Firewall configuration
- Firewall Configuration
This article details the necessary firewall configuration for a secure MediaWiki 1.40 installation. Properly configuring your firewall is critical for protecting your wiki from unauthorized access and malicious attacks. This guide assumes a basic understanding of networking and firewall concepts. We will cover essential ports, recommended rules, and common firewall software options.
== Understanding the Need for a Firewall
A firewall acts as a barrier between your MediaWiki server and the outside world. It examines incoming and outgoing network traffic based on predefined rules. By blocking unwanted traffic, a firewall significantly reduces the risk of security breaches. Without a properly configured firewall, your wiki is vulnerable to attacks such as SQL injection, cross-site scripting (XSS), and denial-of-service (DoS) attacks. It’s also essential for compliance with many security standards. Consider using a Web Application Firewall (WAF) for more advanced protection.
== Essential Ports
MediaWiki relies on several network ports for proper operation. These ports must be open in your firewall to allow legitimate traffic. Here’s a breakdown of the essential ports:
| Port | Protocol | Description |
|---|---|---|
| 80 | TCP | HTTP - Standard web traffic. Required if not using HTTPS. |
| 443 | TCP | HTTPS - Secure web traffic. Highly recommended for all wikis. Requires a SSL certificate. |
| 22 | TCP | SSH - Secure Shell. Used for remote server administration. Restrict access to trusted IPs. |
| 3306 | TCP | MySQL/MariaDB - Database server port. Only accessible from the MediaWiki server itself. |
| 53 | UDP/TCP | DNS - Domain Name System. Required for name resolution. |
- Important:** Limit SSH access (port 22) to specific IP addresses whenever possible. Exposing SSH to the public internet increases the risk of brute-force attacks.
== Recommended Firewall Rules
These rules provide a baseline for securing your MediaWiki installation. Adjust them based on your specific network environment and security requirements. These examples are for `iptables`, a common Linux firewall. Adapt the syntax for other firewall software like `firewalld` or cloud provider firewalls (AWS Security Groups, Azure Network Security Groups, Google Cloud Firewall Rules).
| Rule | Description |
|---|---|
| `iptables -A INPUT -p tcp --dport 80 -j ACCEPT` | Allows incoming HTTP traffic (port 80). |
| `iptables -A INPUT -p tcp --dport 443 -j ACCEPT` | Allows incoming HTTPS traffic (port 443). |
| `iptables -A INPUT -p tcp --dport 22 -s <Your IP Address> -j ACCEPT` | Allows incoming SSH traffic (port 22) *only* from your specified IP address. Replace `<Your IP Address>` with your actual IP. |
| `iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -j ACCEPT` | Allows incoming MySQL/MariaDB traffic (port 3306) *only* from localhost. |
| `iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT` | Allows established and related connections. |
| `iptables -A INPUT -j DROP` | Drops all other incoming traffic. This is the default deny rule. |
- Explanation:** These rules follow a "default deny" approach. This means that all traffic is blocked unless explicitly allowed. The `RELATED,ESTABLISHED` rule is crucial for allowing responses to outbound connections. Ensure your database server is only accessible from the MediaWiki server itself.
== Common Firewall Software Options
Several firewall solutions are available, each with its own strengths and weaknesses. Here's a comparison of some popular options:
| Software | Operating System | Complexity | Features |
|---|---|---|---|
| iptables | Linux | High | Highly configurable, powerful, but requires significant knowledge. |
| firewalld | Linux | Medium | Easier to use than iptables, dynamic firewall management. |
| UFW (Uncomplicated Firewall) | Linux | Low | User-friendly interface for managing iptables. |
| Windows Firewall | Windows Server | Medium | Built-in firewall, adequate for basic protection. |
| Cloud Provider Firewalls (AWS Security Groups, Azure NSGs, GCP Firewall Rules) | Cloud Environments | Medium | Integrated with cloud infrastructure, scalable and flexible. |
Consider your operating system and technical expertise when choosing a firewall solution. For beginners, UFW or a cloud provider's firewall are good starting points. For more advanced users, iptables or firewalld offer greater control. Always consult the documentation for your chosen firewall software for detailed configuration instructions.
