What ports should be left open on a web server?
sounds about right, if you're serving https only, then that's the one that you need to leave open. however, only application started with a root account can listen to ports below 1024, so you have two options here:
- start your ruby app as root - not a good idea
- have it behind apache - might be better, but depends on what you want to do, this may be just an additional overhead
- run ruby app as other user on different port, say 8443 and have iptables to portforward requests from 443 to 8443 - this i guess is what you want to do
below is how you do port forwarding (you can do the same with 80 to 8080, for example):
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
other than that, there's no need to open any other ports to the internet, just make sure you leave ssh on the other interface open, so you can access and manage the server.
as for firewall application, iptables comes with ubuntu and just use it, no need for any other fancy tool i'd say.
You are right in that only ports 80/443 need to be exposed. Everything else should be closed. You will need your firewall to do a few things.
- Connection limit and rate limit. You want your firewall to be able to slow things down in the event of a DDoS attack or repeated attempts at port-knocking or things like that.
- Block all unnecessary out-going traffic. This can help in case your machine is compromised as most bots need to connect to a remote command-and-control server.
- Block all other incoming ports. You should really still block everything else, just in case an attacker manages to install some app and opens up a back-door port.
Those are some thoughts. I don't have any specific software recommendations though. Maybe reading LARTC might help.