{"id":3490,"date":"2025-12-27T17:10:13","date_gmt":"2025-12-27T14:10:13","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/vps-sunucularda-guvenlik-duvari-yapilandirma-ufw-firewalld-ve-iptables\/"},"modified":"2025-12-27T17:10:13","modified_gmt":"2025-12-27T14:10:13","slug":"vps-sunucularda-guvenlik-duvari-yapilandirma-ufw-firewalld-ve-iptables","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/vps-sunucularda-guvenlik-duvari-yapilandirma-ufw-firewalld-ve-iptables\/","title":{"rendered":"Configuring a Firewall on VPS Servers: ufw, firewalld and iptables"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#VPS_sunucularda_guvenlik_duvari_neden_kritik\"><span class=\"toc_number toc_depth_1\">1<\/span> Why is a firewall critical on VPS servers?<\/a><\/li><li><a href=\"#Temel_guvenlik_duvari_kavramlari_araclardan_bagimsiz\"><span class=\"toc_number toc_depth_1\">2<\/span> Basic firewall concepts (tool-independent)<\/a><\/li><li><a href=\"#ufw_firewalld_ve_iptablesa_genel_bakis\"><span class=\"toc_number toc_depth_1\">3<\/span> An overview of ufw, firewalld and iptables<\/a><ul><li><a href=\"#ufw_nedir_hangi_senaryolarda_one_cikar\"><span class=\"toc_number toc_depth_2\">3.1<\/span> What is ufw, and in which scenarios does it stand out?<\/a><\/li><li><a href=\"#firewalld_nedir_hangi_dagitimlarda_karsimiza_cikar\"><span class=\"toc_number toc_depth_2\">3.2<\/span> What is firewalld, and on which distributions do we encounter it?<\/a><\/li><li><a href=\"#iptables_nedir_ne_zaman_dogrudan_kullanilir\"><span class=\"toc_number toc_depth_2\">3.3<\/span> What is iptables, and when is it used directly?<\/a><\/li><\/ul><\/li><li><a href=\"#Hangi_dagitimda_hangi_araci_kullanmali\"><span class=\"toc_number toc_depth_1\">4<\/span> Which tool on which distribution?<\/a><\/li><li><a href=\"#Iyi_bir_VPS_guvenlik_duvari_tasarimi_nasil_olmali\"><span class=\"toc_number toc_depth_1\">5<\/span> What should a good VPS firewall design look like?<\/a><\/li><li><a href=\"#ufw_ile_adim_adim_VPS_guvenlik_duvari_yapilandirma\"><span class=\"toc_number toc_depth_1\">6<\/span> Step-by-step VPS firewall configuration with ufw<\/a><ul><li><a href=\"#Kurulum_ve_temel_ayarlar\"><span class=\"toc_number toc_depth_2\">6.1<\/span> Installation and basic settings<\/a><\/li><li><a href=\"#SSH_HTTP_ve_HTTPSi_acma\"><span class=\"toc_number toc_depth_2\">6.2<\/span> Opening SSH, HTTP and HTTPS<\/a><\/li><li><a href=\"#SSH_icin_rate_limit_ve_IP_kisitlama\"><span class=\"toc_number toc_depth_2\">6.3<\/span> Rate limiting and IP restriction for SSH<\/a><\/li><li><a href=\"#Belirli_servislere_izin_verme\"><span class=\"toc_number toc_depth_2\">6.4<\/span> Allowing specific services<\/a><\/li><li><a href=\"#Etkinlestirme_ve_durum_kontrolu\"><span class=\"toc_number toc_depth_2\">6.5<\/span> Enabling and checking status<\/a><\/li><li><a href=\"#IPv6_ornegi\"><span class=\"toc_number toc_depth_2\">6.6<\/span> IPv6 example<\/a><\/li><\/ul><\/li><li><a href=\"#firewalld_ile_adim_adim_VPS_guvenlik_duvari_yapilandirma\"><span class=\"toc_number toc_depth_1\">7<\/span> Step-by-step VPS firewall configuration with firewalld<\/a><ul><li><a href=\"#Kurulum_ve_servis_yonetimi\"><span class=\"toc_number toc_depth_2\">7.1<\/span> Installation and service management<\/a><\/li><li><a href=\"#Varsayilan_zoneu_ve_arayuzleri_kontrol_etme\"><span class=\"toc_number toc_depth_2\">7.2<\/span> Checking the default zone and