== Additional Security Considerations
- **Regularly Update Your Firewall:** Keep your firewall software up to date to protect against the latest security vulnerabilities.
- **Monitor Firewall Logs:** Regularly review your firewall logs for suspicious activity. Tools like Logwatch can help automate log analysis.
- **Intrusion Detection System (IDS):** Consider implementing an IDS like Snort or Suricata to detect and alert you to potential attacks.
- **Rate Limiting:** Implement rate limiting to prevent denial-of-service attacks.
- **Secure Your Database:** Ensure your MySQL/MariaDB server is properly secured with strong passwords and limited access. See the Database configuration article.
- **Regular Backups:** Maintain regular backups of your wiki and database. See Backup and Restore for details.
- **Keep MediaWiki Updated:** Update MediaWiki to the latest version to benefit from security patches and bug fixes. Refer to the Upgrading MediaWiki article.
Main Page Configuration Security Database configuration Upgrading MediaWiki SQL injection Cross-site scripting (XSS) Web Application Firewall (WAF) SSL certificate Logwatch Snort Suricata Denial-of-service attacks Backup and Restore Troubleshooting Help:Contents
Intel-Based Server Configurations
| Configuration | Specifications | Benchmark |
|---|---|---|
| Core i7-6700K/7700 Server | 64 GB DDR4, NVMe SSD 2 x 512 GB | CPU Benchmark: 8046 |
| Core i7-8700 Server | 64 GB DDR4, NVMe SSD 2x1 TB | CPU Benchmark: 13124 |
| Core i9-9900K Server | 128 GB DDR4, NVMe SSD 2 x 1 TB | CPU Benchmark: 49969 |
| Core i9-13900 Server (64GB) | 64 GB RAM, 2x2 TB NVMe SSD | |
| Core i9-13900 Server (128GB) | 128 GB RAM, 2x2 TB NVMe SSD | |
| Core i5-13500 Server (64GB) | 64 GB RAM, 2x500 GB NVMe SSD | |
| Core i5-13500 Server (128GB) | 128 GB RAM, 2x500 GB NVMe SSD | |
| Core i5-13500 Workstation | 64 GB DDR5 RAM, 2 NVMe SSD, NVIDIA RTX 4000 |
AMD-Based Server Configurations
| Configuration | Specifications | Benchmark |
|---|---|---|
| Ryzen 5 3600 Server | 64 GB RAM, 2x480 GB NVMe | CPU Benchmark: 17849 |
| Ryzen 7 7700 Server | 64 GB DDR5 RAM, 2x1 TB NVMe | CPU Benchmark: 35224 |
| Ryzen 9 5950X Server | 128 GB RAM, 2x4 TB NVMe | CPU Benchmark: 46045 |
| Ryzen 9 7950X Server | 128 GB DDR5 ECC, 2x2 TB NVMe | CPU Benchmark: 63561 |
| EPYC 7502P Server (128GB/1TB) | 128 GB RAM, 1 TB NVMe | CPU Benchmark: 48021 |
| EPYC 7502P Server (128GB/2TB) | 128 GB RAM, 2 TB NVMe | CPU Benchmark: 48021 |
| EPYC 7502P Server (128GB/4TB) | 128 GB RAM, 2x2 TB NVMe | CPU Benchmark: 48021 |
| EPYC 7502P Server (256GB/1TB) | 256 GB RAM, 1 TB NVMe | CPU Benchmark: 48021 |
| EPYC 7502P Server (256GB/4TB) | 256 GB RAM, 2x2 TB NVMe | CPU Benchmark: 48021 |
| EPYC 9454P Server | 256 GB RAM, 2x2 TB NVMe |
Order Your Dedicated Server
Configure and order your ideal server configuration
Need Assistance?
- Telegram: @powervps Servers at a discounted price
⚠️ *Note: All benchmark scores are approximate and may vary based on configuration. Server availability subject to stock.* ⚠️