Should I disallow incoming traffic even if there is no service to process it?

Hello,

If only two publicly available services are running on a Linux server, let's say an Apache web server and an SSH server, is it still important for denial-of-service mitigation to disallow all traffic that does not match these two services, even though there are no other public-facing services? Or does it not matter? Can you briefly explain why it matters or why not?

Maybe from my layman's point of view I am forgetting that Linux has more services/apps which can be affected by an incoming attack. For example I have found "chronyd is a daemon for synchronisation of the system clock." listening on Debian (netstat -tulnp). Btw. is this netstat -tulnp command what shows me the apps that potentially need to be allowed in a firewall?

I would prefer to keep the default iptables policy ACCEPT while possibly just disallowing those incoming chronyd connections. I have been using the ACCEPT policy for years on more than one server.

Thank You

Hey,

Yes, you should block all incoming traffic that doesn’t match your allowed services, even if no other services are running.

I’m maybe old school but my networking teacher taught this rule of thumb:

Always deny all traffic and then only allow traffic you need.

I still follow this rule to this day and do not have any reason to stop doing so.

Here’s why:

  1. Reduce Attack Surface: Blocking all unnecessary traffic keeps your server safer by preventing attackers from flooding your network with junk traffic, even on ports with no services listening. This helps avoid slowdowns and resource exhaustion.

  2. Protect Background and Future Services: Blocking unnecessary traffic helps protect not only background services you might overlook (like chronyd for time sync) but also any new services that might be installed in the future. This way, you minimize the risk of exposure before you can secure them properly.

  3. Good Security Practice: Implementing a default block policy is just good security practice. It reduces the chances of issues from port scanning, misconfigurations, or adding new services without immediately updating firewall rules.

Hope this helps…

Lubos

Thank you, yet I have some layman doubts about your answers:

  1. … Blocking all unnecessary traffic keeps your server safer by preventing attackers from flooding your network with junk traffic

When that traffic already utilizes my server's uplink (its connection to the internet) and goes to a port where there is no service, how can it "flood" my network with junk traffic even more?

  2. true, that seems like an advantage

  3. there you (or the AI) seem to be repeating reason number 2. Otherwise I do not really understand what it practically means.

I think we may run in circles until we agree that there is a difference between a port blocked by a firewall and an open port with no service listening. Consider the following example. I have run two nmap scans for port 80. In the first example the attacker scans while the port is blocked by the firewall, and in the other while the port is unused but not blocked by the firewall. Take note of the execution time and response:

When you block a port with a firewall, it looks to tools like Nmap that your server is down, making it harder for attackers to gather info. This scan takes longer because the firewall drops the traffic. If there’s no service listening on the port, Nmap sees the server is up and the port is just closed, and the scan is quicker. So, blocking ports with a firewall is better for security and resource management.

In terms of DoS attack, blocking a port with a firewall is much better for prevention because it stops unwanted traffic before it even reaches your server, saving your bandwidth and resources. This makes your server more secure and less likely to be overwhelmed by junk traffic.


You’re right that if, for example, port 443 is open, an attacker can target it with a DoS attack. However, blocking other ports still helps because fewer open ports mean fewer ways for attackers to get in, and it’s easier to watch and protect the important ports like 443. Also, blocking unnecessary ports saves bandwidth and server power, helping your server cope better during an attack. So, while it doesn’t stop attacks on open ports, it makes your server more secure overall.

Look at it this way: what do you gain by not blocking all ports with the firewall and only allowing the ports that you need?
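As an added illustration of the deny-by-default rule Lubos describes (this is not code from the thread or from any project it mentions), the script below prints the two iptables INPUT variants under discussion side by side and decides, from the generated rules alone, whether an unsolicited connection to a given port would get through. The helper names, the port list and the chronyd rule are my own assumptions, and nothing is applied to the kernel unless an administrator pipes the printed commands into sh.

```shell
#!/bin/sh
# Constructed example: generate the two INPUT-chain variants from the thread.
# Assumed: iptables with the conntrack match; only "show" prints them.

# Default-deny variant. $1 is a space-separated list of TCP ports to expose.
default_deny_rules() {
    ports="$1"
    echo "iptables -F INPUT"
    # Loopback and replies to connections the host opened itself
    # (for example chronyd's outbound NTP queries) are always admitted.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Policy goes to DROP last so an SSH session is not cut off between the
    # flush and the allow rule. Anything else, listener or not, is discarded.
    echo "iptables -P INPUT DROP"
}

# The original poster's setup for contrast: accept everything, then deny
# known listeners one by one (here the chronyd listener on UDP 123). Any
# listener that appears later is exposed until someone adds a rule for it.
accept_policy_rules() {
    echo "iptables -P INPUT ACCEPT"
    echo "iptables -A INPUT -p udp --dport 123 -j DROP"
}

# Would an unsolicited packet to port $3 be admitted by variant $1 (built with
# port list $2)? Prints "yes" or "no". Simplification: protocol is ignored.
port_reachable() {
    rules=$("$1" "$2")
    if echo "$rules" | grep -q -- "-P INPUT DROP"; then
        # Deny by default: only ports with an explicit NEW-accept rule pass.
        echo "$rules" | grep -q -- "--dport $3 " && echo yes || echo no
    else
        # Accept by default: everything passes unless explicitly dropped.
        echo "$rules" | grep -q -- "--dport $3 -j DROP" && echo no || echo yes
    fi
}

if [ "${1:-}" = "show" ]; then
    echo "# default deny, SSH + HTTP only"; default_deny_rules "22 80"
    echo "# original setup: accept by default"; accept_policy_rules
    echo "# port 8080 reachable? deny-default: $(port_reachable default_deny_rules "22 80" 8080)," \
         "accept-default: $(port_reachable accept_policy_rules "" 8080)"
fi
```

Run it as `sh script.sh show` to see the rulesets; the last line demonstrates that a port with no listener (8080) is unreachable under the deny-by-default variant but wide open under the accept-by-default one.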