Many people still use IPTables or CSF as a firewall on their Kloxo-MR server. Need it?
2. Explanation:
- Port 21/22 is already 'protected' by lxguard (built-in firewall in Kloxo/Kloxo-MR)
- Port 25/110/143/465/597/993/995 are not open ports (need login) and are used/handled by qmail-toaster
- Port 53 is the DNS port and is used/handled by the DNS server
- Port 80/443 are the http/https ports and are used/handled by the web server. Nginx/hiawatha (that means including their -proxy variants) have a 'ban' mechanism to prevent DDOS attacks. For Apache alone you need mod_security (or similar modules; it needs to be removed/disabled if using nginx-/hiawatha-proxy)
- Port 3306 is the mysql port; better disable networking by adding 'skip-networking' or pointing to a certain IP with 'bind-address = 127.0.0.1'
- Port 7777/7778 are the Kloxo/Kloxo-MR panel ports and not open ports (need login). Because they run using hiawatha, they also have the 'ban' mechanism
3. My decision:
- Always disable IPtables (except for routing purposes)
- Do not install another firewall (like CSF)
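The MySQL point above (and the objection to it later in the thread) comes down to three possible states of the `[mysqld]` section. The following checker is an added illustration written for this page, not Kloxo-MR, CSF or MySQL code; it parses a my.cnf fragment and reports whether port 3306 is reachable from other hosts, and whether a loopback TCP listener survives for tools that tunnel over SSH to 127.0.0.1:3306. The sample fragments are constructed, and the assumption is a single-address `bind-address` as in the thread (newer MySQL versions also accept address lists, which this does not parse).

```python
"""Audit a my.cnf fragment for MySQL network exposure.

Added example for this thread (not Kloxo-MR, CSF or MySQL code).
Outcomes:
  exposed       - a TCP listener is reachable from other hosts
  loopback-only - bind-address is a loopback address: remote TCP is blocked,
                  but SSH tunnels to 127.0.0.1:3306 still work
  no-tcp        - skip-networking is set: no TCP listener at all, so tools
                  that reach MySQL through an SSH tunnel fail as well
"""
import configparser

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
TRUTHY = {"", "1", "on", "true", "yes"}


def mysql_exposure(my_cnf_text: str) -> dict:
    # my.cnf allows bare keys such as a lone 'skip-networking'; allow_no_value
    # keeps them (with value None) instead of raising a parse error.
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(my_cnf_text)
    if not cp.has_section("mysqld"):
        return {"status": "exposed", "ssh_tunnel_ok": True,
                "reason": "no [mysqld] section; server defaults listen on all interfaces"}

    # MySQL accepts both 'skip-networking' and 'skip_networking'; normalise.
    sec = {k.replace("_", "-"): v for k, v in cp.items("mysqld")}

    if "skip-networking" in sec:
        raw = sec["skip-networking"]
        if raw is None or raw.strip().strip("'\"").lower() in TRUTHY:
            return {"status": "no-tcp", "ssh_tunnel_ok": False,
                    "reason": "skip-networking disables the TCP listener entirely"}

    bind = sec.get("bind-address")
    if bind is None:
        return {"status": "exposed", "ssh_tunnel_ok": True,
                "reason": "no bind-address; listener accepts connections on every interface"}
    bind = bind.strip().strip("'\"")
    if bind in LOOPBACK:
        return {"status": "loopback-only", "ssh_tunnel_ok": True,
                "reason": f"bind-address = {bind} keeps TCP on loopback only"}
    return {"status": "exposed", "ssh_tunnel_ok": True,
            "reason": f"bind-address = {bind} is reachable from its network"}


# Constructed sample fragments (not copied from any real server).
CNF_DEFAULT = "[mysqld]\ndatadir = /var/lib/mysql\nport = 3306\n"
CNF_SKIP = "[mysqld]\nport = 3306\nskip-networking\n"
CNF_LOOPBACK = "[mysqld]\nport = 3306\nbind-address = 127.0.0.1\n"
CNF_LAN = "[mysqld]\nbind_address = '192.0.2.10'\n"

if __name__ == "__main__":
    for name, cnf in [("default", CNF_DEFAULT), ("skip", CNF_SKIP),
                      ("loopback", CNF_LOOPBACK), ("lan", CNF_LAN)]:
        print(name, mysql_exposure(cnf))
```

The `ssh_tunnel_ok` field is the distinction the thread argues over: both `skip-networking` and `bind-address = 127.0.0.1` stop remote hosts from reaching 3306, but only the second leaves a loopback socket for an SSH port forward to land on.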
OK, Mustafa, we understand. BUT, my decision is:
- Always enable IPtables
- Always install another firewall (like CSF)
HERE is the explanation:
- Port 21/22 is already 'protected' by lxguard (built-in firewall in Kloxo/Kloxo-MR)
Yes and no. This is only partly true.
Lxguard does not protect against "attempts" to log in on port 21 as well as 22 in diversity. An attempt to log in on port 21 as well as port 22 x times is allowed.
Further, it requires more time or resources, being mysql based, than firewalls, which are based on a different platform other than mysql.
- Port 25/110/143/465/597/993/995 are not open ports (need login) and are used/handled by qmail-toaster
Yes and no. This is only partly true. Ports 25/110/143/465/597/993/995 are open ports "to make attempts" for receiving and sending emails.
Anyone could make an attempt. As these ports are known to the world and open, they remain open to make attempts to use their function. The question is, thus, not "but can Qmailtoaster handle it?" but "why should Qmailtoaster handle it?".
With csf, although spamdyke could capture a lot, Qmailtoaster _MUST_ not handle thousands of connections given a very effective and optimized configuration of csf. Without it, it must, as there may be authentic connections which spamdyke may allow. This relieves server resources.
Other connection qualities, on which csf is specialized, like tracking of connections "even before the login procedure is invoked" or "attempts to connect", are not available in spamdyke.
Spamdyke specializes in parameters focused on the properties of a connection to work well with the MTA, as against csf, which specializes in all ports, diversity, time, etc. Both domains of technology overlap, though, as well as their functional aspects.
- Port 53 is the DNS port and is used/handled by the DNS server
Yes and no. This is only partly true. Why should port 53 constantly remain under attack from idiots allowed to make an attempt at an update of a DNS zone, although it is handled by the DNS server? So use csf to block attempts to update DNS zone files, which is not handled by a DNS server.
- Port 80/443 are the http/https ports and are used/handled by the web server. Nginx/hiawatha (that means including their -proxy variants) have a 'ban' mechanism to prevent DDOS attacks. For Apache alone you need mod_security (or similar modules; it needs to be removed/disabled if using nginx-/hiawatha-proxy)
Here, mod_security is much better than csf. I agree with you.
- Port 3306 is the mysql port; better disable networking by adding 'skip-networking' or pointing to a certain IP with 'bind-address = 127.0.0.1'
Yes and no. This is only partly true. With skip-networking, many tools that connect to mysql by first connecting to the SSH port WILL NOT WORK! You need to have it removed from my.cnf. Here, bind-address = 127.0.0.1 allows making SSH tunnels, although the skip-networking parameter does not exist.
- Port 7777/7778 are the Kloxo/Kloxo-MR panel ports and not open ports (need login). Because they run using hiawatha, they also have the 'ban' mechanism
Here, you are right. Changing the Kloxo-MR port to a non-default one and having Kloxo-MR lock itself or the offending IP after x attempts would result in the same effect as in csf.
Overall you miss a very important point: csf provides extraordinary protection compared to the protection available in Kloxo-MR, as well as protecting OVERALL way far beyond any other such tool, and it does relieve resources.
If there is a change in spamdyke.conf, shadow, password, group files, or many other such reporting mechanisms, csf will immediately bark on those changes.
Kloxo-MR sleeps at this point, leaving the administrator to sleep further. And that's what we do not like.
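The reply's core objection about ports 21/22 is that a per-service attempt limit lets an IP spread its tries across services ("in diversity") without ever tripping any single counter, whereas a firewall that tracks attempts per source IP across all ports catches that. The detector below is an added example written for this thread to show that distinction concretely; it is not lxguard, CSF or spamdyke code. It keeps a sliding window of failed logins per source IP and flags an IP either when one service's failures reach a per-service threshold or when the combined count across services reaches a lower-than-sum threshold. The log lines are constructed for the example and only mimic the shape of sshd and vsftpd failure messages; the thresholds and window are illustrative values, not anyone's defaults.

```python
"""Per-IP failed-login tracking across services with a sliding time window.

Added example for this thread; not lxguard, CSF or spamdyke code.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Message shapes follow sshd's "Failed password for ... from <ip>" and
# vsftpd's 'FAIL LOGIN: Client "<ip>"' lines; the sample log below is constructed.
PATTERNS = {
    "ssh": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)"),
    "ftp": re.compile(r'vsftpd\[\d+\]: .*FAIL LOGIN: Client "(\d+\.\d+\.\d+\.\d+)"'),
}
# syslog timestamp: "Mar 12 10:00:01" (day may be padded with a second space)
TIMESTAMP = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_event(line):
    """Return (timestamp, service, ip) for a recognised failure line, else None."""
    m = TIMESTAMP.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1).replace("  ", " "), "%b %d %H:%M:%S")
    for service, pattern in PATTERNS.items():
        hit = pattern.search(line)
        if hit:
            return ts, service, hit.group(1)
    return None


def find_offenders(lines, window=timedelta(minutes=10), per_service=5, combined=6):
    """Map offending IP -> reason. 'combined' is deliberately lower than
    2 * per_service so that spreading attempts across services still trips."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, service) inside the window
    offenders = {}
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue                # successful logins and unrelated lines are ignored
        ts, service, ip = event
        q = recent[ip]
        q.append((ts, service))
        while q and ts - q[0][0] > window:
            q.popleft()             # expire attempts older than the window
        if ip in offenders:
            continue
        same_service = sum(1 for _, s in q if s == service)
        if same_service >= per_service:
            offenders[ip] = f"{same_service} {service} failures in {window}"
        elif len(q) >= combined:
            offenders[ip] = f"{len(q)} failures across services in {window}"
    return offenders


# Constructed sample log (documentation IP ranges; not captured traffic).
SAMPLE_LOG = """\
Mar 12 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 12 10:00:05 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar 12 10:00:09 host sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 12 10:00:20 host vsftpd[1310]: [anonymous] FAIL LOGIN: Client "203.0.113.5"
Mar 12 10:00:24 host vsftpd[1311]: [admin] FAIL LOGIN: Client "203.0.113.5"
Mar 12 10:00:28 host vsftpd[1312]: [www] FAIL LOGIN: Client "203.0.113.5"
Mar 12 10:01:00 host sshd[1220]: Failed password for root from 198.51.100.7 port 40000 ssh2
Mar 12 10:01:02 host sshd[1221]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 12 10:01:04 host sshd[1222]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar 12 10:01:06 host sshd[1223]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar 12 10:01:08 host sshd[1224]: Failed password for root from 198.51.100.7 port 40004 ssh2
Mar 12 10:02:00 host sshd[1230]: Failed password for deploy from 192.0.2.9 port 40100 ssh2
Mar 12 10:02:03 host sshd[1231]: Failed password for deploy from 192.0.2.9 port 40101 ssh2
Mar 12 10:03:00 host sshd[1232]: Accepted password for deploy from 192.0.2.9 port 40102 ssh2
Mar 12 10:10:00 host sshd[1240]: Failed password for root from 192.0.2.20 port 40200 ssh2
Mar 12 10:25:00 host sshd[1241]: Failed password for root from 192.0.2.20 port 40201 ssh2
Mar 12 10:40:00 host sshd[1242]: Failed password for root from 192.0.2.20 port 40202 ssh2
Mar 12 10:55:00 host sshd[1243]: Failed password for root from 192.0.2.20 port 40203 ssh2
Mar 12 11:10:00 host sshd[1244]: Failed password for root from 192.0.2.20 port 40204 ssh2
"""

if __name__ == "__main__":
    for ip, reason in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", reason)
```

Run on the sample, the first IP never reaches five failures on either service but is flagged on its sixth attempt because the counter is per IP, not per service; the second is flagged by the plain per-service rule; the user who mistyped twice and the slow attacker whose attempts are 15 minutes apart stay below threshold, which is the window-expiry edge case a per-IP blocker has to get right to avoid banning legitimate users.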