Network security

Network security

Ports⁠

Blocked ports⁠

To protect the Servercore infrastructure from malicious network activity, we restrict access to certain TCP/UDP ports.On the edge routers at the edge of the Servercore Internet network, both inbound and outbound traffic is blocked.An exception applies to TCP port 25 — only outbound traffic is blocked to limit potentially malicious email.A list of blocked ports can be found in the Blocked Ports instruction.

Ports that are most often opened⁠

22/TCP (SSH)	Often subject to password mining attacks to connect to the server
3389/TCP (RDP)	Often attacked due to weak passwords and system vulnerabilities
5900/TCP (VNC)	Often attacked due to weak passwords
80/TCP (HTTP)	Because of unencrypted data transmission, data is easily intercepted. Often subject to web application attacks, for example using XSS or SQL injections
443/TCP (HTTPS)	Despite data encryption, there may be vulnerabilities in SSL/TLS that could lead to data interception by attackers. Often exposed to web application attacks, such as XSS or SQL injection attacks
21/TCP (FTP)	Due to unencrypted data transmission, data is easily intercepted
23/TCP (Telnet)	Due to unencrypted data transmission, data is easily intercepted
445/TCP (SMB)	Used by attackers to spread malware
3306/TCP (MySQL)	Open access to MySQL can lead to data leaks
5432/TCP (PostgreSQL)	Open access to PostgreSQL can lead to data leaks

Firewalling⁠

To protect the system, restrict inbound and outbound traffic.Define a list of required network services and for each of your servers, allow connections only to network ports that are associated with those services.If necessary, restrict the source address of the connection.All connections that are not explicitly allowed should be blocked.

Network security for private subnets and public IP addresses can be provided by:

• cloud firewall — A stateful firewall for cloud servers. You can work with it in control panel with the help of OpenStack CLI;
• basic firewall — A stateless firewall for dedicated servers. You can work with it only in the control panel.

Security teams in the cloud platform⁠

With security groups, you can configure rules to filter all traffic that passes through the cloud server port.

Network Attack Detection and Prevention (IPS)⁠

To detect and prevent network attacks, we recommend using specialized solutions — Intrusion Prevention System (IPS).

Among the free tools that perform IPS functions, the most popular and functional are:

• Suricata;
• Snort;
• CrowdSec.

We recommend using Wazuh as the Host-based Intrusion Detection System (HIDS).

Server-level network protection⁠

You can also protect network connections at the server-specific level.On servers running OC Linux we recommend using:

• Uncomplicated Firewall (UFW) — is a tool for customizing a firewall. It was developed for the Ubuntu distribution, but is available for other distributions such as Debian. To configure the UFW tool, use the following instructions UFW Ubuntu documentation;
• firewalld — a firewall management system that is installed by default in distributions based on Red Hat Enterprise Linux, such as Fedora, CentOS, Alma Linux, Rocky Linux, and Oracle Linux. For more information on configuring it, see the firewalld documentation and configuration examples in the Fedora documentation.

When configuring a firewall, keep in mind that some ports originally intended for specific services can be used by attackers for hacking.For example, 21/TCP (FTP), 22/TCP (SSH), 23/TCP (Telnet), and 3389/TCP (RDP) are dangerous ports that are often subject to password mining attacks and vulnerability exploitation.To see a complete list of these ports, see the Ports Most Often Opened table.

Network access to a cloud database cluster⁠

In cloud databases, you can configure network access to the cluster.Users can only access the cluster itself — there is no access to the cluster nodes, as they are on the Servercore side.By default, in clusters with a public subnet, connection is allowed for all addresses with a login and password.In a cluster with a private subnet, connections are allowed from the cluster subnet and from those subnets that are connected to the cluster subnet by the cloud router.You can limit the list of addresses from which access to the database cluster will be allowed.For more information, see PostgreSQL, PostgreSQL for 1C, PostgreSQL TimescaleDB, MySQL semi-sync, MySQL sync, Redis and Kafka.

DDoS protection⁠

Servercore provides free infrastructure protection against DDoS attacks at the network and transport layers (L3-L4) — more information in the Servercore Protection manual .Information about blocked attacks, network blocking and blocked IP addresses can be viewed in the control panel under Products → Network Incidents.For more information about the information that can be tracked, see the Network Incidents section.

Web application security⁠

To protect web applications at the application layer (L7), we recommend using specialized solutions — Web Application Firewall (WAF).

Among the free tools that perform WAF functions, the most popular and functional are:

• CrowdSec;
• open-appsec.