interfaces<\/a><\/li><li><a href=\"#SSH_HTTP_ve_HTTPSe_izin_verme\"><span class=\"toc_number toc_depth_2\">7.3<\/span> Allowing SSH, HTTP and HTTPS<\/a><\/li><li><a href=\"#Belirli_bir_port_ve_protokol_acma\"><span class=\"toc_number toc_depth_2\">7.4<\/span> Opening a specific port and protocol<\/a><\/li><li><a href=\"#IP_bazli_kisitlama_icin_rich_rule_ornegi\"><span class=\"toc_number toc_depth_2\">7.5<\/span> Rich rule example for IP-based restriction<\/a><\/li><li><a href=\"#IPv6_ile_kullanim\"><span class=\"toc_number toc_depth_2\">7.6<\/span> Using it with IPv6<\/a><\/li><\/ul><\/li><li><a href=\"#iptables_ile_dogrudan_kural_yazma\"><span class=\"toc_number toc_depth_1\">8<\/span> Writing rules directly with iptables<\/a><ul><li><a href=\"#Zincirler_ve_temel_akis\"><span class=\"toc_number toc_depth_2\">8.1<\/span> Chains and basic flow<\/a><\/li><li><a href=\"#Ornek_temel_iptables_scripti\"><span class=\"toc_number toc_depth_2\">8.2<\/span> Example basic iptables script<\/a><\/li><li><a href=\"#Kurallari_kalici_yapmak\"><span class=\"toc_number toc_depth_2\">8.3<\/span> Making rules persistent<\/a><\/li><\/ul><\/li><li><a href=\"#Karsilastirma_ufw_firewalld_ve_iptables_artilarieksileri\"><span class=\"toc_number toc_depth_1\">9<\/span> Comparison: pros and cons of ufw, firewalld and iptables<\/a><ul><li><a href=\"#Kullanim_kolayligi\"><span class=\"toc_number toc_depth_2\">9.1<\/span> Ease of use<\/a><\/li><li><a href=\"#Dagitim_entegrasyonu_ve_ekosistem\"><span class=\"toc_number toc_depth_2\">9.2<\/span> Distribution integration and ecosystem<\/a><\/li><li><a href=\"#Dinamiklik_ve_otomasyon\"><span class=\"toc_number toc_depth_2\">9.3<\/span> Dynamism and automation<\/a><\/li><li><a href=\"#Ne_zaman_hangisini_secmeli\"><span class=\"toc_number toc_depth_2\">9.4<\/span> When to choose which?<\/a><\/li><\/ul><\/li><li><a href=\"#Yaygin_hatalar_ve_kacinmaniz_gereken_senaryolar\"><span class=\"toc_number toc_depth_1\">10<\/span> Common mistakes and scenarios to avoid<\/a><ul><li><a href=\"#Test_icin_guvenlik_duvarini_kapattim_oyle_kaldi_sendromu\"><span class=\"toc_number toc_depth_2\">10.1<\/span> The \u201cI turned the firewall off for a test and it stayed off\u201d syndrome<\/a><\/li><li><a href=\"#Veritabani_portlarini_dunyaya_acmak\"><span class=\"toc_number toc_depth_2\">10.2<\/span> Exposing database ports to the world<\/a><\/li><li><a href=\"#IPv6yi_tamamen_unutmak\"><span class=\"toc_number toc_depth_2\">10.3<\/span> Forgetting IPv6 entirely<\/a><\/li><li><a href=\"#Guvenlik_duvarini_tek_katmanli_dusunmek\"><span class=\"toc_number toc_depth_2\">10.4<\/span> Treating the firewall as a single layer<\/a><\/li><\/ul><\/li><li><a href=\"#DCHost_altyapisinda_pratik_oneriler\"><span class=\"toc_number toc_depth_1\">11<\/span> Practical recommendations on DCHost infrastructure<\/a><\/li><li><a href=\"#Ozet_ve_sonraki_adimlar\"><span class=\"toc_number toc_depth_1\">12<\/span> Summary and next steps<\/a><\/li><\/ul><\/div>\n<h2><span id=\"VPS_sunucularda_guvenlik_duvari_neden_kritik\">Why is a firewall critical on VPS servers?<\/span><\/h2>\n<p>The moment you first expose your VPS to the internet, port scans and automated bot attempts begin, even before you have announced your site. Because ports such as SSH, HTTP\/HTTPS and SMTP are open to the whole world, setting out without a basic firewall rule set is like leaving the lights on at night without locking your office door. 
