”. Once I enable a firewall, only one incoming rule exists and it’s SSH. I have to enter the rest of the desired incoming ports one at a time.
Okay, so some other big name web hosting providers have firewalls at the network layer. I never used the one at Media Temple, when I used them to host my websites. Their control panel functions were confusing and I could never get the firewall rules entered correctly. To be fair, that was probably caused more by my flaky Internet connection at the time than anything else.
The settings for my droplet at Digital Ocean look nothing like a traditional control panel and that’s a good thing.
It took me less than five minutes to set up the firewall at Digital Ocean. I copied the port numbers from my firewall, entered them there and then clicked on the button to enable it.
Back in 2013, I wrote about installing Webmin and ConfigServer Security & Firewall. I may or may not remove CSF. Having a secondary firewall isn’t going to hurt anything. I can get by without Webmin as a control panel, but only if I remove CSF.
Now, I don’t have to worry about port scans at all. The only ports that get past the network layer are the ones I entered into the Digital Ocean firewall. I only have six incoming TCP ports (not counting the FTP passive ports) and only one incoming UDP port. These are for SSH, FTP, the web server and Webmin. Nothing else on my droplet can be reached from the outside world.
Previous and Next Articles:
Your comment will appear below the form when it's approved. When the page redisplays after hitting the send button (it can take a few seconds), your comment has been sent.
When replying to someone else's comment, please start the comment with "@" and the name so I can put it in the right place.
Please read some of my more important pages if you have the time: