Hello,

1) If a Linux server is running only two publicly available services, let's say an Apache web server and an SSH server, is it still important for denial-of-service mitigation to disallow all traffic that does not match these two services, even though there are no other public-facing services? Or does it not matter? Can you briefly explain why it matters or why not?

2) Maybe, from my layman's point of view, I am forgetting that Linux has more services/apps which can be affected by an incoming attack. For example, I have found “chronyd is a daemon for synchronisation of the system clock.” listening on Debian (netstat -tulnp). Btw., is netstat -tulnp the command that shows me the apps that potentially need to be allowed in a firewall? I would prefer to keep the default iptables policy ACCEPT while possibly just disallowing those chronyd incoming connections. I have been using the ACCEPT policy for years on more than one server.

Thank you
1) It is still important to disallow all traffic that does not match the two services to prevent potential attacks on other vulnerable services that may be running on the server. This can help mitigate risk and protect the server from unauthorized access or exploitation.

2) Yes, the netstat -tulnp command can show you all the network services that are listening on the server, including potential services that may need to be allowed in a firewall. It is wise to review and secure all services running on the server, even if they are not publicly accessible, to prevent any potential security vulnerabilities.

3) While using the default iptables policy of ACCEPT may be convenient, it is still recommended to deny incoming connections to unnecessary services like chronyd to further enhance the security of the server. This additional layer of protection can help reduce the risk of potential security breaches or unauthorized access.
Disallowing every port except 22, 80 and 443 does not really matter if you are not running other services, though it is best practice. What if you add some random service in the future, e.g. for testing, and then forget about it? Things like that are among the most common security flaws. Regarding denial-of-service attacks, it won't matter; they still can/will be performed on the web server. The thing that helps in this regard is a DDoS protection service like Cloudflare.
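Putting both answers into practice (the netstat -tulnp review from the first answer and the "only 22, 80, 443" default-deny ruleset from the second), here is an added Python example that is not from either poster: it parses a constructed netstat sample, flags listeners exposed beyond the intended public set, and emits an iptables-restore ruleset. The sample lines, PIDs, and the assumption that chronyd binds udp/123 on all addresses are constructed for illustration.

```python
import re
# Constructed `netstat -tulnp` sample for the Debian host in the question
# (PIDs, and chronyd binding udp/123 on all addresses, are assumptions).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      845/apache2
tcp6       0      0 :::443                  :::*                    LISTEN      845/apache2
udp        0      0 0.0.0.0:123             0.0.0.0:*                           530/chronyd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           530/chronyd
udp6       0      0 ::1:323                 :::*                                530/chronyd
"""
# Columns: Proto Recv-Q Send-Q Local Foreign [State] PID/Program (State is empty for udp)
LINE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+)\s+\S+\s+(?:LISTEN\s+)?(\S.*?)\s*$")

def review(text, public):
    """Sort listeners into loopback-only (no firewall rule needed), intended
    public (proto, port) pairs, and exposed-but-unintended (close or allow)."""
    loopback, intended, unexpected = [], [], []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, local, prog = m.groups()
        addr, port = local.rsplit(":", 1)
        entry = (proto, int(port), prog)
        if addr.startswith("127.") or addr == "::1":
            loopback.append(entry)
        elif (proto, int(port)) in public:
            intended.append(entry)
        else:
            unexpected.append(entry)
    return loopback, intended, unexpected

def iptables_rules(public):
    """Default-deny INPUT ruleset in iptables-restore format. The stateful rule
    keeps chronyd working as an NTP client (replies to its own outbound queries
    are ESTABLISHED) without ever opening udp/123 to the internet."""
    rules = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
             "-A INPUT -i lo -j ACCEPT",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
             "-A INPUT -p icmp -j ACCEPT"]
    for proto, port in sorted(public):
        rules.append(f"-A INPUT -p {proto} --dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    return rules + ["COMMIT"]

if __name__ == "__main__":
    public = {("tcp", 22), ("tcp", 80), ("tcp", 443)}
    print("exposed but not intended:", review(SAMPLE, public)[2])  # the chronyd udp/123 line
    print("\n".join(iptables_rules(public)))
```

This is the IPv4 table only; the :::443 listener needs an equivalent ip6tables ruleset. Apply it from a console session or with a timed rollback so a mistake in the SSH rule cannot lock you out.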