# Firewall Configuration
This article details the necessary firewall configuration for a secure MediaWiki 1.40 installation. Properly configuring your firewall is critical for protecting your wiki from unauthorized access and malicious attacks. This guide assumes a basic understanding of networking and firewall concepts. We will cover essential ports, recommended rules, and common firewall software options.
== Understanding the Need for a Firewall
A firewall acts as a barrier between your MediaWiki server and the outside world. It examines incoming and outgoing network traffic against predefined rules and blocks anything that is not explicitly permitted, which significantly reduces the attack surface of the host. Without a properly configured firewall, every listening service on the server (SSH, the database, and anything else that happens to be running) is reachable from the internet, increasing exposure to brute-force and denial-of-service (DoS) attacks. Note that application-layer attacks such as SQL injection and cross-site scripting (XSS) arrive over the same HTTP/HTTPS ports you must leave open, so a network firewall alone does not stop them; a Web Application Firewall (WAF) provides that additional layer of protection. A firewall is also essential for compliance with many security standards.
== Essential Ports
MediaWiki relies on several network ports for proper operation. These ports must be open in your firewall to allow legitimate traffic. Here’s a breakdown of the essential ports:
| Port | Protocol | Description |
|---|---|---|
| 80 | TCP | HTTP - Standard web traffic. Required if not using HTTPS. |
| 443 | TCP | HTTPS - Secure web traffic. Highly recommended for all wikis. Requires an SSL certificate. |
| 22 | TCP | SSH - Secure Shell. Used for remote server administration. Restrict access to trusted IPs. |
| 3306 | TCP | MySQL/MariaDB - Database server port. Should be reachable only from the MediaWiki server itself (localhost); never expose it to the internet. |
| 53 | UDP/TCP | DNS - Domain Name System. Needed outbound for name resolution (the server queries resolvers); do not open it inbound unless the host itself runs a DNS server. |
- **Important:** Limit SSH access (port 22) to specific IP addresses whenever possible. Exposing SSH to the public internet increases the risk of brute-force attacks.
- **Default deny:** The recommended rules in the next section follow a "default deny" approach: all incoming traffic is blocked unless explicitly allowed. The `RELATED,ESTABLISHED` rule is crucial, because it allows replies to connections the server itself opened (for example DNS lookups). Ensure your database server is only accessible from the MediaWiki server itself.
- **Regularly Update Your Firewall:** Keep your firewall software up to date to protect against the latest security vulnerabilities.
- **Monitor Firewall Logs:** Regularly review your firewall logs for suspicious activity. Tools like Logwatch can help automate log analysis.
- **Intrusion Detection System (IDS):** Consider implementing an IDS like Snort or Suricata to detect and alert you to potential attacks.
- **Rate Limiting:** Implement rate limiting to prevent denial-of-service attacks.
- **Secure Your Database:** Ensure your MySQL/MariaDB server is properly secured with strong passwords and limited access. See the Database configuration article.
- **Regular Backups:** Maintain regular backups of your wiki and database. See Backup and Restore for details.
- **Keep MediaWiki Updated:** Update MediaWiki to the latest version to benefit from security patches and bug fixes. Refer to the Upgrading MediaWiki article.
== Recommended Firewall Rules
These rules provide a baseline for securing your MediaWiki installation. Adjust them based on your specific network environment and security requirements. These examples are for `iptables`, a common Linux firewall. Adapt the syntax for other firewall software like `firewalld` or cloud provider firewalls (AWS Security Groups, Azure Network Security Groups, Google Cloud Firewall Rules).
| Rule | Description |
|---|---|
| `iptables -A INPUT -p tcp --dport 80 -j ACCEPT` | Allows incoming HTTP traffic (port 80). |
| `iptables -A INPUT -p tcp --dport 443 -j ACCEPT` | Allows incoming HTTPS traffic (port 443). |
| `iptables -A INPUT -p tcp --dport 22 -s YOUR_ADMIN_IP -j ACCEPT` | Allows incoming SSH traffic (port 22) *only* from your specified IP address. Replace `YOUR_ADMIN_IP` (a placeholder) with the address you administer the server from. |
| `iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -j ACCEPT` | Allows incoming MySQL/MariaDB traffic (port 3306) *only* from localhost. |
| `iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT` | Allows established and related connections. |
| `iptables -A INPUT -j DROP` | Drops all other incoming traffic. This is the default deny rule. |
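The table above lists the rules one by one; the script below is an added example (not part of the original article) that applies the same default-deny rule set in a safe order and adds the two pieces a bare list omits: a loopback rule, without which local services such as the database on 127.0.0.1 break, and a logging rule so dropped packets show up in the firewall logs you are asked to monitor. `ADMIN_IP` is an assumed placeholder (a documentation-range address); set `DRY_RUN=1` to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: default-deny iptables rule set for a MediaWiki host.
# ADMIN_IP is an assumed placeholder; replace it with your own address.
set -eu

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # constructed placeholder (RFC 5737 range)
DRY_RUN="${DRY_RUN:-0}"                # 1 = print the commands, 0 = apply them

# Wrapper so the same function can be reviewed (dry run) or applied (as root).
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

mediawiki_firewall() {
  # Start from a clean INPUT chain, then deny inbound by default.
  ipt -F INPUT
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT ACCEPT            # outbound traffic (DNS on 53, updates) stays open
  # Loopback must be allowed or local services (PHP-FPM, DB on 127.0.0.1) break.
  ipt -A INPUT -i lo -j ACCEPT
  # Stateful rule first: replies to connections the server opened match here.
  # (-m conntrack is the modern spelling of the article's -m state rule.)
  ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
  # Public web traffic.
  ipt -A INPUT -p tcp --dport 80 -j ACCEPT
  ipt -A INPUT -p tcp --dport 443 -j ACCEPT
  # SSH only from the administrator's address.
  ipt -A INPUT -p tcp --dport 22 -s "$ADMIN_IP" -j ACCEPT
  # Database only over loopback (already covered by -i lo; kept explicit as in the table).
  ipt -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -j ACCEPT
  # Log what is about to be dropped (rate-limited so an attacker cannot flood syslog).
  ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
  # Explicit catch-all; the policy above already drops, this keeps the intent visible.
  ipt -A INPUT -j DROP
}

# Apply only when invoked as "sh mediawiki-fw.sh apply"; otherwise just define functions.
if [ "${1:-}" = "apply" ]; then
  mediawiki_firewall
fi
```

These rules cover IPv4 only; if the host has a public IPv6 address, apply an equivalent set with `ip6tables`, otherwise the services stay reachable over IPv6. Run a dry run first (`DRY_RUN=1 sh mediawiki-fw.sh apply`) and keep an out-of-band console available in case the SSH rule locks you out.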
== Common Firewall Software Options
Several firewall solutions are available, each with its own strengths and weaknesses. Here's a comparison of some popular options:
| Software | Operating System | Complexity | Features |
|---|---|---|---|
| iptables | Linux | High | Highly configurable, powerful, but requires significant knowledge. |
| firewalld | Linux | Medium | Easier to use than iptables, dynamic firewall management. |
| UFW (Uncomplicated Firewall) | Linux | Low | User-friendly interface for managing iptables. |
| Windows Firewall | Windows Server | Medium | Built-in firewall, adequate for basic protection. |
| Cloud Provider Firewalls (AWS Security Groups, Azure NSGs, GCP Firewall Rules) | Cloud Environments | Medium | Integrated with cloud infrastructure, scalable and flexible. |
Consider your operating system and technical expertise when choosing a firewall solution. For beginners, UFW or a cloud provider's firewall are good starting points. For more advanced users, iptables or firewalld offer greater control. Always consult the documentation for your chosen firewall software for detailed configuration instructions.
== Additional Security Considerations
Beyond port filtering, the hardening practices listed earlier apply whichever firewall software you choose: keep the firewall and MediaWiki updated, monitor the firewall logs, consider an IDS such as Snort or Suricata, apply rate limiting, harden the database server, and maintain regular backups. See the Database configuration, Upgrading MediaWiki, Backup and Restore, and Troubleshooting articles for details.