Modern servers are constantly under attack from hackers or automated scripts that search for any vulnerability as soon as it is revealed.
These attacks typically come from a wide range of IP addresses from all over the world, making it practically impossible to block all of them separately.
No server can ever be completely safe from attacks, despite having the best available protections in place and a very strict patching schedule.
There are, however, many ways to greatly increase server security and reduce the risk of intrusion to a minimum. One of the most effective is to restrict server access to a small list of whitelisted IPs.

How to block external connections

There are several methods to filter connections by their IP address, the most common being the use of hardware or software firewalls.
Hardware firewalls are very effective but also quite expensive, since they are designed to protect entire networks. We won’t discuss them in this article, which focuses on software firewalls, available as both paid and open source versions.
Modern cloud platforms also offer an external network firewall service that can be tweaked directly from their online platform.
Every Linux operating system includes at least a basic firewall, usually either the old iptables or the new nftables framework. These are sometimes enabled by default but tend to be difficult to configure and maintain.
Most distributions also come with a more user-friendly firewall, which operates on top of the basic one without requiring extensive knowledge from the user. Examples include firewalld (found in RHEL and CentOS derivatives) or ufw (installed in distributions from the Ubuntu family).
More advanced firewalls are also available, such as the very popular CSF (ConfigServer Security & Firewall), which has the additional advantage that it can be installed as a plugin in the WHM interface.
There are also tools developed to protect only specific applications, for example cPHulk, which prevents brute-force attacks against a number of cPanel services.
All of these firewalls share the same basic rule: except for a number of user-whitelisted IPs and ports, all the others are blocked. It goes without saying that only the server administrator should have the right to change firewall settings.

When to whitelist IPs

If no IP addresses are whitelisted, external connections to the server are not possible. Since you don’t want to be locked out of your own machine, you can start by whitelisting your own IPs.
However, whitelisting IPs is only effective as long as they remain static. If your IP is dynamic or you often connect from external locations, allowing connections from a large number of addresses can be a significant security risk.
In this case, a much better option is to connect through a virtual private network, and only whitelist the static IP of the VPN server.
Some services, such as the web server, have to be open for external connections. In this case, the best practice is to whitelist the port used by the service. Keep in mind that you can configure your firewall to reject requests from particular countries, if they are the origin of frequent attacks.
External partners and providers might also need to connect to the server, or only to some of its services.

Whitelisting best practices

In order to make a server more secure, the number of whitelisted IPs must be as low as possible. Only allow an IP if there is a very solid reason, and delete it from the list once it is no longer needed.
Most firewalls support temporary whitelists, which can be very useful. Let’s say that a developer needs to work on your server for two weeks: you can temporarily whitelist their IP for this period, and the entry will be removed automatically when it expires.
It is also possible to allow specific combinations of IPs and ports. If somebody only needs to use your mail server, for example, you can whitelist their IP for the mail ports alone, since there is no need for a general whitelist. The same applies to external applications that only connect to a specific port.
Region-based rules can also be very effective in some cases. For example, if an online store only sells its products in certain countries, you should only whitelist IPs from those locations and block all others.
Another best practice is to regularly check the whitelist, just in case some IPs have been forgotten in there. To avoid confusion, you can make a brief note every time you allow an IP, so you can remember the reason later.
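The practices above (a minimal list, temporary entries that expire, IP-plus-port scoping and a note per entry) can be kept in one place and turned into firewall rules. The following is an added example, not code from the original article: a small Python allowlist manager that drops expired entries, flags overly broad ranges for review, and renders the list as ufw commands. The entries, dates and the Entry structure are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Entry:
    source: str              # IP or CIDR, or "any" for a public service port
    port: Optional[int]      # None means every port from this source
    reason: str              # note recording why the entry exists
    expires: Optional[date]  # None means permanent

# Constructed sample allowlist (documentation ranges, not real hosts).
ALLOWLIST = [
    Entry("203.0.113.10", None, "admin via VPN static IP", None),
    Entry("198.51.100.7", 22, "contractor, two-week engagement", date(2024, 6, 1)),
    Entry("192.0.2.0/24", 25, "partner mail relay", None),
    Entry("any", 80, "public web", None),
    Entry("any", 443, "public web", None),
]
TODAY = date(2024, 6, 15)  # constructed review date, so the contractor entry has expired

def active_entries(entries: List[Entry], today: date) -> List[Entry]:
    """Validate sources and drop temporary entries whose expiry date has passed."""
    kept = []
    for e in entries:
        if e.source != "any":
            ip_network(e.source, strict=False)  # raises ValueError on a malformed source
        if e.expires is not None and e.expires < today:
            continue
        kept.append(e)
    return kept

def broad_entries(entries: List[Entry], max_hosts: int = 256) -> List[Entry]:
    """Return source ranges larger than max_hosts, which deserve a manual review."""
    return [e for e in entries
            if e.source != "any" and ip_network(e.source, strict=False).num_addresses > max_hosts]

def render_ufw(entries: List[Entry]) -> List[str]:
    """Emit ufw commands: deny everything inbound, then one allow rule per entry."""
    cmds = ["ufw default deny incoming", "ufw default allow outgoing"]
    for e in entries:
        if e.source == "any":
            cmds.append(f"ufw allow {e.port}/tcp comment '{e.reason}'")
        elif e.port is None:
            cmds.append(f"ufw allow from {e.source} comment '{e.reason}'")
        else:
            cmds.append(f"ufw allow from {e.source} to any port {e.port} proto tcp comment '{e.reason}'")
    return cmds

if __name__ == "__main__":
    print("\n".join(render_ufw(active_entries(ALLOWLIST, TODAY))))
```

Run the script periodically (for example from cron) and apply the output only after reviewing the entries it flags; the commands print rather than execute so nothing changes on the host by accident.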

IP whitelisting and blacklisting can be a very powerful security tool in the ongoing fight against malware and other threats.
However, both whitelisting and blacklisting can be dangerous if they are not done right. Follow the advice in this article in order to use whitelisting in the most effective way.