In the architecture design and security audit work we do at DCHost, in a significant share of problematic <a href=\"https:\/\/www.dchost.com\/tr\/vps\">VPS<\/a> cases we see either that the firewall is completely off, or rules that were left in place without any thought, along the lines of \u201cSSH open, everything else default\u201d.<\/p>\n<p>In this article we put the three approaches most commonly used on a VPS, the <strong>ufw<\/strong>, <strong>firewalld<\/strong> and <strong>iptables<\/strong> tools, side by side and compare them. Our aim is to give clear answers to questions such as \u201cWhich tool should I choose?\u201d, \u201cWhat should the default rule set look like?\u201d and \u201cShould I make sure not to forget IPv6?\u201d, and to leave you with example commands you can use directly. We will put together a practical, field-tested guide that you can apply on the VPS, dedicated or colocation servers you host at DCHost.<\/p>\n<h2><span id=\"Temel_guvenlik_duvari_kavramlari_araclardan_bagimsiz\">Basic firewall concepts (tool-independent)<\/span><\/h2>\n<p>First let us clarify a few basic concepts that are independent of any tool; that way the ufw, firewalld and iptables commands will make more sense to you.<\/p>\n<ul>\n<li><strong>Stateful firewall<\/strong>: Tracks the connection state of packets (NEW, ESTABLISHED, RELATED, etc.). 
It evaluates incoming traffic not blindly, but by checking whether it is part of an existing session.<\/li>\n<li><strong>INPUT \/ OUTPUT \/ FORWARD<\/strong>: Refers to traffic arriving at your server (INPUT), leaving the server (OUTPUT) and being routed through the server (FORWARD). In most VPS scenarios the main focus is the INPUT chain.<\/li>\n<li><strong>Default policy<\/strong>: What happens to a packet that matches no rule. The secure approach is <strong>DROP for INPUT<\/strong> and usually <strong>ACCEPT<\/strong> for OUTPUT (which can be tightened as needed).<\/li>\n<li><strong>IPv4 and IPv6<\/strong>: Many administrators write their IPv4 rules carefully while IPv6 stays completely empty. If IPv6 is active on your server (it is on most modern VPSes), you need to think about your firewall rules <strong>for both protocols<\/strong>.<\/li>\n<li><strong>Port and service<\/strong>: A firewall works at the port level (80\/tcp, 443\/tcp and so on). Some tools (firewalld) group ports under meaningful service labels (http, https, ssh).<\/li>\n<\/ul>\n<p>The basic logic of a firewall is \u201c<strong>open <u>specifically<\/u> what is needed, close the rest<\/strong>\u201d. 
As long as you keep this perspective, which tool you choose is secondary.<\/p>\n<h2><span id=\"ufw_firewalld_ve_iptablesa_genel_bakis\">An overview of ufw, firewalld and iptables<\/span><\/h2>\n<h3><span id=\"ufw_nedir_hangi_senaryolarda_one_cikar\">What is ufw, and in which scenarios does it stand out?<\/span><\/h3>\n<p><strong>ufw (Uncomplicated Firewall)<\/strong> is an <em>easy management layer<\/em> for iptables\/nftables that ships by default on Ubuntu and its derivatives in particular. The goal is to set up basic scenarios such as \u201callow ssh, allow http, close everything else\u201d quickly, without wrestling with the complex iptables syntax.<\/p>\n<ul>\n<li>Simple command set: readable commands such as <code>ufw allow 22\/tcp<\/code> and <code>ufw deny 25\/tcp<\/code>.<\/li>\n<li>Application profiles: ready-made definitions for services such as Nginx and OpenSSH can be used.<\/li>\n<li>Ideal on small and medium-sized VPSes, especially in single-administrator environments.<\/li>\n<\/ul>\n<h3><span id=\"firewalld_nedir_hangi_dagitimlarda_karsimiza_cikar\">What is firewalld, and on which distributions do we encounter it?<\/span><\/h3>\n<p><strong>firewalld<\/strong> is a daemon-based firewall manager that ships mostly on RHEL-based distributions (AlmaLinux, Rocky Linux, etc.). 
