Network security
Ports
Blocked ports
To protect Selectel infrastructure from malicious network activity, we restrict access to certain TCP/UDP ports. On the edge routers of the Selectel Internet network, both incoming and outgoing traffic to these ports is blocked. The exception is TCP port 25: only outgoing traffic is blocked, to limit the sending of potentially malicious email. The list of blocked ports is available in Blocked ports and Internet resources.
Ports that are most often opened
Firewalling
Basic network protection
To protect your system, limit incoming and outgoing traffic. Define a list of required network services and for each of your servers, allow connections only to network ports associated with those services. If necessary, restrict the source address of the connection. All connections that are not explicitly allowed should be blocked.
Network security for private subnets and public IP addresses can be provided by:
- Cloud Firewall — a stateful firewall for cloud servers. You can manage it in the control panel, via OpenStack CLI, or Terraform;
- basic firewall — a stateless firewall for dedicated servers. It can only be managed in the control panel.
Security groups in the cloud platform
Using security groups you can configure filtering rules for all traffic passing through a cloud server port.
Advanced protection
Next Generation Firewalls (NGFW) analyze traffic to protect the network perimeter and have the following capabilities:
- IPS/IDS — an intrusion detection and prevention system;
- proxy — a mode that allows you to manage user access to the internet from the corporate network according to a role-based access control model;
- reverse proxy — a mode that allows you to safely publish internal company resources to the internet.
Selectel provides software-based and hardware firewalls, including FSTEC-certified ones. For example, the UserGate firewall has an FSTEC certificate. Certified firewalls have additional options, such as L7 filtering — this is deep packet inspection at the L7 level of the OSI network model, which includes application control, SSL decryption, URL filtering, and more. These options are provided as subscriptions in addition to the main license.
Basic firewall functionality includes two types of VPN (Virtual Private Network):
- site-to-site VPN — allows you to organize a tunnel between offices and branches of one company or to a partner's network for secure data exchange;
- client-to-site VPN — allows you to organize secure remote access to corporate services and data via the internet.
GOST-VPN service
You can organize a secure channel with your network or a partner's network using the GOST-VPN service. Channel encryption is performed using GOST algorithms. We will configure a certified ViPNet Coordinator hardware crypto-gateway on the Selectel infrastructure side and handle its administration. An important requirement is the presence of a ViPNet network on the side of your infrastructure or your partner's infrastructure.
Network Attack Detection and Prevention (IPS)
To detect and prevent network attacks, we recommend using specialized solutions — Intrusion Prevention System (IPS).
The IPS module is available in the following firewalls:
Among the free tools that perform IPS functions, the most popular and functional are:
As a Host-based Intrusion Detection System (HIDS), we recommend using Wazuh.
Server-level network protection
You can also protect network connections at the specific server level. On Linux servers, we recommend using:
- Secret Net LSP and Secret Net Studio are FSTEC-certified security tools for Linux and Windows operating systems that protect virtual and physical servers from unauthorized access and network attacks on the host;
- Uncomplicated Firewall (UFW) — a tool for configuring a firewall. It was developed for the Ubuntu distribution but is also available for other distributions, such as Debian;
- firewalld — a firewall management system that is installed by default in distributions based on Red Hat Enterprise Linux, such as Fedora, CentOS, Alma Linux, Rocky Linux, and Oracle Linux. Learn more about customization in the firewalld documentation and see setup examples in the Fedora documentation.
When configuring a firewall, keep in mind that some ports originally intended for specific services are routinely targeted by attackers. For example, 21/TCP (FTP), 22/TCP (SSH), 23/TCP (Telnet), and 3389/TCP (RDP) are dangerous ports because they are frequently subjected to password guessing (brute-force) and vulnerability exploitation attacks. The full list of such ports is in the table Ports that are most often opened.
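The following script is an added example, not part of the Selectel documentation, showing the allowlist policy from Basic network protection applied with UFW on a Linux server: everything not explicitly required is denied, SSH is reachable only from an administrative subnet, and a second function checks `ss` output for listeners that the required-services list does not cover. The admin subnet 203.0.113.0/24 and the service list are placeholders you replace with your own.

```shell
#!/bin/sh
# Added example (not Selectel's code). Assumes UFW is installed on the server.
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # placeholder: your admin subnet

# Required services, one per line: <name> <proto> <port> <source>
# A source of "any" means the whole internet may connect.
SERVICES="
ssh   tcp 22  $ADMIN_NET
https tcp 443 any
dns   udp 53  10.0.0.0/8
"

# Print the ufw commands that implement the allowlist (review, then pipe to sh).
# Outgoing traffic is left open here; to restrict it as well, switch to
# "ufw default deny outgoing" and add explicit "ufw allow out ..." rules.
ufw_rules() {
  echo "ufw --force reset"
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  echo "$SERVICES" | while read -r name proto port src; do
    [ -n "$name" ] || continue
    if [ "$src" = any ]; then
      echo "ufw allow proto $proto to any port $port comment $name"
    else
      echo "ufw allow proto $proto from $src to any port $port comment $name"
    fi
  done
  echo "ufw --force enable"
}

# Read "ss -Hltun" lines on stdin (Netid State Recv-Q Send-Q Local Peer) and
# print listeners bound to a non-loopback address whose proto/port is not in
# SERVICES: each one is either a gap in the allowlist or a service that should
# not be exposed at all.
unlisted_listeners() {
  allowed=$(echo "$SERVICES" | awk 'NF { printf "%s/%s ", $2, $3 }')
  awk -v allowed="$allowed" '
    BEGIN { n = split(allowed, a); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $2 == "LISTEN" || $2 == "UNCONN" {
      proto = $1; addr = $5; port = addr
      sub(/.*:/, "", port); sub(/:[0-9]+$/, "", addr)
      if (addr ~ /^127\./ || addr == "[::1]") next   # loopback: not reachable
      if (!((proto "/" port) in ok)) print proto, port, addr
    }'
}
```

On the server, `ufw_rules | sh` applies the ruleset and `ss -Hltun | unlisted_listeners` reports exposed listeners that the policy does not account for.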
Network access to a Managed Database cluster
In Managed Databases, you can configure network access to the cluster. Users can only access the cluster itself; there is no access to the cluster nodes, as they are on the Selectel side. By default, in clusters with a public subnet, connections are allowed from any address and are authenticated by login and password. In a cluster with a private subnet, connections are allowed from the cluster subnet and from subnets connected to the cluster subnet by a cloud router. You can limit the list of addresses from which access to the database cluster is allowed. For more information, see the instructions for PostgreSQL, PostgreSQL for 1C, PostgreSQL TimescaleDB, MySQL semi-sync, MySQL sync, Redis and Kafka.
DDoS protection
Selectel provides basic free protection against DDoS attacks at the network and transport layers (L3-L4) — see Selectel DDoS Protection for details. Information about blocked attacks, network blocks, and blocked IP addresses is available in the control panel under Products → Network Incidents. For more information about trackable data, see Network Incidents.
Solutions from our partners are also available, which implement advanced protection against DDoS attacks at L3-L4 and L7 levels:
Web application security
To protect web applications at the application layer (L7), we recommend using specialized solutions — Web Application Firewall (WAF).
Selectel provides several solutions for protecting web applications using WAF:
- a partner solution Curator;
- a certified SolidWall WAF Professional — we provide it as a license, and the client performs administration independently.
Among the free tools that perform WAF functions, the most popular and functional are: