Network security

Blocked ports

To protect Servercore infrastructure from malicious network activity, we restrict access to certain TCP/UDP ports. On the edge routers of the Servercore Internet network, both incoming and outgoing traffic to these ports is blocked. The exception is TCP port 25: only outgoing traffic is blocked there, to limit the sending of potentially malicious email. The list of blocked ports is given in the Blocked ports instructions.

Firewalling

To protect your system, limit both incoming and outgoing traffic. Define the list of network services each server requires and allow connections only to the network ports associated with those services. Where possible, also restrict the source addresses that may connect. Every connection that is not explicitly allowed should be blocked.

Network security for private subnets and public IP addresses can be provided by:

You can also protect network connections at the specific server level. On Linux servers, we recommend using:

  • Uncomplicated Firewall (UFW) — a tool for configuring a firewall. Developed for the Ubuntu distribution, but also available for other distributions such as Debian. To configure UFW, see the UFW Ubuntu documentation;
  • firewalld — a firewall management system installed by default in distributions based on Red Hat Enterprise Linux, such as Fedora, CentOS, AlmaLinux, Rocky Linux, and Oracle Linux. See the firewalld documentation for configuration details and the Fedora documentation for configuration examples.

When configuring a firewall, keep in mind that ports originally intended for specific services are also used by attackers to break in. For example, 21/TCP (FTP), 22/TCP (SSH), 23/TCP (Telnet), and 3389/TCP (RDP) are frequent targets of password-guessing (brute-force) and vulnerability exploitation attacks. The full list of such ports is given in the table Ports that are most often opened below.

Ports that are most often opened

Port | Why it is targeted
22/TCP (SSH) | Often subject to password-guessing (brute-force) attacks aimed at logging in to the server
3389/TCP (RDP) | Often attacked due to weak passwords and system vulnerabilities
5900/TCP (VNC) | Often attacked due to weak passwords
80/TCP (HTTP) | Often exposed to web application attacks, such as XSS or SQL injection
443/TCP (HTTPS) | Despite encryption, vulnerabilities in SSL/TLS implementations or configuration can allow attackers to intercept data
21/TCP (FTP) | Data is transmitted unencrypted and is easily intercepted
23/TCP (Telnet) | Data is transmitted unencrypted and is easily intercepted
445/TCP (SMB) | Used by attackers to spread malware
3306/TCP (MySQL) | Open access to MySQL can lead to data leaks
5432/TCP (PostgreSQL) | Open access to PostgreSQL can lead to data leaks
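The following POSIX shell script is an added example, not Servercore's own code or the UFW project's. It turns a list of required services for a hypothetical server (the constructed REQUIRED_SERVICES value) into the default-deny UFW policy described in the Firewalling section, and flags any port from the table above that the list would leave reachable from every source address. The entry format (port/proto, optionally followed by :CIDR) and the RISKY_PORTS selection are assumptions of this example; 80 and 443 are left off that list because they are public by nature.

```shell
#!/bin/sh
# Added example (not Servercore's code): build a default-deny UFW policy from a
# list of required services and warn about commonly attacked ports left open
# to the whole Internet.

# Constructed sample input for a hypothetical server. One entry per line:
#   port/proto         allow from any address
#   port/proto:CIDR    allow only from that source network
REQUIRED_SERVICES="22/tcp:203.0.113.0/24
80/tcp
443/tcp
5432/tcp"

# Ports from the "Ports that are most often opened" table that normally have
# no reason to be reachable from every source address (assumed selection).
RISKY_PORTS="21/tcp 22/tcp 23/tcp 445/tcp 3306/tcp 3389/tcp 5432/tcp 5900/tcp"

# Print the ufw commands for the policy without executing them.
build_ufw_rules() {
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"   # tighten with 'ufw deny out ...' as required
    printf '%s\n' "$1" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        spec=${entry%%:*}        # port/proto part
        port=${spec%/*}
        proto=${spec#*/}
        case "$entry" in
            *:*) echo "ufw allow from ${entry#*:} to any port $port proto $proto" ;;
            *)   echo "ufw allow $port/$proto" ;;
        esac
    done
}

# Print each risky service that has no source restriction, one per line.
unrestricted_risky_ports() {
    printf '%s\n' "$1" | while IFS= read -r entry; do
        case "$entry" in ''|*:*) continue ;; esac
        case " $RISKY_PORTS " in *" $entry "*) echo "$entry" ;; esac
    done
}

# Apply the policy only when ufw is installed and we are root; otherwise
# just show what would be applied.
apply_policy() {
    if command -v ufw >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        build_ufw_rules "$1" | while IFS= read -r cmd; do $cmd; done
        ufw --force enable
    else
        build_ufw_rules "$1"
    fi
}

apply_policy "$REQUIRED_SERVICES"
for p in $(unrestricted_risky_ports "$REQUIRED_SERVICES"); do
    echo "WARNING: $p is allowed from every address; add a :CIDR source restriction" >&2
done
```

With the sample input the script prints the rule set and warns about 5432/tcp, since PostgreSQL is allowed from any address while SSH is limited to 203.0.113.0/24. On firewalld-based systems the same source-restricted rule is expressed as a rich rule, for example firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.0/24" port port="22" protocol="tcp" accept', followed by firewall-cmd --reload.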

Network access to a Managed database cluster

In Managed databases, you can configure network access to the cluster. Users work only with the cluster itself; there is no access to the cluster nodes, which are managed on the Servercore side. By default, in clusters with a public subnet, connections are accepted from any address and authenticated by login and password. In a cluster with a private subnet, connections are allowed from the cluster subnet and from subnets that share a cloud router with the cluster subnet. You can restrict the list of addresses from which access to the database cluster is allowed. For details, see the instructions for PostgreSQL, PostgreSQL for 1C, PostgreSQL TimescaleDB, MySQL semi-sync, MySQL sync, Redis and Kafka.

Web application security

To protect web applications at the application layer (L7), we recommend using a specialized solution: a Web Application Firewall (WAF).

Among the free tools that perform WAF functions, the most popular and functional are:

DDoS protection

Servercore provides free infrastructure protection against DDoS attacks at the network and transport layers (L3-L4); see the Servercore Protection instructions for details. Information about blocked attacks, network blocking, and blocked IP addresses is available in the control panel under Network services → Network incidents. For more on what can be tracked there, see Network incidents.

Network Attack Detection and Prevention (IPS)

To detect and prevent network attacks, we recommend using a specialized solution: an Intrusion Prevention System (IPS).

Among the free tools that perform IPS functions, the most popular and functional are:

As a Host-based Intrusion Detection System (HIDS), we recommend using Wazuh.