Firewall
# Firewall Configuration for MediaWiki Servers
This article details firewall configuration best practices for servers hosting a MediaWiki 1.40 installation. A properly configured firewall is critical for protecting your wiki from unauthorized access and malicious attacks. This guide is intended for system administrators and those new to server security.
Understanding Firewalls
A firewall acts as a barrier between your server and the outside world. It examines incoming and outgoing network traffic and blocks anything that doesn't match your defined rules. For a MediaWiki server, the firewall needs to allow legitimate traffic (primarily web requests on ports 80 and 443) while blocking everything else. Different firewall solutions exist, including `iptables`, `firewalld`, and cloud provider firewalls (like AWS Security Groups or Azure Network Security Groups). This article will focus on general principles applicable to most firewalls, with some examples leaning towards `iptables` as it's common on Linux systems. See System Administration for general server management.
Essential Ports for MediaWiki
MediaWiki relies on several ports for its operation. Understanding these is crucial when configuring your firewall.
| Port | Protocol | Description | |
|---|---|---|---|
| 80 | TCP | Standard HTTP web traffic. Required for unencrypted access. | |
| 443 | TCP | Secure HTTPS web traffic. Highly recommended for security. See HTTPS Configuration | |
| 22 | TCP | SSH access for remote administration. Restrict access to trusted IPs only | See Secure Shell (SSH) |
| 3306 | TCP | MySQL/MariaDB database connection. Only allow access from the MediaWiki server itself. See Database Configuration | |
| 53 | UDP/TCP | DNS resolution. Usually handled by your system's DNS resolver. |
It's essential to *only* expose the ports necessary for external access. Leaving unnecessary ports open increases your attack surface. Consider Security Best Practices for a more comprehensive overview.
Basic Firewall Configuration (iptables Example)
The following examples demonstrate using `iptables` to configure a basic firewall. These are *examples* and should be adapted to your specific server setup and security requirements. **Always test firewall changes in a non-production environment first
First, it's good practice to set default policies to deny all incoming and forward traffic.
```bash iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT ```
Then, allow established and related connections:
```bash iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT ```
Finally, allow SSH (from a specific IP address), HTTP, and HTTPS. Replace `your.ip.address` with your actual IP address.
```bash iptables -A INPUT -p tcp --dport 22 -s your.ip.address -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -j ACCEPT ```
These rules will block all incoming traffic *except* that specifically allowed. Remember to save your `iptables` rules so they persist after a reboot. The method for saving rules varies depending on your Linux distribution (e.g., `iptables-save > /etc/iptables/rules.v4` on Debian/Ubuntu). Consult your distribution's documentation. See Linux System Administration for more details.
Advanced Firewall Considerations
Beyond the basics, consider these advanced features:
- Rate Limiting: Protect against denial-of-service (DoS) attacks by limiting the number of connections from a single IP address.
- GeoIP Blocking: Block traffic from countries where you don't expect legitimate users.
- Web Application Firewall (WAF): A WAF (like ModSecurity) provides more granular control over web traffic and can protect against common web attacks (SQL injection, cross-site scripting, etc.). See ModSecurity Integration.
- Intrusion Detection/Prevention Systems (IDS/IPS): These systems monitor network traffic for malicious activity and can automatically block or alert you to suspicious behavior.
- Logging: Enable detailed firewall logging to help identify and investigate security incidents. See Server Logs.
- Server Security
- Database Security
- Regular Security Audits
- Intrusion Detection Systems
- Firewall Documentation (iptables)
- Telegram: @powervps Servers at a discounted price
Cloud Provider Firewalls
If your MediaWiki server is hosted on a cloud platform (AWS, Azure, Google Cloud), you'll also need to configure their respective firewall services. These typically operate at a network level, providing an additional layer of security. Cloud provider firewalls are often configured via a web interface and involve defining security groups or network security rules. Ensure these rules are consistent with your server-level firewall configuration. See Cloud Hosting Considerations.
