Network security
Ports
Blocked ports
To protect the Selectel infrastructure from malicious network activity, we restrict access to certain TCP/UDP ports. On the edge routers of the Selectel network, both inbound and outbound traffic to these ports is blocked. The exception is TCP port 25: only outbound traffic is blocked, to limit potentially malicious email leaving the network. The list of blocked ports is given in the Blocked Ports instruction.
Ports that are most often opened
Firewalling
Basic network protection
To protect a system, restrict both inbound and outbound traffic. Define the list of network services each server actually needs and, for each server, allow connections only to the ports those services use. Where possible, also restrict the source addresses from which connections are accepted. Every connection that is not explicitly allowed should be blocked (default deny).
Network security for private subnets and public IP addresses can be provided by:
- cloud firewall — a stateful firewall for cloud servers. You can manage it in the control panel, via the OpenStack CLI, or with Terraform;
- basic firewall — a stateless firewall for dedicated servers. It can only be managed from the control panel.
Security groups in the cloud platform
With security groups, you can configure rules that filter all traffic passing through a cloud server's port.
Advanced Defense
Next Generation Firewalls (NGFW) analyze traffic to protect the network perimeter and offer the following features:
- IPS/IDS — intrusion detection and prevention;
- proxy — a mode that controls user access to the Internet from the corporate network according to a role-based access model;
- reverse proxy — a mode for securely publishing internal company resources to the Internet.
Selectel provides software and hardware firewalls, including FSTEC-certified ones; for example, the UserGate firewall is FSTEC certified. Certified firewalls offer additional options such as L7 filtering, i.e. deep inspection of traffic at layer 7 of the OSI model, which includes application control, SSL/TLS decryption, URL filtering, and more. These options are sold as subscriptions on top of the basic license.
The basic functionality of these firewalls includes a VPN (Virtual Private Network) of two types:
- site-to-site VPN — a tunnel between the offices and branches of one company, or to a partner's network, for secure data exchange;
- client-to-site VPN — secure remote access over the Internet to corporate services and data.
GOST-VPN service
You can set up a secure channel to your own network or a partner's network using the GOST-VPN service. The channel is encrypted with GOST algorithms. On the Selectel infrastructure side, we configure a certified ViPNet Coordinator hardware crypto gateway and take care of its administration. A ViPNet network must already exist on your side or your partner's side.
Network Attack Detection and Prevention (IPS)
To detect and prevent network attacks, we recommend using specialized solutions — Intrusion Prevention System (IPS).
The IPS module is present in the following firewalls:
Among free tools that perform IPS functions, the most popular and functional are:
We recommend Wazuh as a Host-based Intrusion Detection System (HIDS).
Server-level network protection
You can also protect network connections at the level of an individual server. On servers running Linux (and, for Secret Net Studio, Windows) we recommend:
- Secret Net LSP and Secret Net Studio — FSTEC-certified security tools for Linux and Windows operating systems that protect virtual and physical servers from unauthorized access and network attacks on the host;
- Uncomplicated Firewall (UFW) — a front end for configuring the host firewall. It was developed for Ubuntu but is also available in other distributions such as Debian. For configuration instructions, see the UFW Ubuntu documentation;
- firewalld — a firewall management service installed by default in distributions based on Red Hat Enterprise Linux, such as Fedora, CentOS, AlmaLinux, Rocky Linux, and Oracle Linux. For more information on configuring it, see the firewalld documentation and the configuration examples in the Fedora documentation.
When configuring a firewall, keep in mind that some ports originally intended for specific services are routinely targeted by attackers. For example, 21/TCP (FTP), 22/TCP (SSH), 23/TCP (Telnet), and 3389/TCP (RDP) are frequently subjected to password brute-force attacks and exploitation of vulnerabilities in the services behind them; if such a service must be reachable at all, restrict the source addresses that may connect to it rather than opening it to the whole Internet. For the complete list of these ports, see the Ports Most Often Opened table.
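The allow-list approach from Basic network protection (define the needed services, allow only their ports, restrict sources, deny everything else) and the warning above about 21, 22, 23 and 3389 can be combined into a small policy checker. The script below is an added example and not Selectel's or UFW's own code: it takes a declarative service list, refuses to emit a ruleset that opens one of those ports to every source address, and otherwise translates the policy into a default-deny UFW configuration. The service names and the address ranges (203.0.113.0/24, 198.51.100.53) are constructed for the example.

```python
"""Build a default-deny UFW ruleset from a declarative service allow-list and
refuse policies that expose the ports the section warns about to the Internet.

Added illustration; not Selectel's or UFW's own code. The policies and
address ranges below are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_network

# Ports the section singles out as frequent brute-force / exploitation targets.
DANGEROUS_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 3389: "RDP"}


@dataclass(frozen=True)
class Service:
    name: str
    port: int
    proto: str = "tcp"
    direction: str = "in"      # "in": a service this host exposes; "out": one it consumes
    peers: tuple = ("any",)    # "in": permitted client networks; "out": permitted destinations


def _check(svc: Service) -> None:
    """Reject malformed entries before they become firewall rules."""
    if svc.proto not in ("tcp", "udp"):
        raise ValueError(f"{svc.name}: unsupported protocol {svc.proto}")
    if svc.direction not in ("in", "out"):
        raise ValueError(f"{svc.name}: direction must be 'in' or 'out'")
    if not 1 <= svc.port <= 65535:
        raise ValueError(f"{svc.name}: port {svc.port} out of range")
    for net in svc.peers:
        if net != "any":
            ip_network(net, strict=False)  # raises ValueError on a malformed network


def _is_world(net: str) -> bool:
    """True for 'any', 0.0.0.0/0 and ::/0, i.e. no source restriction at all."""
    return net == "any" or ip_network(net, strict=False).prefixlen == 0


def risky_exposures(policy) -> list:
    """List inbound rules that open a dangerous port to every source address."""
    findings = []
    for svc in policy:
        if svc.direction == "in" and svc.port in DANGEROUS_PORTS:
            for net in svc.peers:
                if _is_world(net):
                    findings.append(f"{svc.port}/{svc.proto} ({DANGEROUS_PORTS[svc.port]}) open to {net}")
    return findings


def ufw_commands(policy, allow_risky: bool = False) -> list:
    """Translate the policy into ufw commands: deny everything in both
    directions, then allow only the listed services with their peer restrictions."""
    problems = risky_exposures(policy)
    if problems and not allow_risky:
        raise ValueError("refusing to generate ruleset: " + "; ".join(problems))
    cmds = ["ufw default deny incoming", "ufw default deny outgoing"]
    for svc in policy:
        _check(svc)
        for net in svc.peers:
            if svc.direction == "in":
                cmds.append(f"ufw allow in proto {svc.proto} from {net} to any port {svc.port} comment '{svc.name}'")
            else:
                cmds.append(f"ufw allow out proto {svc.proto} to {net} port {svc.port} comment '{svc.name}'")
    cmds.append("ufw --force enable")
    return cmds


# Constructed policy for a public web server whose admins come in over a VPN range.
WEB_SERVER_POLICY = (
    Service("https", 443),                                      # public web service
    Service("ssh-admin", 22, peers=("203.0.113.0/24",)),        # SSH only from the admin range
    Service("dns-out", 53, "udp", "out", ("198.51.100.53",)),   # the one resolver we use
    Service("https-out", 443, "tcp", "out"),                    # package mirrors, APIs
)
# Same host with RDP (3389) opened to the whole Internet: the checker must reject it.
BAD_POLICY = WEB_SERVER_POLICY + (Service("rdp", 3389, peers=("0.0.0.0/0",)),)

if __name__ == "__main__":
    print("\n".join(ufw_commands(WEB_SERVER_POLICY)))
    print("findings for BAD_POLICY:", risky_exposures(BAD_POLICY))
```

Running the script prints the commands for the good policy and the finding for the bad one; pipe the output into a shell on the target host (or feed the same allow-list to your cloud security group rules) once you are satisfied with it. The check is deliberately narrow: it flags only a dangerous port with no source restriction at all, so a policy that allows SSH from a very large range still passes, and tightening that threshold is a one-line change in `_is_world`.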
Network access to a cloud database cluster
In cloud databases, you can configure network access to the cluster. Users can only access the cluster itself; there is no access to the cluster nodes, since they are managed on the Selectel side. By default, in clusters with a public subnet, connections are allowed from any address, subject to a login and password. In a cluster with a private subnet, connections are allowed from the cluster's subnet and from subnets connected to it through the cloud router. You can restrict the list of addresses from which access to the database cluster is allowed. For details, see PostgreSQL, PostgreSQL for 1C, PostgreSQL TimescaleDB, MySQL semi-sync, MySQL sync, Redis, and Kafka.
DDoS protection
Selectel provides basic free protection of the infrastructure against DDoS attacks at the network and transport layers (L3-L4); see the Selectel Protection manual. Information about blocked attacks, network blocking, and blocked IP addresses can be viewed in the control panel under Products → Network Incidents. For details on what can be tracked, see the Network Incidents section.
Solutions from our partners that provide advanced protection against DDoS attacks at L3-L4 and L7 are also available:
- Curator;
- StormWall;
- DDoS Guard.
Web application security
To protect web applications at the application layer (L7), we recommend using specialized solutions — Web Application Firewall (WAF).
Selectel provides several solutions for securing web applications with WAFs:
- Curator partner solution;
- StormWall partner solution;
- certified SolidWall WAF Professional — provided as a license; the client administers it.
Among free tools that perform WAF functions, the most popular and functional are: