Hosting a website on a shared server is no longer the norm, because Dedicated Servers and VPSes are getting cheaper and more affordable. Take the service at Hetzner: for only € 3.90 (around 60 thousand rupiah) we can already get a VPS with 1 CPU core, 1 GB RAM, 25 GB SSD and 2 TB of traffic. Or for € 26.89 (around 400 thousand rupiah) we can get a Dedicated Server with an Intel Core i7-2600, 2×750 GB SATA and 16 GB RAM. Pretty cheap, isn't it?
However, fear of attacks on the server may be one of the reasons people still choose a shared server over a VPS / Dedicated Server. Yet with Dome9 Cloud Security, protecting a server becomes easier and safer, and it's free too!
What is Dome9 Cloud Security?
Dome9 is a firewall management system that removes the complexity of installing and managing a firewall on a server. Dome9 is very easy to install, even for those of you who are not very skilled at managing servers.
So what does a firewall do for servers? All computers, whether desktops, laptops or servers, and whether running Windows, Linux or Mac, come with a built-in firewall by default. On desktop or laptop computers, firewalls work globally to block certain internet connections. On a server, however, the firewall configuration is more complex: there may be some traffic that you want to allow, some ports you want open and others you want blocked, or you may want to allow only certain IPs to access certain ports, along with other complex configurations.
See the image below for an example of configuring a firewall using Dome9:
In the example diagram above, the firewall configuration is as follows:
- All traffic on ports 80 and 443 (HTTP and HTTPS) is opened on the server so that everyone can access our website.
- On port 22 for SSH access, only certain IPs can connect. For example, on my servers I only allow port 22 access through the VPN that I deployed previously.
- For ports other than 80, 443 and 22, connections are closed.
With Dome9, we can easily apply the desired configuration to all servers. Imagine if, without Dome9, you had to configure the servers one by one every time you installed a firewall. It's a waste of time, right?
How does Dome9 manage the firewall on the server? Dome9 performs firewall management using an agent. We have to install the agent software on our server first so that Dome9 can manage it. Follow these steps.
Create an account at Dome9
Please create an account at Dome9 first. For 14 days after registration you will get the enterprise service. After those 14 days, if you don't make a payment, you will automatically be downgraded to the Dome9 Lite Cloud service. Don't worry, the free Dome9 Lite Cloud service is enough to manage a firewall on your server.
Install Dome9 on the server
After successfully creating an account, please log in. Then select the "Protect" menu, and select "Install New Agent". Choose your server OS type, Windows or Linux.
At the time I am writing this blog post, Dome9 is compatible with the following server OSes:
- Windows 2012 | 8
- Windows 2008 R2 | 7
- Windows 2008 | Vista
- Windows 2003 (limited support)
- RHEL: Versions 5,6 and 7 (32/64 bit)
- CentOS: Versions 5,6 and 7 (32/64 bit)
- Ubuntu: 9.10 - 14.4 (32/64 bit)
- Debian: Version 6.7
- Amazon Linux AMI (32/64 bit)
- For Linux distributions not listed above, you will have to install tar.gz manually.
For the example below, I will install the Dome9 agent on a Debian server. I select the installation for Linux. In the "Security Groups" field you can use the default configuration from Dome9, or just skip it and configure it later. Then, in the "Server name" field, fill in a name for the server being installed; any name you want will do. Next, copy the command in the field "Please log in to your Linux Server as root and run:". Copy and run it on your server (remember you must be logged in as
Creating Agent Security Groups
An Agent Security Group is the firewall configuration that we will apply to the server. To create an Agent Security Group, click the + icon on the Agent Security Groups page and give it the desired name.
As in the diagram shown earlier, I will fully open traffic only on ports 80 & 443 (HTTP, HTTPS), open port 22 (SSH) only to the VPN server's IP address, and block / close all other ports. So my configuration is as follows:
NOTE: In the configuration above, I added a special policy so that Cloudflare can access our website. To do that, in the "IP Whitelist" field, I added the MagicIP Cloudflare policy that was already available. If you don't use Cloudflare, you can delete this policy.
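The rule semantics of this security group can be modelled in a few lines. This is an added Python example, not Dome9's code or API: the address 203.0.113.10 standing in for the VPN server, the sample connection attempts, the function names and the 256-address limit used by the audit are all assumptions.

```python
import ipaddress

# Constructed values: the page names no addresses. 203.0.113.10 (a
# documentation range) stands in for the VPN server IP.
VPN_SERVER = "203.0.113.10/32"
ANYWHERE = "0.0.0.0/0"

# Hypothetical model of the inbound policy: (TCP port, allowed source CIDR).
# A connection that matches no rule is dropped (default deny).
POLICY = [
    (80, ANYWHERE),     # HTTP open to everyone
    (443, ANYWHERE),    # HTTPS open to everyone
    (22, VPN_SERVER),   # SSH only from the VPN server
]
RESTRICTED_PORTS = {22}  # ports that should never be open to broad ranges


def is_allowed(policy, src_ip, dst_port):
    """Return True if an inbound connection matches at least one allow rule."""
    src = ipaddress.ip_address(src_ip)
    return any(
        dst_port == port and src in ipaddress.ip_network(cidr)
        for port, cidr in policy
    )


def audit(policy, restricted=RESTRICTED_PORTS, max_sources=256):
    """List rules that expose a restricted port to more than max_sources IPs."""
    return [
        (port, cidr)
        for port, cidr in policy
        if port in restricted
        and ipaddress.ip_network(cidr).num_addresses > max_sources
    ]


if __name__ == "__main__":
    # Constructed connection attempts: (source IP, destination port).
    attempts = [
        ("198.51.100.7", 443),   # visitor to the website
        ("198.51.100.7", 22),    # SSH from an arbitrary host
        ("203.0.113.10", 22),    # SSH through the VPN
        ("203.0.113.10", 3306),  # VPN host on a port with no rule
    ]
    for src, port in attempts:
        verdict = "ALLOW" if is_allowed(POLICY, src, port) else "DROP"
        print(f"{src:>15} -> :{port:<5} {verdict}")
    print("audit findings:", audit(POLICY + [(22, ANYWHERE)]))
```

Running `audit` on a policy export before attaching it catches the common mistake of leaving SSH open to `0.0.0.0/0` while testing.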
Apply Agent Security Groups to the Server
Select the menu "Network Security" -> "Protected Assets". Then select the server to which we want to apply the policy we created earlier. Click the "+ ATTACH" button, select the name of the Agent Security Group, and click "ATTACH" (see image below). The Dome9 agent will then automatically apply the policy on our server.
NOTE: If there are 2 policies, you can delete one of them so that they don't overlap. But you cannot delete all policies; at least one policy must remain attached.
And we have finished installing a "security guard" on our server :). If there is an attempt to attack our server (for example, an SSH brute-force attack), Dome9 will automatically block or reject it. The Dome9 activity log can be viewed in syslog, or you can easily monitor and read the syslog files using a log management service such as Papertrail, which I will review in a future post.