Firewall Gateway in front of servers

valvps

Active member
Joined
Feb 17, 2017
Messages
74
Best answers
0
Ratings
3
Points
8
#1
Hello:

Any recommendations for using a firewall in front of servers such as Zimbra, cPanel, or any other server, whether Linux or Windows?


The idea is to have a web platform firewall that controls all incoming traffic before it reaches the servers...
 

mobin

Well-known member
Joined
Jun 22, 2017
Messages
185
Best answers
1
Ratings
63 1
Points
28
#2
If you are looking for a Web Firewall, Barracuda may be a good choice.
 

KnownHost-DanielP

Well-known member
Joined
Mar 1, 2018
Messages
121
Best answers
2
Ratings
27 3
Points
28
#3
I think this honestly depends on the scale of your infrastructure.

A hardware-based firewall can have its advantages, but at the end of the day, is still limited to your primary uplink capacity. So you need to look at it based on a risk / reward type scenario.

Determine what you want to block with the firewall. If it's just simply port blocking, use a software firewall on each server or IPTables. If you want to do active traffic filtering, then you need to determine what you actually want to filter and the benefits of it. You won't stop a DDoS with a HW firewall, as most of those simply overload your bandwidth capacity anyways.

Most firewalls aren't really that intelligent, so also make sure that you want a firewall and not something more like packet inspection and filtering based on that.
 

valvps

#4
Hello:

I need to protect different servers that provide different services.

I really liked https://sucuri.net/website-security-platform/

and I would like to know if it is possible to implement it using tools such as ClearOS or pfSense.

These features:

XSS (Cross Site Scripting)
RCE (Remote Code Execution)
SQLi (SQL injection)
Layer 7 DDoS protection
Brute Force protection
Intrusion Detection System
Intrusion Prevention System
HTTP Flood protection
2FA, Captcha and Password protection
 

KnownHost-DanielP

#5
Hmmm, you're going to pay a LOT of money to get all of that in one box...

The reason that Sucuri can offer that is they do it the same way Cloudflare does, with a mix of various applications.

You can forget about having much DDoS protection locally; unless it's a small attack, you really need a large scrubbing service.

XSS (Cross Site Scripting)
RCE (Remote Code Execution)
SQLi (SQL injection)

Those three can be done with mod_security rules but vary greatly depending on the type of applications hosted.

Intrusion Detection System
Intrusion Prevention System

That's kinda broad. CSF can do a lot of this, but it's all about your configuration. IDS also means monitoring the hell out of files for changes, getting alerted to them and taking action.

2FA, Captcha and Password protection

That's going to be either using Cloudflare or some type of 3rd party service that proxies your websites.

You can probably roll your own for a lot of this, but you won't find this combination in any on-site hardware firewall that won't give you a heart attack for the price they want.
 

KnownHost-DanielP

#7
We use them on a few of our shared servers. It functions decently well. It won't stop a volumetric DDoS attack, but it does well to identify localized hacking attempts against customer websites.
 

mobin

#8
OK, your requirement has changed from the actual query. Front-end web firewalls like Sucuri, Barracuda, Incapsula, etc. can work very well and protect your websites well. But these solutions are more suitable for websites which you can control directly, for example if you are the website owner or a developer who is managing the websites. For shared hosting, these solutions will be either expensive or difficult to manage because of the way they work. So in such a case, as Daniel suggested, you can rely on a ModSecurity-based WAF or any other similar solution that you can afford [it's not just money but the effort to maintain it]. Before implementing the solution, it's better to try it and experience how it can protect your websites/servers without interrupting the current functioning.
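
The trial-before-blocking rollout suggested in post #8, applied to the mod_security approach from post #5, as an added example that is not part of any post in this thread. It is a constructed ModSecurity v2 configuration for Apache; the rule ids, the log path and the `/cms/admin/editor` location are assumptions chosen for illustration.

```apache
# Added example: constructed ModSecurity v2 configuration (not from the thread).
<IfModule security2_module>
    # Stage 1: evaluate and log every rule but never block, so live
    # customer sites keep working while false positives are collected.
    SecRuleEngine DetectionOnly
    # Stage 2: once the audit log has been reviewed, switch to blocking.
    # SecRuleEngine On

    # Inspect POST bodies as well as query strings.
    SecRequestBodyAccess On

    # Audit only transactions that matched a rule or returned an error status.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    # Assumed log location; adjust to the server's layout.
    SecAuditLog /var/log/httpd/modsec_audit.log

    # SQL injection: libinjection-based operator over all request arguments.
    SecRule ARGS|ARGS_NAMES "@detectSQLi" \
        "id:1000001,phase:2,deny,status:403,log,t:none,t:urlDecodeUni,\
        msg:'SQLi detected in request argument'"

    # Cross-site scripting: libinjection-based operator over the same inputs.
    SecRule ARGS|ARGS_NAMES "@detectXSS" \
        "id:1000002,phase:2,deny,status:403,log,t:none,t:urlDecodeUni,\
        t:htmlEntityDecode,msg:'XSS detected in request argument'"
</IfModule>

# Rules behave differently per hosted application. Where the audit log shows
# a legitimate feature tripping a rule (here: a hypothetical HTML editor that
# posts markup), drop that one rule for that one location instead of
# disabling the engine for the whole site.
<LocationMatch "^/cms/admin/editor">
    <IfModule security2_module>
        SecRuleRemoveById 1000002
    </IfModule>
</LocationMatch>
```

In `DetectionOnly` mode the `deny` actions are logged but not executed, so the audit log shows what would have been blocked before any customer traffic is affected.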
 

mobin

#10
Self-promotion is not allowed in this forum, and here I am just answering your questions :)


Is there any proof to check it? :- You can try our software for 15 days using the trial license, and it's totally free. You can find a few reviews on the web too.

and this affects csf? :- We do not change any of your existing configurations. Our software provides CSF integration options, and you can use it to manage some CSF configurations and to block web attacks. You can run with your own CSF configuration with no issues.

But we do not provide any kind of DDoS protection, if that is one of your requirements... We dropped that feature because we know that such attacks, even at a medium rate, cannot really be mitigated at server level, so we cannot really guarantee full protection if we add it as one of the features. Instead, we would like to work on some rate limiting in the future.
 