Behind the scenes it uses iptables or nftables, but you work with the concepts of <em>zone<\/em> and <em>service<\/em>.<\/p>\n<ul>\n<li><strong>Zone logic<\/strong>: You assign interfaces to zones such as <code>public<\/code>, <code>internal<\/code> and <code>trusted<\/code>, and write a different rule set for each zone.<\/li>\n<li><strong>Service definitions<\/strong>: You can open and close predefined services such as <code>http<\/code>, <code>https<\/code> and <code>ssh<\/code> with a single command.<\/li>\n<li>Dynamic structure: Rule changes are usually applied without dropping connections and without needing a restart.<\/li>\n<\/ul>\n<h3><span id=\"iptables_nedir_ne_zaman_dogrudan_kullanilir\">What is iptables, and when is it used directly?<\/span><\/h3>\n<p><strong>iptables<\/strong> is the classic tool that lets you write rules directly against the netfilter framework in the Linux kernel. It is very flexible; with NAT, port forwarding and advanced match modules you can do almost anything you can think of. Its drawback is that the syntax is long and error-prone.<\/p>\n<p>Although many distributions are now moving to <strong>nftables<\/strong> in the background, iptables is still very widely used. 
Our <a href=\"https:\/\/www.dchost.com\/blog\/nftables-ile-vps-guvenlik-duvari-rehberi-rate-limit-port-knocking-ve-ipv6-kurallari-nasil-tatli-tatli-kurulur\/\">nftables VPS firewall guide<\/a>, where we cover the nftables side in depth, is the natural continuation of this article.<\/p>\n<h2><span id=\"Hangi_dagitimda_hangi_araci_kullanmali\">Which tool on which distribution?<\/span><\/h2>\n<p>Based on our general field experience, the typical distribution-to-tool pairings are as follows:<\/p>\n<ul>\n<li><strong>Ubuntu \/ Debian:<\/strong> ufw ships by default and uses iptables or nftables behind the scenes. ufw is preferred for simple scenarios, and iptables\/nftables directly for advanced setups.<\/li>\n<li><strong>AlmaLinux \/ Rocky Linux \/ RHEL:<\/strong> firewalld ships by default. In environments that use a panel (cPanel, Plesk, etc.) we also mostly see firewalld\/iptables-based setups.<\/li>\n<li><strong>Minimal\/custom images:<\/strong> None of them may be installed; you install the manager of your choice directly on top of iptables or nftables.<\/li>\n<\/ul>\n<p>On your DCHost VPS or <a href=\"https:\/\/www.dchost.com\/tr\/fiziksel-sunucu\">dedicated servers<\/a>, in the ready-made images we prepare according to your choice of distribution, we generally go with the native tool of that ecosystem. 
Our recommendation in summary:<\/p>\n<ul>\n<li><strong>Ubuntu\/Debian<\/strong>: Start with ufw, and drop down to iptables\/nftables if you need to.<\/li>\n<li><strong>AlmaLinux\/Rocky<\/strong>: Start with firewalld, and go down to the lower level only for very specific needs.<\/li>\n<\/ul>\n<h2><span id=\"Iyi_bir_VPS_guvenlik_duvari_tasarimi_nasil_olmali\">What should a good VPS firewall design look like?<\/span><\/h2>\n<p>Before moving on to the short command examples, let us clarify the principles you should follow when designing rules. A practical checklist, consistent with the <a href=\"https:\/\/www.dchost.com\/blog\/vps-sunucu-guvenligi-nasil-saglanir-kapiyi-acik-birakmadan-yasamanin-sirri\/\">VPS server security guide<\/a> on the DCHost blog, looks like this:<\/p>\n<ul>\n<li><strong>Default inbound policy: DROP<\/strong> \u2013 Let through only what you have explicitly allowed.<\/li>\n<li><strong>Narrow down SSH<\/strong> \u2013 Apply IP-based restriction if possible; otherwise at least apply a <em>rate limit<\/em>.<\/li>\n<li><strong>Open the HTTP\/HTTPS ports<\/strong> \u2013 If you run a web server, 80 and 443 will be open; other web ports (8080 and the like) are opened only if needed.<\/li>\n<li><strong>Do not expose the database to the internet<\/strong> \u2013 Make services such as MySQL\/PostgreSQL reachable only from the internal network or over a VPN.