With Hong Kong cloud servers widely used in cross-border business, overseas website hosting, cross-border e-commerce, and application acceleration nodes, network security has become a critical factor affecting business stability. As attack methods continue to evolve, especially with the increasing prevalence of port scans, brute-force attacks, malicious requests, and DDoS traffic, building a reasonable, controllable, and maintainable firewall rule set is particularly important. A firewall is not merely a simple tool for "allowing or blocking ports"; it also carries important responsibilities such as enforcing business access policies, filtering abnormal behavior, and isolating risks. Given the widespread use of Hong Kong cloud servers and the significant differences among cloud providers' environments, a lack of security policies often leads to servers being scanned, compromised, or implanted with malicious scripts shortly after going live.
Before building a firewall policy, it is essential to first clarify the underlying logic of security protection. Firewall rules are divided into two directions: inbound traffic and outbound traffic. Most users only focus on inbound rules, but outbound rules are equally important. If a server is compromised, malicious programs often establish C&C channels or launch external attacks. Therefore, reasonably restricting outbound traffic can effectively reduce the risk of exploitation and spread. Secondly, firewall policies should adhere to the "principle of least privilege," meaning a default of denying all access and only opening ports necessary for business operations. This should be combined with log auditing to trace the source of attacks.
Hong Kong cloud servers are commonly used to host web services, so ports 80 and 443 are essential for most business operations. However, if other management ports are not closed, they are easily scanned. Before deploying a firewall, list the ports required for business operations, such as web, API, database, SSH, and container services, and then assess whether each needs to be exposed to the public network. For example, MySQL (3306) should almost never be exposed to the public network, and Redis (6379) and MongoDB (27017) are high-risk ports for intrusion and should be blocked directly. Reviewing ports before creating security rules is the first step in building a reliable firewall system.
The three most common firewall tools for Hong Kong cloud servers are iptables/nftables, UFW, and security groups (cloud vendor console). Different users have different preferences, but the principles are the same. Cloud vendor security groups are often used as the first layer of filtering, while the server's internal firewall serves as the second layer. Dual-layer protection reduces the risk of misconfiguration while improving security.
If you are using iptables, you can build a basic policy using the following commands. First, set the default policy:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
Next, allow necessary access, such as allowing SSH login:
iptables -A INPUT -p tcp --dport 22 -s <your-management-IP> -j ACCEPT
Allow HTTP/HTTPS:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Allow local communication:
iptables -A INPUT -i lo -j ACCEPT
Discard packets that connection tracking cannot classify (malformed or forged packets typical of scans):
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
Finally, save the rules (this command belongs to the iptables-services package on CentOS/RHEL; on Debian/Ubuntu install iptables-persistent and run iptables-save > /etc/iptables/rules.v4 instead):
service iptables save
The advantage of using iptables is its high degree of control, but the disadvantage is that it's not very user-friendly for beginners. If using Ubuntu, UFW is easier to learn, and commonly used commands are as follows:
ufw default deny incoming
ufw default allow outgoing
ufw allow 80
ufw allow 443
ufw allow from <management-IP> to any port 22
ufw enable
Basic protection can be achieved with just a few lines of commands, suitable for small to medium-sized projects.
For large projects or environments relying on APIs or microservices, it is recommended to choose the more granular nftables, which offers higher performance and clearer rule design than iptables, but its configuration is slightly more complex. If enterprise-level business requirements include access frequency restrictions, regional restrictions, blacklists, and automatic blocking mechanisms, it is recommended to combine it with fail2ban or Cloudflare WAF to achieve a more comprehensive protection system.
Besides allowing necessary ports, when building a firewall for Hong Kong cloud servers, special attention should be paid to preventing brute-force attacks on SSH. Almost all Hong Kong servers are scanned for port 22 within minutes of going live, accompanied by frequent brute-force attempts. If the SSH source is not restricted or the port is not changed, it is extremely vulnerable to brute-force attacks. Countermeasures include: restricting the source IP, changing the default SSH port, disabling password login, using key authentication, and enabling fail2ban to trigger blocking.
Example of changing the SSH port and disabling password login. Edit the SSH daemon configuration:
nano /etc/ssh/sshd_config
Port 22222
PasswordAuthentication no
Before restarting, allow the new port (22222) in the firewall and keep the current session open until a login over the new port has been verified; otherwise the change can lock you out. Then restart:
systemctl restart sshd
Database port control is another crucial point. Almost all databases should not be exposed to the public internet, especially databases like Redis, MongoDB, and Elasticsearch, which often have no password or weak passwords by default and are easily compromised. If public access is unavoidable, an IP whitelist or access credentials should be implemented. Restricting database ports through a firewall is the simplest and most effective method, for example:
ufw deny 3306
ufw deny 6379
Alternatively, use security groups to restrict access to specific IPs:
Rule: Only allow company fixed IPs to access 3306.
Settings in the cloud console:
Inbound rule: TCP 3306 → Allow source: Company IP
In addition, firewall rules also need to consider abnormal traffic, DDoS protection, and connection-rate restrictions. Although Hong Kong cloud servers often provide basic DDoS protection, application-layer attacks can still put excessive pressure on the service. Connection rate limits can be set with the firewall, for example (the --syn match counts new connections rather than every packet of already established sessions):
iptables -A INPUT -p tcp --dport 80 --syn -m limit --limit 30/s --limit-burst 100 -j ACCEPT
New connections above this rate fall through to the default DROP policy, which helps mitigate some malicious traffic. Two caveats: the rule only has an effect if it is matched before the unconditional port 80 ACCEPT shown earlier, so that rule should be replaced by this one; and the limit module keeps a single global counter, so it caps the total rate of new connections rather than the rate per source (per-source limiting needs the hashlimit module).
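The iptables policy from the section above and the rate-limited web rule here, rendered as one iptables-restore ruleset so that rule order is fixed and the whole set is applied atomically. This is an added example, not the article's own command list; the management address 203.0.113.10 is a documentation placeholder, and the ruleset includes the ESTABLISHED,RELATED rule that the article's list omits, plus a rate-limited LOG rule for dropped packets.

```shell
#!/bin/sh
# Added example (not from the original article): render the firewall policy as
# an iptables-restore ruleset. Save as e.g. fw.sh (hypothetical name) and run:
#   sh fw.sh 203.0.113.10 | iptables-restore --test   # syntax check only
#   sh fw.sh 203.0.113.10 | iptables-restore          # apply atomically
# 203.0.113.10 is an RFC 5737 documentation address standing in for the real
# management IP.

render_rules() {
    mgmt_ip="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first, then drop packets conntrack cannot classify (scans, forged flags)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# replies to connections the server itself opened (apt, DNS, API calls); the
# article's command list omits this rule, and without it outbound traffic gets
# no answers because of the INPUT DROP policy
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH only from the management address
-A INPUT -p tcp --dport 22 -s $mgmt_ip -m conntrack --ctstate NEW -j ACCEPT
# web: count new connections (--syn), not every packet; anything above the
# limit falls through to the INPUT DROP policy. No plain ACCEPT follows.
-A INPUT -p tcp --dport 80 --syn -m limit --limit 30/s --limit-burst 100 -j ACCEPT
-A INPUT -p tcp --dport 443 --syn -m limit --limit 30/s --limit-burst 100 -j ACCEPT
# log what is about to be dropped, rate-limited so a scan cannot flood syslog
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}

# Print the ruleset when a management IP is given on the command line.
if [ -n "${1:-}" ]; then
    render_rules "$1"
fi
```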
As applications become containerized, Docker and Kubernetes environments change the internal network structure of servers, leading to more complex port mapping and forwarding paths. Firewall rules must account for the container bridge. For example, Docker creates the docker0 bridge by default and delivers published container ports through the FORWARD chain rather than INPUT, so to control container traffic, restrictions should be added to both the INPUT and FORWARD chains (Docker reserves the DOCKER-USER chain for such user rules). Users unfamiliar with container networking often encounter port inaccessibility due to rule conflicts. Therefore, it is recommended to centrally manage exposed ports through a separate front-end proxy (such as Nginx or Traefik) and then use a firewall to restrict source IPs.
Firewall rules should not be built "once and for all," but should be audited regularly. Auditing methods include: checking which ports are listening, which rules have not been used for a long time, whether there are overly lenient rules, and whether there are duplicate rules or order conflicts. For example, to check port listening status, you can use:
ss -tulnp
If certain services are found to be no longer in use, the corresponding ports should be closed or the services uninstalled promptly.
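An added audit helper, not from the article, for the "which ports are listening" check: it reads ss -tulnp output and lists sockets bound to a non-loopback address whose port is not on the expected list, so anything it prints is either an unexpected exposure or a port missing from your firewall plan. The ss output embedded below is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original article: report listening sockets that
# are reachable from outside the host (not bound to loopback) and whose port is
# not on the expected list. Real use:  ss -tulnp | audit_exposed "22 80 443"

audit_exposed() {
    # $1: space-separated ports that are meant to be open; ss output on stdin
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                               # skip the ss header line
    {
        port = $5; sub(/.*:/, "", port)            # "0.0.0.0:6379" -> "6379"
        addr = $5; sub(/:[0-9*]+$/, "", addr)      # "[::]:443"     -> "[::]"
        if (addr == "127.0.0.1" || addr == "[::1]") next   # loopback only
        if (port in ok) next                       # expected, nothing to report
        proc = "-"
        if (match($0, /[(]"[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
        print $1, port, addr, proc                 # proto port address process
    }'
}

# Constructed sample of `ss -tulnp` output (not captured from a real host).
SAMPLE_SS=$(cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
tcp   LISTEN 0      511    [::]:443           [::]:*            users:(("nginx",pid=1201,fd=7))
tcp   LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=950,fd=21))
tcp   LISTEN 0      511    0.0.0.0:6379       0.0.0.0:*         users:(("redis-server",pid=1011,fd=6))
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*         users:(("chronyd",pid=700,fd=5))
EOF
)

# Redis on 6379 and NTP on 123 are exposed but not on the list; MySQL is bound
# to loopback only and is therefore not reported.
printf '%s\n' "$SAMPLE_SS" | audit_exposed "22 80 443"
```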
Auditing also includes reviewing firewall logs. The UFW log is commonly found at:
/var/log/ufw.log
iptables can log denial behaviors via syslog or custom logging rules. Logs help you identify the source IP of an attack, abnormal request frequency, and malicious scanning patterns, allowing you to formulate appropriate blocking policies.
Another key aspect of building a Hong Kong cloud server firewall is geographical location restriction. Most cross-border businesses don't require access from all regions globally; for example, if targeting only Southeast Asian users, access sources can be filtered using GeoIP or WAF. Simple filtering can also be achieved using iptables' IP range restriction function, such as blocking IP ranges from certain high-risk regions. However, such rules are not suitable for beginners as they may lead to false blocking and should be used with caution.
As applications grow in scale, traditional firewalls may struggle to meet complex needs. In such cases, dedicated firewall systems like CSF or cloud vendor WAF services can be used in conjunction. These tools offer more user-friendly interfaces and more security policies, such as SYN Flood filtering, port scan detection, and email service protection.