This is important. Before this, I had to install firewalls at the virtual server level. Firewalls can still be used at the virtual server level to augment the network layer, but they’re not required.
The key here is “secure by default”. Once I enable a firewall, only one incoming rule exists and it’s SSH. I have to enter the rest of the desired incoming ports one at a time.
Okay, so some other big name web hosting providers have firewalls at the network layer. I never used the one at Media Temple, when I used them to host my websites. Their control panel functions were confusing and I could never get the firewall rules entered correctly. To be fair, that was probably caused more by my flaky Internet connection at the time than anything else.
The settings for my droplet at DigitalOcean look nothing like a traditional control panel and that’s a good thing.
It took me less than five minutes to set up the firewall at DigitalOcean. I copied the port numbers from my firewall, entered them there and then clicked on the button to enable it.
Back in 2013, I wrote about installing Webmin and ConfigServer Security & Firewall. I may or may not remove CSF. Having a secondary firewall isn’t going to hurt anything. I can get by without Webmin as a control panel, but only if I remove CSF.
Now, I don’t have to worry about port scans at all. The only ports that get past the network layer are the ones I entered into the DigitalOcean firewall. I only have six incoming TCP ports (not counting the FTP passive ports) and only one incoming UDP port. These are for SSH, FTP, the web server and Webmin. Nothing else on my droplet can be reached from the outside world.