Firewall Setup
This article details the configuration of a firewall for a MediaWiki 1.40 installation. A properly configured firewall is crucial for the security of your wiki, protecting it from unauthorized access and potential attacks. This guide assumes a basic understanding of networking concepts. We will cover common firewall approaches and essential rules. It's vital to understand your hosting environment (shared hosting, VPS, dedicated server) as this impacts your control over firewall configuration. For shared hosting, you generally rely on the provider's firewall. For VPS/dedicated servers, you have more control, often using `iptables`, `firewalld`, or a cloud provider's security groups. See Server Security for a broader overview.
== Understanding Firewalls
A firewall acts as a barrier between your server and the internet. It examines incoming and outgoing network traffic and blocks anything that doesn't match pre-defined rules. This is a core component of Network Security. There are two main types of firewalls:
- **Stateful Firewalls:** These track the state of network connections. Because they know whether a packet belongs to a connection the host already established, return traffic can be accepted without opening the corresponding ports to everyone, which makes them more secure. `iptables` and `firewalld` are stateful.
- **Stateless Firewalls:** These examine each packet in isolation, without considering the connection's history.
== Common Firewall Tools
Several tools are commonly used for firewall configuration.
- **iptables:** A powerful, low-level firewall utility common on Linux systems. It can be complex to configure directly. See Linux System Administration.
- **firewalld:** A dynamic firewall manager with a more user-friendly interface than `iptables`. It's often the default on newer Linux distributions. Refer to Firewalld Configuration.
- **ufw (Uncomplicated Firewall):** A front-end for `iptables` designed to simplify common firewall tasks. It's user-friendly but less flexible than `iptables` directly. See UFW Tutorial.
- **Cloud Provider Firewalls:** AWS Security Groups, Azure Network Security Groups, and Google Cloud Firewall Rules provide firewall functionality within the cloud platform. See Cloud Hosting Considerations.
== Essential Firewall Rules for MediaWiki
The following rules are essential for securing a MediaWiki installation. These examples are generalized and may need adjustments based on your specific setup. These rules assume your web server (e.g., Apache or Nginx) is listening on port 80 (HTTP) and 443 (HTTPS). See Web Server Configuration.
=== Required Incoming Connections

| Port | Protocol | Description |
|---|---|---|
| 80 | TCP | HTTP web access (if not redirecting to HTTPS) |
| 443 | TCP | HTTPS web access (recommended) |
| 22 | TCP | SSH access (restrict to specific IP addresses if possible) - see SSH Security |
| 3306 | TCP | MySQL/MariaDB access (only allow from localhost or trusted servers) - see Database Security |

=== Recommended Incoming Connections (Conditional)

| Port | Protocol | Description |
|---|---|---|
| 53 | UDP | DNS (if running a DNS server on the same machine) |
| 25 | TCP | SMTP (if running an email server on the same machine) - see Email Server Configuration |
| 110 | TCP | POP3 (if running an email server on the same machine) |
| 143 | TCP | IMAP (if running an email server on the same machine) |
=== Outgoing Connections

Generally, outgoing connections should be allowed unless there is a specific reason to block them. However, consider restricting outgoing connections to essential services such as DNS (port 53) and NTP (port 123) for increased security. See Time Synchronization.

=== Example iptables Rules

(These are examples only; adapt them to your specific needs and distribution. Rules are evaluated in order, so the final DROP rule must come last.)

| Rule | Description |
|---|---|
| `iptables -A INPUT -p tcp --dport 80 -j ACCEPT` | Allow incoming HTTP traffic |
| `iptables -A INPUT -p tcp --dport 443 -j ACCEPT` | Allow incoming HTTPS traffic |
| `iptables -A INPUT -p tcp --dport 22 -s <Your IP Address> -j ACCEPT` | Allow SSH access from your IP address ONLY. Replace `<Your IP Address>` with your actual IP. |
| `iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -j ACCEPT` | Allow MySQL/MariaDB access from localhost |
| `iptables -A INPUT -j DROP` | Drop all other incoming traffic |

**Important:** After making changes to `iptables`, save the rules so that they persist after a reboot. The method for saving rules varies by distribution. See iptables Persistence.
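A complete version of the rules above, added here as an example and not taken from the article: it emits the ruleset in `iptables-restore` format so it can be reviewed (and saved) before being loaded, and adds the loopback and conntrack rules the table omits, without which the final DROP rule also discards replies to connections the server itself opens, such as package updates. The administrator address 203.0.113.10 is a placeholder from the RFC 5737 documentation range.

```shell
#!/bin/sh
# Added example (not from the article): emit a complete, stateful INPUT
# ruleset for a MediaWiki host in iptables-restore format, so the rules can
# be reviewed before they are applied with `iptables-restore < rules.v4`.
# Ports follow the article (80/443 web, 22 SSH from one admin address,
# MySQL/MariaDB only via loopback); the admin address is a placeholder.

# Reject anything that is not a dotted-quad IPv4 address or a /CIDR of one,
# so an empty or mistyped variable cannot silently produce an SSH rule
# without a source restriction.
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Usage: mw_ruleset ADMIN_IP  -> ruleset on stdout, exit 1 on a bad address
mw_ruleset() {
  valid_ipv4 "$1" || { echo "mw_ruleset: invalid admin address '$1'" >&2; return 1; }
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback: PHP reaches MySQL/MariaDB on 127.0.0.1:3306 over lo, so 3306
# never needs an externally reachable rule.
-A INPUT -i lo -j ACCEPT
# Stateful: replies to connections this host opened (package updates, DNS,
# NTP). Without this rule the DROP policy would discard them.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# SSH only from the administrator's address (placeholder in this example).
-A INPUT -p tcp --dport 22 -s $1 -m conntrack --ctstate NEW -j ACCEPT
# Log a rate-limited sample of what falls through, then the policy drops it.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "mw-fw-drop: "
COMMIT
EOF
}

# Count rules that would let port 3306 in from anything other than loopback;
# a correct ruleset returns 0.
exposed_mysql_rules() {
  printf '%s\n' "$1" | grep -- '--dport 3306' | grep -vc -- '-i lo'
}
```

Run `mw_ruleset 203.0.113.10 > rules.v4` and inspect the file before loading it; the logged drops appear in the kernel log with the `mw-fw-drop:` prefix.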
== Testing Your Firewall Configuration
After configuring your firewall, it's essential to test it to ensure it's working correctly. You can use tools like `nmap` to scan your server and verify that only the allowed ports are open. See Network Scanning.
- **`nmap <your_server_ip>`**: This will scan the most common ports.
- **`nmap -p 80,443,22 <your_server_ip>`**: This will scan only ports 80, 443, and 22.
== Further Considerations
- **Rate Limiting:** Implement rate limiting to protect against denial-of-service (DoS) attacks. This can be done with `iptables` or using a dedicated DoS protection service. See DoS Protection.
- **Intrusion Detection/Prevention Systems (IDS/IPS):** Consider using an IDS/IPS to detect and prevent malicious activity. Snort and Suricata are popular options.
- **Regular Updates:** Keep your firewall software and rules up to date to protect against the latest threats.
- **Logging:** Enable firewall logging to monitor traffic and identify potential security issues. See Server Logging.
- **Least Privilege:** Only allow the minimum necessary access. Avoid overly permissive rules.