Skip to main content

Security Services

There are four security services that's helping to protect your website security.

IPTables Service

The iptables and ip6tables services are the firewall software used to filter inbound and outbound connections routed through IPv4 and IPv6 connections.

Inbound Connection

Inbound connection is for incoming traffic from the internet. Certain ports are opened for variety of purposes:

  • 22 - SSH
  • 53 - DNS (TCP & UDP)
  • 80 - HTTP
  • 443 - HTTPS
  • 2443 - Webmin
  • 3306 - MySQL
  • 5432 - PostgreSQL
  • 32768:65535 - Ephemeral Ports (TCP only)

Ephemeral ports are only allowed to be used for local development inside the server. Other ports not listed are blocked.

Outbound Connection

Outbound connection is for outgoing internet connection from the server. It's allowed for all ports and protocols by default, except port 25, it's blocked to prevent SMTP / Email abuse. If you need to send emails, you can use a third-party email relay services that uses a more secure 587 port or via HTTP/REST API.

There are also additional measures to prevent abuse, by enabling firewall via the deployment system. It blocks all outbound connection except for sites that are whitelisted. It works by resolving all whitelisted sites to IP addresses and allow only those IP addresses to be accessed.

This firewall feature is permanently enabled for free users. For premium users it's opt-in and can be turned off at will. This feature is recommended to be used for installation of weakly secured servers like WordPress. To check if the feature is enabled, you can go to Check -> Firewall menu.

Fail2Ban Service

Fail2Ban is a service that block IPs automatically by detecting malicious attempts found from system logs in real time. It's implemented for all users and it's configured to listen for common internet attacks. The rules that's enabled are filtering:

  • WordPress : Login failures from /wp-login.
  • MariaDB : Login failures from MariaDB or PhpMyAdmin.
  • Webmin : Login failures from webmin login UI.
  • SSH : Login failures from SSH.

If login failures detected for three times with the same IP, that IP will be blocked from accessing the related service for 12 hours straight.

EarlyOOM Service

EarlyOOM is a service that prevents the whole system going offline when running out of memory.

Previously when there's too much application running at the same time, the whole server is freezes and struggles to keep responsive. When that happens we (the developer) usually reboot the services immediately as we can. That proven unreliable hence why this service installed.

DOM Cloud Bridge's Sudokill

Sudokill is a custom script designed for DOM Cloud. It kills unwanted processes that mostly being the result of someone trying to break our resource policy. It's implemented as a cron job that runs every 5 minutes.

It kills with SIGKILL when following criteria met:

  • It's a user process, not a root or a system daemon.
  • Running for longer than 3 hours, or:
    • Background processes
    • Detached from nginx/daemon/ssh
    • User doesn't have any active SSH session.