Configuring Server Firewalls

A firewall is like a security guard for your computer. Imagine your computer is a house, and it has lots of doors and windows—that's how it talks to the outside world, like the Internet. The firewall stands at those doors and windows to check everyone and everything trying to come in or go out. If it sees something it doesn't trust, like a stranger, it doesn't let them in (to keep your server safe).

A port in computing is like a specific door in that house where only certain kinds of information can go in or out. Just like a mailbox might be the place where all the mail goes, a specific port on a computer is where certain types of data are sent or received. This helps keep things organized and secure. A port is merely a number, agreed upon (in advance) by both the sender and receiver.

A Linux server will employ dozens (hundreds?) of ports. Some ports must be exposed to the public (like the mailbox). Most can be (and should be) hidden from the public to increase security. This is where the firewall comes in - it blocks public access to server ports - unless you tell it otherwise (using “rules”).

This is a basic explanation and introduction to the GB firewall recommendations when using CAS.

CAS does not automatically configure your firewall.

Incoming TCP ports required by CAS (reference):

7741 is required for the gate service (20230801+),

  • legacy (deprecated) BATM communication with CAS, and

  • the port should be blocked after the BATM connects to CAS (with the latest firmware).

7742 and [13000 to 13010] are required by the Terminal VPN.

  • Allows VPN-protected BATM communications with CAS, so

  • allow when using the Terminal VPN.

7777 is required for insecure admin access

  • Initially used until the Administration VPN is configured, then disabled.

  • See below: unprotected ADMIN access

  • Block public port 7777 after enabling the Administration VPN.

[12000 through 12050] are also required for CAS Administration access via VPN.

7743 is OPTIONAL - may be used by various extensions (Onfido, etc.).

  • when in doubt, tighten security by keeping this port blocked. You can always turn it back on again later if necessary, but you can’t undo a security breach. Block it to be safe.

443 is OPTIONAL - may be used by nginx (or other web servers) when implementing a proxy server.


Two different methods of implementing the Ubuntu firewall are described here. Please use UFW when possible. A default "clean" Ubuntu LTS server installation, as specified in GB documentation, will automatically permit all access to these ports. If the ports are already blocked, then something unexpected has been installed, and this falls outside the scope of our support.

In the interest of security, you should always employ a firewall on your CAS server.


Option 1 (Easiest): Configure UFW

UFW, or Uncomplicated FireWall, is a simplified firewall management interface. It controls “iptables” without the college degree. UFW is included (by default) with Ubuntu. These instructions will restrict access solely to your terminals and those people with whom you deliberately share access to CAS.

Check to see if UFW is enabled and running:

sudo ufw status

If UFW is enabled and working, it will report the active rules for allowed connections to your server; otherwise you'll see something like this:

  • fresh/new systems will normally be inactive (unprotected).

If UFW is active, then this procedure will erase that previous configuration and rewrite the rules.


1. Initialize UFW

Reset & deny all incoming connections by default:

sudo ufw reset
  • This will erase any/all previous UFW configuration.

Deny all public access to all ports:

sudo ufw default deny incoming
  • Now we’re left to specify exceptions (the “rules”).


2. SSH

Allow incoming TCP connections on port 22 for SSH connections:

For increased security, you might limit access to a specific IP:

  • sudo ufw allow from ALLOWED_IP to any port 22

  • replace ALLOWED_IP with the specific public IP to which you wish to grant access.

  • this security enhancement can lock you out of your server; proceed with caution, and make sure that the IP you are permitting is the correct one (and will remain so until you deliberately change it).

  • If your access IP changes (and you are locked out), you can still log in to your Digital Ocean droplet and change the UFW settings - but that is outside the scope of GB Support. Contact Digital Ocean.


3. BATM/Terminals

Terminals (v.20230801+) employing the VPN normally use only ports 7742 and 13000 through 13010.

  • Port 7741 may need to be exposed under certain conditions.

    • Port 7741 is only used for the initial connection to your CAS, e.g. when the BATM is brand new (or factory reset) and has never connected to your CAS before.

  • Digital Ocean droplets routinely use "eth0" as the public interface name.

    • Other hosts may vary, use ip a to see all available interfaces in that case.

    • Replace eth0 (on the relevant UFW line) with that name.

Terminal VPN rules:

  • The port range 13000:13010 affords access to as many as 2000 Terminals.

First-time connection to CAS

If you are connecting a new BATM, you will need to temporarily expose port 7741:

sudo ufw allow 7741/tcp

After you’ve connected the BATM, remove the UFW exception with:

sudo ufw deny 7741/tcp


4. Administrative Access

Allow administrative access to CAS. Without this access, you cannot login to the CAS GUI.

  • A single Client credential (e.g. for a laptop, desktop, or cell phone) may only be used by one device at a time.

    • e.g. the laptop & cell phone cannot both be connected simultaneously,

    • UNLESS they use separate/different/unique sets of Client credentials.

  • Digital Ocean droplets routinely use "eth0" as the public interface name.

    • Other hosts may vary, use ip a to see all available interfaces in that case.

    • Replace eth0 (on the relevant UFW lines below) with that name.

Secure admin rules:

  1. Configure the firewall integrated admin VPN:

  • each user credential has its own VPN port, and 12000:12050 permits access for 50 GUI users.


(Optional) Allow incoming TCP connections on port 7743 for extensions:

  • Veriff: contact them to acquire their IP addresses, and

    • restrict this port to that range (if you only use Veriff):

    • sudo ufw allow from ALLOWED_IP to any port 7743

  • do not restrict the IP for this port (if allowed) when used for any extension except Veriff!

    • Lightning, Onfido, etc. all require incoming traffic from a variety of unpredictable IPs.


Finally, enable/reload UFW to enforce the new rules:
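The whole of Option 1 collected into one reviewable script, as an added example that is not part of the GB documentation. It prints the UFW commands instead of running them (set APPLY=1 on the real host to execute each one through sudo). The following are assumptions, not values from this page: eth0 as the public interface (replace it with what ip a shows), port 22 for SSH, the constructed ADMIN_IP placeholder 203.0.113.10, the "in on eth0" form for the VPN port rules, and TCP for the 13000:13010 and 12000:12050 ranges (as in the reference list above).

```shell
#!/bin/sh
# Added example (not General Bytes' script): the Option 1 UFW rule set as a
# list of commands that can be reviewed before anything is executed.
# Assumptions: public interface eth0, SSH on 22, TCP for the VPN port ranges,
# and ADMIN_IP is a constructed placeholder from TEST-NET-3.

IFACE="${IFACE:-eth0}"
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # constructed placeholder, not a real host

# Print the base rule set, in order, one command per line. Nothing runs here.
# Port 7777 (unprotected admin GUI) and port 7741 (first-time BATM connection)
# are deliberately absent: both are temporary exceptions, handled below.
ufw_rules() {
    printf '%s\n' \
        "ufw --force reset" \
        "ufw default deny incoming" \
        "ufw allow from $ADMIN_IP to any port 22 proto tcp" \
        "ufw allow in on $IFACE to any port 7742 proto tcp" \
        "ufw allow in on $IFACE to any port 13000:13010 proto tcp" \
        "ufw allow in on $IFACE to any port 12000:12050 proto tcp" \
        "ufw --force enable"
}

# Temporary exceptions (7741 for a new/lost BATM, 7777 before the admin VPN
# exists): print the allow command and its matching deny, so the port is
# closed again as soon as the connection has been established.
temporary_open()  { echo "ufw allow $1/tcp"; }
temporary_close() { echo "ufw deny $1/tcp"; }

# Dry run by default: show what would be executed. APPLY=1 runs each
# command through sudo on a real host.
apply_ufw_rules() {
    ufw_rules | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            sudo $cmd   # word splitting intended: $cmd is a fixed argv
        else
            echo "sudo $cmd"
        fi
    done
}

apply_ufw_rules
```

Reading the dry-run output top to bottom is the check that matters: "default deny incoming" must come before every allow, the SSH allow must carry the correct ADMIN_IP, and neither 7777 nor 7741 should appear in the permanent set. The pair temporary_open 7741 / temporary_close 7741 is the only place those ports are opened, which keeps the "remove the exception afterwards" step visible in the script itself.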

Option 2: iptables

These are examples using the iptables command. This option is for experts who employ a custom firewall. UFW saves its configuration, but iptables does not; you'll have to implement your own deployment scheme. Do not use iptables (or proceed) unless you are willing to accept all involved risks.

  • If you aren't sure, then STOP and walk away. Hire a professional for assistance if you feel that you must use iptables for whatever reason.

  • This info is presented for expert users. iptables rules are volatile: they are erased when the system reboots, after which all incoming access is permitted.

  • These rules must be entered in a precise order.

Digital Ocean droplets routinely use "eth0" as the public interface name.

  • Other hosts may vary, use ip a to see all available interfaces in that case.

  • Replace eth0 (on the relevant bash line) with that name.

Default/initial iptables entries:

  • Assumes that port 22 is used for SSH.

Permit admin access using one of the following options:

Least secure: this option is the bare minimum to permit access (never recommended).

More secure: if your home/office router has a STATIC (unchanging) IP address, modify the rule to permit access only from that IP:

  • Set ALLOWED_IP to your home/office PUBLIC router IP.

    • Open the My IP website in your browser to help determine your router IP.

    • In some cases the IP will change frequently, and then you’ll have to update the configuration script.

    • You may repeat the line multiple times with different IP addresses.

Most secure: using the integrated OpenVPN connection:

Permit unsecured Terminal access:

If you need to reconnect a “lost” or new BATM/Terminal, you must grant it unsecured access:

  • DO NOT USE THIS RULE PERMANENTLY.

  • REMOVE THIS RULE DURING NORMAL USE.

Permit Terminal VPN & Extension access

Finally: block everything else:


That’s it, the iptables are now configured (until you reboot).
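Option 2 gathered into one script that prints the iptables rules in the required order, as an added example rather than General Bytes' own iptables script. Assumptions: eth0 as the public interface, SSH on port 22, TCP for every listed port (as in the reference list above), rules confined to eth0 so that traffic arriving on the VPN tunnel interfaces is left alone, and 203.0.113.10 as a constructed placeholder for ALLOWED_IP. ADMIN_MODE selects one of the three admin options from the text (least, more, most), NEW_TERMINAL=1 adds the temporary 7741 rule, and EXT_IP controls port 7743: unset keeps it blocked, "any" opens it for extensions with unpredictable IPs, and an address restricts it the way the text recommends for Veriff.

```shell
#!/bin/sh
# Added example (not General Bytes' script): the Option 2 iptables rules in
# order, accepts first and the DROP last, printed for review.
# Assumptions: public interface eth0, SSH on 22, TCP for every port, and the
# ADMIN_IP default is a constructed placeholder (TEST-NET-3), not a real host.

IFACE="${IFACE:-eth0}"
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"
ADMIN_MODE="${ADMIN_MODE:-most}"     # least | more | most (see the text above)
NEW_TERMINAL="${NEW_TERMINAL:-0}"    # 1 only while (re)connecting a BATM

# One INPUT rule on the public interface; every rule here is TCP.
rule() { echo "iptables -A INPUT -i $IFACE -p tcp $*"; }

iptables_rules() {
    # Default/initial entries: loopback, replies to our own connections, SSH.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -i $IFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    rule "--dport 22 -j ACCEPT"
    # Admin access: exactly one of the three options from the text.
    case "$ADMIN_MODE" in
        least) rule "--dport 7777 -j ACCEPT" ;;               # never recommended
        more)  rule "-s $ADMIN_IP --dport 7777 -j ACCEPT" ;;  # static router IP only
        most)  rule "--dport 12000:12050 -j ACCEPT" ;;        # integrated OpenVPN
        *)     echo "unknown ADMIN_MODE: $ADMIN_MODE" >&2; return 1 ;;
    esac
    # Unsecured Terminal access: temporary, only for a new or lost BATM.
    if [ "$NEW_TERMINAL" = "1" ]; then
        rule "--dport 7741 -j ACCEPT"
    fi
    # Terminal VPN ports.
    rule "--dport 7742 -j ACCEPT"
    rule "--dport 13000:13010 -j ACCEPT"
    # Extension port 7743: blocked unless EXT_IP is set.
    case "${EXT_IP:-}" in
        "")  ;;                                            # keep blocked (default)
        any) rule "--dport 7743 -j ACCEPT" ;;              # Lightning, Onfido, ...
        *)   rule "-s $EXT_IP --dport 7743 -j ACCEPT" ;;   # single source, e.g. Veriff
    esac
    # Block everything else on the public interface. This must stay last:
    # with -A (append), any ACCEPT after a DROP is never reached.
    echo "iptables -A INPUT -i $IFACE -j DROP"
}

# Sanity check on the generated set: exactly one DROP, and it is the final rule.
check_order() {
    last=$(iptables_rules | tail -n 1)
    drops=$(iptables_rules | grep -c -- '-j DROP')
    [ "$drops" -eq 1 ] && case "$last" in *"-j DROP") return 0 ;; esac
    return 1
}

iptables_rules
```

Run check_order before applying anything; then, on the real host, execute the printed lines one by one with sudo, in the order shown. Because the rules only name eth0, the VPN tunnel interfaces keep whatever the chain's default policy allows, which is what makes the "most secure" admin option work without a 7777 rule on the public side.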


Troubleshooting

When requested by Support, please forward the iptables rules in a ticket.

Enable UFW:

List the firewall rules:

Disable UFW again (if unusable):


Copyright © 2020-2024 General Bytes USA LLC