A firewall is like a security guard for your computer. Imagine your computer is a house, and it has lots of doors and windows—that's how it talks to the outside world, like the Internet. The firewall stands at those doors and windows to check everyone and everything trying to come in or go out. If it sees something it doesn't trust, like a stranger, it doesn't let them in (to keep your server safe).
A port in computing is like a specific door in that house where only certain kinds of information can go in or out. Just like a mailbox might be the place where all the mail goes, a specific port on a computer is where certain types of data are sent or received. This helps keep things organized and secure. A port is merely a number, agreed upon (in advance) by both the sender and receiver.
A Linux server will employ dozens (hundreds?) of ports. Some ports must be exposed to the public (like the mailbox). Most can be (and should be) hidden from the public to increase security. This is where the firewall comes in - it blocks public access to server ports - unless you tell it otherwise (using “rules”).
This is a basic explanation and introduction to the GB firewall recommendations when using CAS.
CAS does not automatically configure your firewall.
|
7741 is required for the gate service (20230801+),
legacy (deprecated) BATM communication with CAS, and
the port should be blocked after the BATM connects to CAS (with the latest firmware).
7742 and [13000 to 13010] is required by the Terminal VPN.
Allows VPN-protected BATM communications with CAS, so
allow when using the Terminal VPN.
7777 is required for insecure admin access
Initially used until the Administration VPN is configured, then disabled.
See below: unprotected ADMIN access
Block public port 7777 after enabling the Administration VPN.
[12000 through 12050] are also required for CAS Administration access via VPN.
See below: ADMIN access: secure
7743 is OPTIONAL - may be used by various extensions (Onfido, etc).
when in doubt, tighten security by keeping this port blocked. You can always turn it back on again later if necessary, but you can’t undo a security breach. Block it to be safe.
443 is OPTIONAL - may be used by nginx (or other web servers) when implementing a proxy server.
when forwarding port 7777 - is not recommended (block it), and is a security risk on a public server.
Block after enabling the Administration VPN: https://generalbytes.atlassian.net/l/cp/W0qvjkaT
Allow only if you use Veriff.
More: Terminal Security - protect your CAS from Terminal attacks CAS Admin - secure your Administration page via VPN Digital Ocean: How To Set Up a Firewall with UFW on Ubuntu 20.04 |
Two different methods of implementing the Ubuntu firewall are specified here. Please use UFW when possible. A default "clean" Ubuntu LTS server installation - as specified in GB documentation, will automatically permit all access to these ports. If the ports are already blocked, then something unexpected has been installed, and this falls outside the scope of our support.
In the interest of security, you should always employ a firewall on your CAS server.
UFW, or Uncomplicated FireWall, is a simplified firewall management interface. It controls “iptables” without the college degree. UFW is included (by default) with Ubuntu. These instructions will restrict access solely to your terminals and those people with whom you deliberately share access to CAS.
Check to see if UFW is enabled and running:
sudo ufw status |
If UFW is enabled and working, it will report the active rules of allowed connections to your server - otherwise you'll see something like this:
fresh/new systems will normally be inactive (unprotected).
If UFW is active, then this procedure will erase that previous configuration and rewrite the rules.
Reset & deny all incoming connections by default:
sudo ufw reset |
This will erase any/all previous UFW configuration.
Deny all public access to all ports:
sudo ufw default deny incoming |
Now we’re left to specify exceptions (the “rules”).
Allow incoming TCP connections on port 22 for SSH connections:
sudo ufw allow ssh |
For increased security, you might limit access to a specific IP:
sudo ufw allow from ALLOWED_IP to any port 22
replace ALLOWED_IP with the specific public IP to which you wish to grant access.
this security enhancement can lock you out of your server, proceed with caution - and make sure that the IP you are permitting is the correct one (and will be until you deliberately change it).
If your access IP changes (and you are locked out), you can still login to your Digital Ocean droplet and change the UFW settings - but that is outside the scope of GB Support. Contact Digital Ocean.
Terminals (v.20230801+) employing the VPN normally use only ports 7742, and 13000 through 13010.
Port 7741 may need to be exposed under certain conditions.
Port 7741 is only used for the initial connection to your CAS, e.g. when the BATM is brand new (or factory reset) and has never connected to your CAS before.
Digital Ocean droplets routinely use “eth0" as the public interface name.
Other hosts may vary, use ip a to see all available interfaces in that case.
Replace eth0 (on the relevant UFW line) with that name.
sudo ufw allow 7742/tcp sudo ufw allow in on eth0 from any to any proto tcp port 13000:13010 |
The port range 13000:13010 affords access to as many as 2000 Terminals.
If you are connecting a new BATM, you will need to temporarily expose port 7741:
sudo ufw allow 7741/tcp
After you’ve connected the BATM, remove the UFW exception with:
sudo ufw deny 7741/tcp
If you are connecting a new BATM, you will need to temporarily expose port 7741:
sudo ufw allow 7741/tcp
After you’ve connected the BATM, remove the UFW exception with:
sudo ufw deny 7741/tcp
Allow administrative access to CAS. Without this access, you cannot login to the CAS GUI.
