With RunCloud, every unused port is closed to outside access by default. The only open ports are 22/tcp (SSH), 80/tcp (HTTP), 443/tcp (HTTPS) and 34210/tcp (RunCloud Communication Port). We use FirewallD as the firewall and Fail2Ban to block unauthorized attempts to access your server.
The RunCloud server is configured to block access attempts using Fail2Ban. However, Fail2Ban itself cannot be controlled from inside our panel.
For SSH, 5 failed attempts to access your server over SSH within a 10 minute window result in the source IP address being blocked for the bantime value set in /etc/fail2ban/jail.local.
For the RunCloud Agent (port 34210), 2 attempts to access your server's agent without a valid serverID and serverKey result in the source IP address being blocked for the bantime value set in /etc/fail2ban/jail.local.
A Fail2Ban ban only blocks the port of the jail that triggered it. A blocked IP address can still access your website as usual.
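The following jail.local is an added example that expresses the SSH and agent policy described above in Fail2Ban's own configuration; it is not the file RunCloud ships. The 5-attempt/10-minute and 2-attempt thresholds come from the text; the bantime value, the agent jail name, its filter and its log path are assumptions, since the page does not give them.

```ini
# Added example, not RunCloud's shipped /etc/fail2ban/jail.local.
[DEFAULT]
# How long a banned IP stays blocked. The page refers to this value but
# does not state it, so 1h is an assumed value.
bantime = 1h
# Window in which failed attempts are counted.
findtime = 10m
# Failed attempts within findtime that trigger a ban.
maxretry = 5
# Ban via a FirewallD rich rule that carries the jail's port and protocol,
# so a banned IP loses only that port and can still reach the website.
banaction = firewallcmd-rich-rules

[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

# Hypothetical jail for the RunCloud Agent; the jail name, filter and log
# path below are assumptions and are not RunCloud's actual configuration.
[runcloud-agent]
enabled = true
port = 34210
filter = runcloud-agent
logpath = /var/log/runcloud-agent.log
maxretry = 2
```

Because the panel does not manage Fail2Ban, the state of a jail is inspected on the server itself with `fail2ban-client status sshd`, which lists the currently banned addresses for that jail.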
If you need to know more about FirewallD, please refer to its documentation. However, you do not need to know how to set up the firewall, because we have already configured it for your server.
When adding a new firewall rule, you can globally open a port so that the outside world can reach it on your server. A global open port rule only requires two arguments:
| Form Field | Justification |
|---|---|
| Port | The port that you want to globally open to the world |
| Protocol | The protocol, either TCP or UDP |
To accept both TCP and UDP on the same port, add a second rule for the same port with the other protocol.
With a rich rule, you can accept or reject a specific IP address or CIDR range. A rich rule requires four arguments:
| Form Field | Justification |
|---|---|
| Port | The port that the rule applies to |
| Protocol | The protocol, either TCP or UDP |
| IP Address | The IP address or CIDR range to accept or reject |
| Action | The action (accept or reject) to apply to the IP address/CIDR range |
To accept or reject both TCP and UDP on the same port, add the same rule a second time with the other protocol.
After you have added a global open port or rich rule, it is not yet deployed to your server. You have to click the Deploy Firewall button to deploy your firewall. After that, your server uses the new firewall rules that you have configured.
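As an added example (not the panel's own code), the script below builds the FirewallD commands that correspond to the two rule types above: a global open port, and a rich rule that accepts or rejects an IP address or CIDR range on a port, added once per protocol and followed by a reload, which is what the Deploy Firewall step amounts to. The sample port and address are constructed; the commands are only printed unless APPLY=1 is set and firewall-cmd is present, so it can be read and tested on a machine without firewalld.

```shell
#!/bin/sh
# Added example, not RunCloud's panel code. Generates firewall-cmd commands
# for a global open port and for a rich rule, for both TCP and UDP.

# Emit the command for a global open port: $1 = port, $2 = tcp|udp.
global_open_port() {
    printf 'firewall-cmd --permanent --add-port=%s/%s\n' "$1" "$2"
}

# Build the FirewallD rich rule text for accepting or rejecting one
# IPv4 address or CIDR range on a port.
# $1 = port, $2 = tcp|udp, $3 = address or CIDR, $4 = accept|reject
rich_rule() {
    case "$4" in
        accept|reject) ;;
        *) echo "rich_rule: action must be accept or reject" >&2; return 1 ;;
    esac
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" %s' \
        "$3" "$1" "$2" "$4"
}

# Emit the rich rule for both protocols (one rule per protocol, as the
# text requires) and finish with the reload that makes them active.
# $1 = port, $2 = address or CIDR, $3 = accept|reject
deploy_rich_rule_both() {
    for proto in tcp udp; do
        printf "firewall-cmd --permanent --add-rich-rule='%s'\n" \
            "$(rich_rule "$1" "$proto" "$2" "$3")"
    done
    echo 'firewall-cmd --reload'
}

# Run a generated command only when explicitly asked and firewalld exists;
# otherwise print it, so the script is safe to read and dry-run anywhere.
run_or_print() {
    if [ "${APPLY:-0}" = 1 ] && command -v firewall-cmd >/dev/null 2>&1; then
        sh -c "$1"
    else
        printf '%s\n' "$1"
    fi
}

# Constructed sample input: open 8080 for TCP and UDP, then reject the
# documentation range 203.0.113.0/24 on that port for both protocols.
{
    global_open_port 8080 tcp
    global_open_port 8080 udp
    deploy_rich_rule_both 8080 203.0.113.0/24 reject
} | while IFS= read -r cmd; do run_or_print "$cmd"; done
```

The rich rule text is FirewallD's own syntax, so each printed line can be compared against what `firewall-cmd --list-rich-rules` shows after a deploy. Note that `--permanent` alone writes the rule to disk without activating it; the trailing `firewall-cmd --reload` is the equivalent of the panel's deploy step.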
You can unblock any banned IP address for the SSH port. If you accidentally block yourself, you can always log in to the RunCloud Panel and remove your IP address from the block list. After you have done that, you will be able to SSH into your server as normal. Pro tip: use an SSH key.