<\/li>\n<li><strong>Do not forget IPv6<\/strong> \u2013 Create the IPv6 counterpart of the same rule set as well.<\/li>\n<li><strong>Keep the log level reasonable<\/strong> \u2013 Instead of logging every packet, record only the rejected critical traffic.<\/li>\n<li><strong>Do not use conflicting tools<\/strong> \u2013 Do not write ufw, firewalld and manual iptables rules at the same time; give the responsibility to a single tool.<\/li>\n<\/ul>\n<p>We described the first steps we recommend for newly provisioned VPSes in detail in our <a href=\"https:\/\/www.dchost.com\/blog\/yeni-vpste-ilk-24-saat-guncelleme-guvenlik-duvari-ve-kullanici-hesaplari\/\">\u201cThe First 24 Hours on a New VPS\u201d guide<\/a>; here we go deeper into the firewall part.<\/p>\n<h2><span id=\"ufw_ile_adim_adim_VPS_guvenlik_duvari_yapilandirma\">Step-by-step VPS firewall configuration with ufw<\/span><\/h2>\n<h3><span id=\"Kurulum_ve_temel_ayarlar\">Installation and basic settings<\/span><\/h3>\n<p>On many Ubuntu servers ufw comes preinstalled. If not:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">apt update\napt install ufw -y\n<\/code><\/pre>\n<p>First make sure IPv6 is enabled. 
In the <code>\/etc\/ufw\/ufw.conf<\/code> file:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">IPv6=yes\n<\/code><\/pre>\n<p>then set the default policies:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">ufw default deny incoming\nufw default allow outgoing\n<\/code><\/pre>\n<h3><span id=\"SSH_HTTP_ve_HTTPSi_acma\">Opening SSH, HTTP and HTTPS<\/span><\/h3>\n<p>To avoid losing remote access, <strong>never enable<\/strong> ufw before allowing SSH:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">ufw allow 22\/tcp        # Default SSH port\nufw allow 80\/tcp        # HTTP\nufw allow 443\/tcp       # HTTPS\n<\/code><\/pre>\n<p>If SSH is on a different port, for example 2222:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">ufw allow 2222\/tcp\n<\/code><\/pre>\n<h3><span id=\"SSH_icin_rate_limit_ve_IP_kisitlama\">Rate limiting and IP restriction for SSH<\/span><\/h3>\n<p>To reduce brute-force attempts you can use ufw's <code>limit<\/code> feature:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">ufw limit 22\/tcp\n<\/code><\/pre>\n<p>If access is only needed from a specific IP address or range:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">ufw allow from 203.0.113.10 to any port 22 proto tcp\n<\/code><\/pre>\n<h3><span id=\"Belirli_servislere_izin_verme\">Allowing specific services<\/span><\/h3>\n<p>ufw recognises some services by name. 
To see the available profiles:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">ufw app list\n<\/code><\/pre>\n<p>For example, the Nginx Full profile (80 and 443):<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">ufw allow &quot;Nginx Full&quot;\n<\/code><\/pre>\n<h3><span id=\"Etkinlestirme_ve_durum_kontrolu\">Enabling and checking status<\/span><\/h3>\n<p>Once you are sure of the rules, enable ufw:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">ufw enable\n<\/code><\/pre>\n<p>To see the status:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">ufw status verbose\n<\/code><\/pre>\n<h3><span id=\"IPv6_ornegi\">IPv6 example<\/span><\/h3>\n<p>You do not need to do anything extra to allow HTTP\/HTTPS traffic arriving over your IPv6 address; ufw applies the same rule for IPv6 as well. But if you want to authorise only a specific IPv6 block:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">ufw allow from 2001:db8::\/64 to any port 22 proto tcp\n<\/code><\/pre>\n<h2><span id=\"firewalld_ile_adim_adim_VPS_guvenlik_duvari_yapilandirma\">Step-by-step VPS firewall configuration with firewalld<\/span><\/h2>\n<h3><span id=\"Kurulum_ve_servis_yonetimi\">Installation and service management<\/span><\/h3>\n<p>On a RHEL\/AlmaLinux\/Rocky-based VPS, firewalld is usually installed and active. 
