Renting a dedicated server, should I rent a physical firewall aswell?

Mahn asked:

I plan to rent a dedicated server to host a commercial application, which should house esentially everything necessary to run on a single machine (frontend, backend, databases, analytics, backup systems, etc) for the time being. This is indeed a simplistic infrastructure, but I don’t expect high amounts of traffic for now, so I believe it will suffice for the time being.

Now, I understand the same hour I put the server online I’m going to have malicious people trying to get root access to it, so obviously I would like to take care of this from day one. The question is, do I need a to rent a physical firewall, physical as in being a different machine, with this setting (which my provider offers, but at a cost of pretty much doubling the price), or will I be able to cover my ass with a software firewall (ie iptables and co), provided it is properly configured + I take as many “software” security measures/good practices as I can?

My networking/server administration experience is admittedly limited, but I’m very much willing and eager to learn as much as I’m able to manage the server/s on my own.

My answer:

You really don’t need a separate firewall for a single host; Linux iptables is more than sufficient to protect the server, and (if you run Red Hat/CentOS) will be on and reasonably secure by default.

The first thing you will want to do after the server is up is to make yourself a user account, and then secure ssh by denying root logins with a password. In /etc/ssh/sshd_config set either:

PermitRootLogin no


PermitRootLogin without-password

if you want to be able to login as root with ssh keys.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.