How to configure/lock down linux for EFA 5?
I've been running three EFA 4 servers for many years and want to build out EFA 5 and migrate over. In the past, I've deployed the VM with the OS already installed and configured. I'm no Linux guru by any means and don't see documentation on what to do between a fresh install of Linux, running the EFA installer, and going live. Are there firewall rules to set up in the Linux OS that the EFA install doesn't take care of? Or are all the network adapter and firewall settings modified and set up with the installation script? I'm just worried I'll leave the system vulnerable since I'm not familiar with Linux security exposed to the web. I've been reading that most folks are using Rocky or Alma.
- shawniverson
- Posts: 3783
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: How to configure/lock down linux for EFA 5?
Firewall rules are set up as part of installation. You can view them after you install and configure the box with firewall-cmd if you need more customization. By default ports 22/tcp (ssh), 25/tcp (smtp), 80/tcp (http), 443/tcp (https), 587/tcp (submission), and 10000/tcp (if using webmin) are open.
You can also enable Fail2Ban with eFa-Configure to protect against attacks on ssh and http/https.
Re: How to configure/lock down linux for EFA 5?
Awesome, thanks for the quick reply! So basically install Linux, run the installation and configuration and it's ready to face the web?
- shawniverson
Re: How to configure/lock down linux for EFA 5?
Generally, yes. Many folks like to restrict the web and ssh further by limiting them to just their own networks, which I encourage. To do so you need to remove them as services in FirewallD using firewall-cmd and add rich rules instead that restrict via source IP or range.
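The change described in the reply above, as an added example that is not part of the thread or of eFa's own tooling: it prints the firewall-cmd calls that replace the open ssh, http and https services with rich rules limited to one source range. The zone name `public`, the range `192.0.2.0/24` and the helper names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not eFa code. Prints (does not run) the firewall-cmd calls that
# swap the open ssh/http/https services for rich rules limited to one admin range.
# Assumptions: zone "public"; 192.0.2.0/24 is a constructed documentation range.
ZONE=${ZONE:-public}

# Succeed only for a well-formed IPv4 address or CIDR (octets 0-255, prefix 0-32).
valid_ipv4_cidr() {
    case "$1" in
        */*) _addr=${1%/*}; _prefix=${1##*/} ;;
        *)   _addr=$1; _prefix=32 ;;
    esac
    case "$_prefix" in ''|???*|*[!0-9]*) return 1 ;; esac
    [ "$_prefix" -le 32 ] || return 1
    case "$_addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    _old_ifs=$IFS; IFS=.
    set -- $_addr            # split on dots; safe, only digits and dots remain
    IFS=$_old_ifs
    [ "$#" -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "${#_octet}" -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
}

# Usage: efa_restrict_cmds <admin-range> [service ...]   (hypothetical helper name)
efa_restrict_cmds() {
    _cidr=$1; shift
    valid_ipv4_cidr "$_cidr" || { echo "invalid IPv4 range: $_cidr" >&2; return 2; }
    [ "$#" -gt 0 ] || set -- ssh http https
    for _svc in "$@"; do
        # --permanent edits only the saved config, so the running firewall (and
        # your SSH session) is unchanged until the --reload at the end.
        echo "firewall-cmd --permanent --zone=$ZONE --add-rich-rule='rule family=\"ipv4\" source address=\"$_cidr\" service name=\"$_svc\" accept'"
        echo "firewall-cmd --permanent --zone=$ZONE --remove-service=$_svc"
    done
    echo "firewall-cmd --reload"
    echo "firewall-cmd --zone=$ZONE --list-all   # verify before closing your session"
}

# Review the output, then run the lines as root on the eFa host.
efa_restrict_cmds "${ADMIN_NET:-192.0.2.0/24}"
```

The smtp (25/tcp) and submission (587/tcp) entries are left untouched; check the active zone with `firewall-cmd --get-active-zones` before applying anything.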