Firewall rules
This article details firewall configuration best practices for a MediaWiki 1.40 installation, aiming to provide a secure environment for your wiki. Properly configured firewall rules are crucial for protecting your wiki from unauthorized access and malicious attacks. This guide assumes a basic understanding of networking concepts.
Understanding the Need for a Firewall
A firewall acts as a barrier between your MediaWiki server and the outside world. It examines network traffic and blocks any connections that do not meet your defined security rules. Without a firewall, your server is vulnerable to a wide range of threats, including Brute force attacks, SQL injection, and Cross-site scripting. Effective firewall configuration is a fundamental aspect of Server security.
Common Firewall Technologies
Several firewall technologies can be used to protect your MediaWiki server. The most common include:
- iptables: A powerful, flexible firewall included with most Linux distributions.
- ufw: A user-friendly front-end for iptables, simplifying rule management.
- firewalld: A dynamic firewall manager, often used with systemd-based distributions.
- Cloud Provider Firewalls: If your wiki is hosted in the cloud (e.g., AWS, Azure, Google Cloud), utilize their built-in firewall services (Security Groups, Network Security Groups, Firewall Rules). These offer an additional layer of defense.
This article will focus on concepts applicable to all firewalls, illustrating with examples suitable for iptables/ufw. Always consult the documentation for your specific firewall technology.
Essential Firewall Rules for MediaWiki
The following rules are essential for securing a standard MediaWiki installation. Adjust ports based on your specific configuration. Consider using a Reverse proxy like Nginx or Apache in front of MediaWiki; this can simplify firewall rules and add security benefits.
Basic Inbound Rules
These rules allow necessary traffic *to* your server.
| Port | Protocol | Source | Description |
|---|---|---|---|
| 80 | TCP | Any | HTTP access (if not using HTTPS) |
| 443 | TCP | Any | HTTPS access (recommended; always use HTTPS) |
| 22 | TCP | Restricted IP(s) | SSH access (limit to trusted IPs only! Consider using key-based authentication instead of passwords.) |
| 3306 | TCP | MediaWiki Server IP | MySQL/MariaDB access (only allow connections from the MediaWiki server itself.) |
Important Note: Always restrict SSH access (port 22) to only the IP addresses you will be connecting from. Exposing SSH to the internet is a significant security risk.
Basic Outbound Rules
These rules control traffic *from* your server. Generally, outbound rules are less restrictive than inbound rules, but you should still consider limiting unnecessary traffic.
| Port | Protocol | Destination | Description |
|---|---|---|---|
| 80 | TCP | Any | HTTP access for updates and extensions |
| 443 | TCP | Any | HTTPS access for updates and extensions |
| 53 | UDP | DNS Servers | DNS resolution |
Advanced Rules
These rules provide additional security layers.
| Rule Type | Description |
|---|---|
| Rate Limiting | Limit the number of connections from a single IP address to prevent Denial-of-service attacks. |
| Geo-Blocking | Block traffic from countries where you do not expect legitimate users to originate. Use with caution, as legitimate users may be affected. |
| Connection Tracking | Monitor established connections to identify suspicious activity. |
Example iptables Rules (Simplified)
These are illustrative examples. Adapt them to your specific environment.
```
# Allow SSH from a specific IP address
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.100 -j ACCEPT
# Allow HTTP and HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow traffic from the MediaWiki server to the database server
iptables -A INPUT -s 127.0.0.1 -p tcp --dport 3306 -j ACCEPT
# Drop all other incoming traffic
iptables -A INPUT -j DROP
# Allow all outbound traffic
iptables -A OUTPUT -j ACCEPT
```
**Remember to save your iptables rules!** The method for saving rules varies depending on your distribution.
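As an added example (not from the original article), the script below emits the same policy in iptables-restore format, but adds the loopback and conntrack ESTABLISHED,RELATED rules that the simplified listing above omits (without them the final DROP also discards replies to the server's own DNS and update traffic) and a per-source HTTPS connection cap from the Advanced Rules table. The admin address 192.168.1.100, the 127.0.0.1 database client and the limit of 50 are assumed placeholders.

```bash
#!/bin/sh
# Generates a complete filter table for a single-host MediaWiki install.
# Addresses and limits below are constructed placeholders; override via environment.
ADMIN_IP="${ADMIN_IP:-192.168.1.100}"   # assumption: the only host allowed to SSH in
DB_CLIENT="${DB_CLIENT:-127.0.0.1}"     # assumption: MediaWiki and MariaDB share the box
HTTPS_CONN_LIMIT="${HTTPS_CONN_LIMIT:-50}"

mw_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first: PHP talking to MariaDB over 127.0.0.1 depends on it
-A INPUT -i lo -j ACCEPT
# Replies to our own outbound connections (DNS, package updates) must be let back in;
# without this rule the DROP policy silently breaks apt/yum and DNS lookups
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH only from the admin host
-A INPUT -p tcp --dport 22 -s $ADMIN_IP -m conntrack --ctstate NEW -j ACCEPT
# Rate limiting: cap concurrent HTTPS connections per source address
-A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above $HTTPS_CONN_LIMIT --connlimit-mask 32 -j DROP
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Database reachable only from the wiki host itself
-A INPUT -p tcp --dport 3306 -s $DB_CLIENT -j ACCEPT
# Log a sample of what the DROP policy discards, for the log-review step
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "MW-FW-DROP: "
COMMIT
EOF
}

# Sanity check: the ESTABLISHED,RELATED rule must precede the first port rule,
# otherwise return traffic for the server's own connections is dropped.
mw_ruleset_check() {
  est=$(mw_ruleset | grep -n 'ESTABLISHED,RELATED' | cut -d: -f1)
  first_port=$(mw_ruleset | grep -n -- '--dport' | head -n1 | cut -d: -f1)
  [ -n "$est" ] && [ "$est" -lt "$first_port" ]
}

# Usage: mw_ruleset > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
```

Loading through iptables-restore replaces the whole table atomically, so a mistake does not leave the server half-configured the way a sequence of individual iptables -A commands can.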
Testing and Monitoring
After configuring your firewall, it's crucial to test its functionality. Verify that you can still access your wiki from authorized locations. Use tools like `nmap` to scan your server for open ports and identify potential vulnerabilities. Regularly review your firewall logs to detect and respond to suspicious activity. Consider setting up Intrusion detection systems for more advanced monitoring. Also, ensure Regular backups are enabled in case of an incident.