Many people who run a server never think about securing it: they bring the machine up, and within hours automated scanners and bots from all over the internet are probing it. On a fresh Fedora Linux install the firewall's default zone is normally public. The public zone is a reasonable starting point, but it still accepts SSH and the DHCPv6 client service from anyone, which means every bot on the internet can try password after password against your SSH login. A tighter design is to drop every inbound connection first and then open only the few doors you actually need. This approach is called drop by default, allow by exception, and it is a much better fit for a home server or a cloud VPS.
Hardening starts with making sure firewalld is actually running. On some installs it is not started at boot, and a server without a running firewall is fully exposed to the internet. The systemctl command below starts it now and at every boot.
sudo systemctl enable --now firewalld
The command does two things. enable makes firewalld start whenever the machine boots, and --now starts it immediately so you do not have to reboot. Skip this and there is no protection now, and none after the next reboot either.
Next, change the default zone. Fedora ships with public as the default; we want drop. The drop zone is a black hole: incoming packets that match no rule are silently discarded, with no reply at all. A port scanner cannot tell a dropped port from a host that is down or a broken network path, and it has to wait for a timeout on every probe, which makes scanning much slower. Reject, by contrast, answers with an ICMP error or a TCP reset that says "I am here, but you may not come in". Drop stays silent. Reject is friendlier to legitimate clients, which fail fast instead of hanging, but for an internet-facing server the silence of drop is usually the better trade.
sudo firewall-cmd --set-default-zone=drop
This change is immediate and also permanent, and it applies to every interface that is not explicitly bound to another zone. Your current SSH session keeps working, because firewalld accepts packets belonging to already-established connections before it evaluates zone rules, but from this moment no new SSH connection can be opened until the service is allowed in the drop zone. Do the next step right away and do not close your terminal in between. If you want to avoid that window entirely, run the allow-ssh and reload commands from the next steps first and switch the default zone afterwards; on a cloud server without console access that order is the safe one. On Fedora 44, as on earlier releases, the sequence is the same: drop as default, then allow SSH immediately.
Because the default zone is now drop, every new inbound connection is blocked. Close this terminal and you cannot log back in, so tell firewalld that SSH, the service you use to administer the server remotely, is allowed. SSH normally listens on TCP port 22, and firewalld ships a predefined ssh service for it, so there is no need to spell out the port number (if your sshd listens somewhere else, open that port instead of the service).
sudo firewall-cmd --permanent --zone=drop --add-service=ssh
The --permanent flag is important. Without it the rule is applied only to the running configuration and disappears on the next firewalld reload or reboot. With it the rule is written to the zone's file under /etc/firewalld/zones/ (drop.xml here) and survives restarts. --zone=drop puts the rule into our new default zone rather than whichever zone the command would otherwise pick.
Permanent rules are not loaded into the running configuration right away; they sit on disk like a draft. A reload tells firewalld to read the permanent configuration and make it active. Note that the reload also discards any runtime-only change that was never made permanent.
sudo firewall-cmd --reload
After the reload, verify the result before you risk a lockout. list-all prints the state of the default zone, which is now drop; add --zone=drop if you want to be explicit.
sudo firewall-cmd --list-all
The output shows target: DROP and ssh in the services list. Everything else is dropped; only SSH is allowed. Random scans of your other ports now get no response at all, which is the quiet behaviour we wanted.
Most servers run more than SSH. Take a PostgreSQL database listening on port 5432: the whole internet must not reach it, because it holds your data, but the application server on the same local network (LAN) has to. The page uses the trusted zone for this, so it is worth understanding what that zone really does: its target is ACCEPT, which means every packet from a source bound to trusted is accepted on every port. Binding a source network to trusted therefore opens all ports to that network, not just the database.
Suppose your LAN is 10.0.5.0/24, that is, every address from 10.0.5.0 through 10.0.5.255. We bind that network to the trusted zone and add port 5432.
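The whole procedure so far, as a single script. This is an added worked example, not a command sequence from the page: it reorders the steps so that SSH is allowed in the drop zone and reloaded before drop becomes the default, which removes the window in which no new SSH session is possible, and it adds a check that parses the output of firewall-cmd --zone=drop --list-all and refuses to call the zone done unless the target is DROP, ssh is the only service and no ports are open. The zone listing embedded in the script is constructed sample output (the interface name eth0 is an assumption). Run it with no arguments to self-check against that sample, and with apply to run the real commands.

```bash
#!/usr/bin/env bash
# Added example: lockout-safe drop-by-default setup for firewalld, plus a
# verification step. Not from the original page; the sample zone text below
# is constructed to look like `firewall-cmd --zone=drop --list-all` output.
set -eu

# zone_field NAME  -- print the value of the "  NAME: value" line of a
# --list-all listing read on stdin (empty if the field has no value).
zone_field() {
  awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ /, ""); print; exit }'
}

# check_drop_zone LISTING  -- return 0 only if the listing describes a zone
# whose target is DROP, whose sole service is ssh and which opens no ports.
check_drop_zone() {
  local listing=$1 ok=0 target services ports
  target=$(printf '%s\n' "$listing" | zone_field target)
  services=$(printf '%s\n' "$listing" | zone_field services)
  ports=$(printf '%s\n' "$listing" | zone_field ports)
  [ "$target" = "DROP" ] || { echo "FAIL: target is '$target', expected DROP" >&2; ok=1; }
  [ "$services" = "ssh" ] || { echo "FAIL: services are '$services', expected only ssh" >&2; ok=1; }
  [ -z "$ports" ] || { echo "FAIL: unexpected open ports: $ports" >&2; ok=1; }
  return $ok
}

# apply_hardening  -- the page's steps, reordered so that a fresh SSH login is
# possible at every point: ssh is allowed in the drop zone and reloaded BEFORE
# drop becomes the default zone.
apply_hardening() {
  sudo systemctl enable --now firewalld
  sudo firewall-cmd --permanent --zone=drop --add-service=ssh
  sudo firewall-cmd --reload
  sudo firewall-cmd --set-default-zone=drop    # immediate and permanent
  check_drop_zone "$(sudo firewall-cmd --zone=drop --list-all)"
  echo "drop zone verified; open a SECOND ssh session to confirm before closing this one"
}

# Constructed sample listing: what a correct zone looks like on one interface.
SAMPLE_GOOD='drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
'

case "${1:-selfcheck}" in
  apply)     apply_hardening ;;
  selfcheck) check_drop_zone "$SAMPLE_GOOD" && echo "sample listing passes" ;;
  *)         echo "usage: $0 [apply|selfcheck]" >&2; exit 2 ;;
esac
```

The check is deliberately strict: an extra service such as dhcpv6-client or cockpit, or a stray open port, fails it, because a drop-by-default zone should contain nothing you did not put there on purpose.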
sudo firewall-cmd --permanent --zone=trusted --add-source=10.0.5.0/24
sudo firewall-cmd --permanent --zone=trusted --add-port=5432/tcp
sudo firewall-cmd --reload
sudo firewall-cmd --get-active-zones
The first command binds every source address in 10.0.5.0/24 to the trusted zone. firewalld matches sources before interfaces, so traffic from that range is handled by trusted even though it arrives on an interface that belongs to the drop zone. The second command adds 5432/tcp to trusted; because the zone's ACCEPT target already admits everything from that source, this entry is redundant and serves only as documentation of intent. The reload activates both. --get-active-zones lists every zone that has an interface or a source bound to it, and you will see trusted with your network under sources:. The net effect is that hosts in 10.0.5.0/24 can reach the database (and every other port on this machine), while everyone else is dropped. If the LAN should reach only port 5432, create a dedicated zone with a DROP target and just that port instead of using trusted.
Even with SSH allowed, attackers will still guess passwords. Automated scripts try hundreds of logins a minute; this is a brute-force attack. It keeps sshd busy and, if your password is weak, it eventually succeeds. The most effective fix is to disable password logins in sshd (PasswordAuthentication no in sshd_config) and use keys only; on top of that, firewalld can limit how many new SSH connections it accepts per minute.
Rich rules allow more complex conditions than simply opening a port. We will add a rule that accepts at most 5 new SSH connections per minute. One trap to avoid: the plain ssh service added earlier is still in the drop zone, and it accepts every SSH connection with no limit, so the rate-limited rule changes nothing until that unlimited entry is removed (with --remove-service=ssh) in the same permanent change, before the reload.
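The trusted zone admits everything from the bound source. For the drop-by-default policy this page argues for, a dedicated zone that binds the LAN source and opens only 5432/tcp is the precise tool. The script below is an added example, not a command sequence from the page: it creates such a zone (the zone name dbclients and the interface name eth0 in the sample listing are assumptions) and includes a check that parses firewall-cmd --get-active-zones output to confirm the source really landed in that zone. With FW=echo it prints the commands instead of running them; the active-zones listing embedded in it is constructed sample output.

```bash
#!/usr/bin/env bash
# Added example: a source-bound zone that allows ONLY the database port from
# the LAN, instead of the all-ports trusted zone. Not from the original page.
# The zone name "dbclients", the LAN 10.0.5.0/24 and the interface eth0 in the
# sample listing are assumptions for this example.
set -eu

FW=${FW:-"sudo firewall-cmd"}   # set FW=echo to print the plan instead of applying it

# make_client_zone ZONE SOURCE PORT/PROTO  -- create ZONE with a DROP target so
# that hosts in SOURCE reach only PORT on this machine and nothing else.
make_client_zone() {
  local zone=$1 source=$2 port=$3
  # --new-zone fails if the zone already exists, so only create it the first time
  $FW --permanent --get-zones | grep -qw -- "$zone" || $FW --permanent --new-zone="$zone"
  $FW --permanent --zone="$zone" --set-target=DROP
  $FW --permanent --zone="$zone" --add-source="$source"
  $FW --permanent --zone="$zone" --add-port="$port"
  # A source match wins over the interface's zone, so a LAN host that also needs
  # SSH must get it here; uncomment if your admin workstation is on this LAN.
  # $FW --permanent --zone="$zone" --add-service=ssh
  $FW --reload
}

# zone_has_source ZONE SOURCE  -- read `firewall-cmd --get-active-zones` output
# on stdin; return 0 if SOURCE is listed under ZONE.
zone_has_source() {
  awk -v z="$1" -v s="$2" '
    /^[^ \t]/ { cur = $0; next }                  # unindented line: zone name
    cur == z && $1 == "sources:" { for (i = 2; i <= NF; i++) if ($i == s) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Constructed sample of --get-active-zones after make_client_zone has run.
SAMPLE_ACTIVE='dbclients
  sources: 10.0.5.0/24
drop
  interfaces: eth0
'

case "${1:-plan}" in
  apply) make_client_zone dbclients 10.0.5.0/24 5432/tcp
         $FW --get-active-zones | zone_has_source dbclients 10.0.5.0/24 \
           && echo "10.0.5.0/24 is bound to dbclients" ;;
  plan)  FW=echo make_client_zone dbclients 10.0.5.0/24 5432/tcp
         printf '%s' "$SAMPLE_ACTIVE" | zone_has_source dbclients 10.0.5.0/24 \
           && echo "sample listing: 10.0.5.0/24 is bound to dbclients" ;;
  *)     echo "usage: $0 [apply|plan]" >&2; exit 2 ;;
esac
```

Because a source-bound zone takes precedence over the interface's zone, anything from 10.0.5.0/24 that is not port 5432 is now dropped by dbclients rather than by drop; the commented-out ssh line is there for the case where your own admin host sits on that LAN.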
sudo firewall-cmd --permanent --zone=drop --add-rich-rule='rule service name="ssh" accept limit value="5/m"'
sudo firewall-cmd --reload
Reading the rule: rule service name="ssh" scopes it to the SSH service, and accept limit value="5/m" accepts matching new connections only up to 5 per minute. firewalld implements this with the kernel's nftables limit, a token bucket, so a short initial burst slightly above the steady rate can still get through. Anything over the limit matches nothing else in the zone and is dropped. Five logins a minute is plenty for a human, while a password-guessing script that gets only a handful of connections a minute is slowed to a crawl. Two caveats: the limit counts connections, not password attempts, and one SSH session can carry several guesses before sshd disconnects it (see MaxAuthTries); and the limit is global, not per source, so a single noisy attacker can use up the budget and lock legitimate admins out. That is why this is a first layer, not the whole defence.
For stronger protection, combine it with fail2ban, which reads the sshd log and, after repeated failed logins from one address, adds a temporary firewalld rule that blocks that address completely (its firewallcmd-rich-rules and firewallcmd-ipset actions do exactly that). The rich rule is still a good first layer: it needs no extra software and is enforced in the kernel by nftables.
Always test firewall changes from a second terminal before closing your current session. A lockout on a cloud server with no console access is a real problem. Open a new SSH session; if it connects, your rules are good; if it does not, the first session is still open and you can fix them. A second safety net is to apply a risky rule without --permanent first, test it from the new session, and only then save it with --runtime-to-permanent; a runtime-only mistake disappears on the next firewalld reload or reboot, which you can trigger from the provider's console if you did lock yourself out.
Managing firewalld is not hard, but it demands care. Switching the default zone to drop makes the server silent to random internet scans. Allowing only SSH, and using a source-bound zone for the database, ensures that only the right clients can connect. Rich rules take the edge off brute-force scripts. These are simple steps, and they save a lot of headaches later.
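Two things a practitioner wants at this point, both added here as examples rather than commands from the page: the rate limit applied so that it actually bites (the unlimited ssh service entry is removed in the same permanent change as the rich rule, so SSH is never closed in between), and a minimal version of what fail2ban does, written as shell functions that count "Failed password" lines per source address in sshd's log and add a runtime-only firewalld drop rule with --timeout for each offender, so the ban expires by itself. The log lines embedded in the script are constructed; the threshold of 5 failures and the ban length of 1h are assumptions. With FW=echo (the default plan mode) the script prints the firewall-cmd calls instead of running them.

```bash
#!/usr/bin/env bash
# Added example, not from the page: (1) the SSH rate limit applied so that it
# actually takes effect, and (2) a fail2ban-style ban planner over sshd log
# lines. The log lines are constructed; the 5-failure threshold and the 1h ban
# are assumptions for this example.
set -eu

FW=${FW:-"sudo firewall-cmd"}   # set FW=echo to print commands instead of running them

# limit_ssh RATE  -- replace the unlimited ssh service in the drop zone with a
# rate-limited rich rule. Both changes are permanent and land together on the
# reload, so SSH is never closed. The bucket is shared by all sources.
limit_ssh() {
  local rate=$1
  $FW --permanent --zone=drop --remove-service=ssh
  $FW --permanent --zone=drop --add-rich-rule="rule service name=\"ssh\" accept limit value=\"$rate\""
  $FW --reload
}

# offenders THRESHOLD  -- read sshd log lines on stdin and print every source
# address with at least THRESHOLD "Failed password" lines, one per line, sorted.
offenders() {
  awk -v t="$1" '
    /sshd.*Failed password for/ {
      for (i = 1; i < NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    END { for (ip in fails) if (fails[ip] >= t) print ip }' | sort
}

# ban ADDRESS DURATION  -- drop ADDRESS in the drop zone for DURATION. Runtime
# only (no --permanent) on purpose: --timeout removes the rule by itself when
# the time is up, like a fail2ban ban.
ban() {
  local addr=$1 dur=$2 family=ipv4
  case $addr in *:*) family=ipv6 ;; esac
  $FW --zone=drop --add-rich-rule="rule family=\"$family\" source address=\"$addr\" drop" --timeout="$dur"
}

# ban_all THRESHOLD DURATION  -- ban every offender found in the log on stdin.
ban_all() {
  local ip
  offenders "$1" | while IFS= read -r ip; do ban "$ip" "$2" </dev/null; done
}

# Constructed sshd log lines: one address hammering root/admin/oracle, one
# legitimate LAN user who mistyped once, one IPv6 source with two failures.
SAMPLE_LOG='Mar 10 09:14:02 vps sshd[2101]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar 10 09:14:04 vps sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40118 ssh2
Mar 10 09:14:05 vps sshd[2105]: Failed password for invalid user admin from 203.0.113.5 port 40120 ssh2
Mar 10 09:14:07 vps sshd[2107]: Failed password for invalid user oracle from 203.0.113.5 port 40126 ssh2
Mar 10 09:14:09 vps sshd[2109]: Failed password for root from 203.0.113.5 port 40131 ssh2
Mar 10 09:15:30 vps sshd[2140]: Failed password for alice from 10.0.5.12 port 51022 ssh2
Mar 10 09:15:41 vps sshd[2140]: Accepted publickey for alice from 10.0.5.12 port 51022 ssh2
Mar 10 09:16:00 vps sshd[2150]: Failed password for root from 2001:db8::bad port 4242 ssh2
Mar 10 09:16:01 vps sshd[2151]: Failed password for root from 2001:db8::bad port 4243 ssh2
'

case "${1:-plan}" in
  apply) limit_ssh 5/m
         sudo journalctl -u sshd --since "-10min" --no-pager | ban_all 5 1h ;;
  plan)  FW=echo limit_ssh 5/m
         printf '%s' "$SAMPLE_LOG" | FW=echo ban_all 5 1h ;;
  *)     echo "usage: $0 [apply|plan]" >&2; exit 2 ;;
esac
```

Rich rules that drop a source are evaluated before the zone's accept rules, so a banned address is cut off even though the rate-limited ssh rule is still present; and because the ban is runtime-only, a reload or reboot clears it, which is acceptable for a temporary block and means a mistaken ban never becomes permanent.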