Only one single Client (e.g. laptop, desktop, cell phone) credential may only be used at a time.
e.g. the laptop & cell phone cannot both be connected simultaneously,
UNLESS they use separate/different/unique sets of Client credentials.
Digital Ocean droplets routinely use “eth0" as the public interface name.
Other hosts may vary, use ip a to see all available interfaces in that case.
Replace eth0 (on the relevant UFW lines below) with that name.
Configure the firewall integrated admin VPN:
sudo ufw allow in on eth0 from any to any proto tcp port 12000:12050 sudo ufw allow in on tunU+ to any port 7777 proto tcp |
each user credential has its own VPN port and 12000:12050 permits access to 50 GUI users.
If you have a static IP on your home/office and won’t use the integrated VPN:
sudo ufw allow from ALLOWED_IP to any port 7777
Set ALLOWED_IP to your home/office PUBLIC IP.
Determine your current public IP with your browser; navigate to this website: My IP
In some cases the IP will change frequently, and you’ll have to go in frequently and update it.
If you use nginx as a proxy server, then change the port as follows:
sudo ufw allow from ALLOWED_IP to any port 443
This will expose your server to attack (and there’s little reason to even use a firewall in this case):
sudo ufw allow 7777/tcp
If you have a static IP on your home/office and won’t use the integrated VPN:
sudo ufw allow from ALLOWED_IP to any port 7777
Set ALLOWED_IP to your home/office PUBLIC IP.
Determine your current public IP with your browser; navigate to this website: My IP
In some cases the IP will change frequently, and you’ll have to go in frequently and update it.
If you use nginx as a proxy server, then change the port as follows:
sudo ufw allow from ALLOWED_IP to any port 443
This will expose your server to attack (and there’s little reason to even use a firewall in this case):
sudo ufw allow 7777/tcp
sudo ufw allow 7743/tcp |
Veriff: contact them to acquire their IP addresses, and
restrict this port to that range (if you only use Veriff):
sudo ufw allow from ALLOWED_IP to any port 7743
do not restrict the IP for this port (if allowed) when used for any extension except Veriff!
Lightning, Onfido, etc all require incoming traffic from a variety of unpredictable IP’s.
sudo ufw enable # final step (in the event that UFW was already enabled): sudo ufw reload |
If your system complied with your commands, you should now be protected by UFW. |
These are examples using the iptables command. This option is for experts that employ a custom firewall. UFW saves configurations, but iptables does not. You’ll have to implement your own deployment scheme. Do not use iptables (or proceed) unless you are willing to accept all involved risks.
If you aren't sure, then STOP and walk away. Hire a professional for assistance if you feel that you must use iptables for whatever reason.
This info is presented for expert users. The iptables is volatile - it will be erased after rebooting the system - and it will then permit all incoming access.
These rules must be entered in a precise order.
Digital Ocean droplets routinely use “eth0" as the public interface name.
Other hosts may vary, use ip a to see all available interfaces in that case.
Replace eth0 (on the relevant bash line) with that name.
sudo iptables -F INPUT sudo iptables -P INPUT ACCEPT sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT |
Assumes that port 22 is used for SSH.
Least secure: this option is the bare minimum to permit access (never recommended).
sudo iptables -A INPUT -p tcp --dport 7777 -j ACCEPT |
More secure: if your home/office router has a STATIC (unchanging) IP address, modify the rule to permit only access to that IP:
sudo iptables -A INPUT -p tcp -s ALLOWED_IP --dport 7777 -j ACCEPT |
Set ALLOWED_IP to your home/office PUBLIC router IP.
Navigate to this website: My IP on your browser to help you determine your router IP.
In some cases the IP will change frequently, and then you’ll have to update the configuration script.
You may repeat the line multiple times with different IP addresses.
Most secure: using the integrated OpenVPN connection:
sudo iptables -A INPUT -p tcp --match multiport --dports 12000:12100 -j ACCEPT |
If you need to reconnect a “lost” or new BATM/Terminal, you must grant it unsecured access:
sudo iptables -A INPUT -p tcp --dport 7741 -j ACCEPT |
DO NOT USE THIS RULE PERMANENTLY.
REMOVE THIS RULE DURING NORMAL USE.
sudo iptables -A INPUT -p tcp --dport 7742 -j ACCEPT sudo iptables -A INPUT -p tcp --dport 7743 -j ACCEPT sudo iptables -A INPUT -p tcp --match multiport --dports 13000:13050 -j ACCEPT |
sudo iptables -I INPUT 1 -i lo -j ACCEPT sudo iptables -A INPUT -j DROP |
That’s it, the iptables are now configured (until you reboot).
When requested by Support, please forward the iptables in a ticket.
Enable UFW:
ufw enable |
List the firewall rules:
iptables -S |
Disable UFW again (if unusable):
ufw disable |
The content by label feature displays related articles automatically, based on labels you choose. To edit options for this feature, select the placeholder below and tap the pencil icon.
|