Monitoring and Maintenance
Firewall configuration isn't a one-time task. Regularly review your firewall rules to ensure they are still appropriate and effective. Monitor your firewall logs for suspicious activity. Keep your firewall software up to date to benefit from the latest security patches. See System Monitoring for details on setting up monitoring.
Example Rule Set (Expanded)
This table demonstrates a more comprehensive but still basic rule set.
| Chain | Rule | Description |
|---|---|---|
| INPUT | `-P DROP` | Default deny all incoming traffic. |
| INPUT | `-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT` | Allow established and related connections. |
| INPUT | `-A INPUT -p tcp --dport 22 -s 192.168.1.100 -j ACCEPT` | Allow SSH from trusted IP. |
| INPUT | `-A INPUT -p tcp --dport 80 -j ACCEPT` | Allow HTTP traffic. |
| INPUT | `-A INPUT -p tcp --dport 443 -j ACCEPT` | Allow HTTPS traffic. |
| INPUT | `-A INPUT -p icmp --icmp-type echo-request -j DROP` | Drop ICMP echo requests (ping). |
| FORWARD | `-P DROP` | Default deny all forwarded traffic. |
| OUTPUT | `-P ACCEPT` | Default allow all outgoing traffic. (Generally safe for most setups) |
Remember to replace `192.168.1.100` with your actual trusted IP address.
Further Resources
Intel-Based Server Configurations
| Configuration | Specifications | Benchmark |
|---|---|---|
| Core i7-6700K/7700 Server | 64 GB DDR4, NVMe SSD 2 x 512 GB | CPU Benchmark: 8046 |
| Core i7-8700 Server | 64 GB DDR4, NVMe SSD 2x1 TB | CPU Benchmark: 13124 |
| Core i9-9900K Server | 128 GB DDR4, NVMe SSD 2 x 1 TB | CPU Benchmark: 49969 |
| Core i9-13900 Server (64GB) | 64 GB RAM, 2x2 TB NVMe SSD | |
| Core i9-13900 Server (128GB) | 128 GB RAM, 2x2 TB NVMe SSD | |
| Core i5-13500 Server (64GB) | 64 GB RAM, 2x500 GB NVMe SSD | |
| Core i5-13500 Server (128GB) | 128 GB RAM, 2x500 GB NVMe SSD | |
| Core i5-13500 Workstation | 64 GB DDR5 RAM, 2 NVMe SSD, NVIDIA RTX 4000 |
AMD-Based Server Configurations
| Configuration | Specifications | Benchmark |
|---|---|---|
| Ryzen 5 3600 Server | 64 GB RAM, 2x480 GB NVMe | CPU Benchmark: 17849 |
| Ryzen 7 7700 Server | 64 GB DDR5 RAM, 2x1 TB NVMe | CPU Benchmark: 35224 |
| Ryzen 9 5950X Server | 128 GB RAM, 2x4 TB NVMe | CPU Benchmark: 46045 |
| Ryzen 9 7950X Server | 128 GB DDR5 ECC, 2x2 TB NVMe | CPU Benchmark: 63561 |
| EPYC 7502P Server (128GB/1TB) | 128 GB RAM, 1 TB NVMe | CPU Benchmark: 48021 |
| EPYC 7502P Server (128GB/2TB) | 128 GB RAM, 2 TB NVMe | CPU Benchmark: 48021 |
| EPYC 7502P Server (128GB/4TB) | 128 GB RAM, 2x2 TB NVMe | CPU Benchmark: 48021 |
| EPYC 7502P Server (256GB/1TB) | 256 GB RAM, 1 TB NVMe | CPU Benchmark: 48021 |
| EPYC 7502P Server (256GB/4TB) | 256 GB RAM, 2x2 TB NVMe | CPU Benchmark: 48021 |
| EPYC 9454P Server | 256 GB RAM, 2x2 TB NVMe |
Order Your Dedicated Server
Configure and order your ideal server configurationNeed Assistance?
⚠️ *Note: All benchmark scores are approximate and may vary based on configuration. Server availability subject to stock.* ⚠️