To be sure:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">yum install firewalld -y   # or dnf\nsystemctl enable --now firewalld\n<\/code><\/pre>\n<p>Basic concepts:<\/p>\n<ul>\n<li><strong>Zone<\/strong>: Security level definitions (public, internal, trusted, etc.).<\/li>\n<li><strong>Service<\/strong>: Named services that cover one or more ports (http, https, ssh\u2026).<\/li>\n<li><strong>Runtime vs permanent<\/strong>: For a change to persist you must use <code>--permanent<\/code> and then <code>reload<\/code>.<\/li>\n<\/ul>\n<h3><span id=\"Varsayilan_zoneu_ve_arayuzleri_kontrol_etme\">Checking the default zone and interfaces<\/span><\/h3>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">firewall-cmd --get-default-zone\nfirewall-cmd --get-active-zones\n<\/code><\/pre>\n<p>On VPSes all traffic usually arrives through the <code>public<\/code> zone. 
If necessary:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">firewall-cmd --set-default-zone=public\n<\/code><\/pre>\n<h3><span id=\"SSH_HTTP_ve_HTTPSe_izin_verme\">Allowing SSH, HTTP and HTTPS<\/span><\/h3>\n<p>In firewalld, adding a rule by service name is quite convenient:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># Temporary (runtime) rules\nfirewall-cmd --zone=public --add-service=ssh\nfirewall-cmd --zone=public --add-service=http\nfirewall-cmd --zone=public --add-service=https\n\n# To make them permanent\nfirewall-cmd --zone=public --add-service=ssh --permanent\nfirewall-cmd --zone=public --add-service=http --permanent\nfirewall-cmd --zone=public --add-service=https --permanent\n\n# Load the changes\nfirewall-cmd --reload\n<\/code><\/pre>\n<h3><span id=\"Belirli_bir_port_ve_protokol_acma\">Opening a specific port and protocol<\/span><\/h3>\n<p>For example, if SSH is listening on port 2222\/tcp:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">firewall-cmd --zone=public --add-port=2222\/tcp --permanent\nfirewall-cmd --reload\n<\/code><\/pre>\n<h3><span id=\"IP_bazli_kisitlama_icin_rich_rule_ornegi\">Rich rule example for IP-based restriction<\/span><\/h3>\n<p>To allow SSH from a specific IP you can use a <em>rich rule<\/em>:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\"># The rule text must stay on one line inside the quotes; the backslashes\n# only continue the firewall-cmd command itself.\n# If the ssh service is also enabled in this zone, that service rule still admits\n# every source; remove it with --remove-service=ssh to limit SSH to this address.\nfirewall-cmd --permanent \\\n  --zone=public \\\n  --add-rich-rule='rule family=&quot;ipv4&quot; source address=&quot;203.0.113.10&quot; service name=&quot;ssh&quot; accept'\n\nfirewall-cmd --reload\n<\/code><\/pre>\n<h3><span id=\"IPv6_ile_kullanim\">Using it with IPv6<\/span><\/h3>\n<p>firewalld applies the same rule for both IPv4 and IPv6. 
If you need to restrict specifically for IPv6:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">firewall-cmd --permanent \\\n  --zone=public \\\n  --add-rich-rule='rule family=&quot;ipv6&quot; source address=&quot;2001:db8::\/64&quot; service name=&quot;ssh&quot; accept'\n\nfirewall-cmd --reload\n<\/code><\/pre>\n<h2><span id=\"iptables_ile_dogrudan_kural_yazma\">Writing rules directly with iptables<\/span><\/h2>\n<h3><span id=\"Zincirler_ve_temel_akis\">Chains and basic flow<\/span><\/h3>\n<p>In iptables the most commonly used table is <strong>filter<\/strong>, and it has three main chains:<\/p>\n<ul>\n<li><strong>INPUT<\/strong>: Traffic arriving at the server.<\/li>\n<li><strong>OUTPUT<\/strong>: Traffic leaving the server.<\/li>\n<li><strong>FORWARD<\/strong>: Traffic routed through the server.<\/li>\n<\/ul>\n<p>In a simple VPS scenario we usually harden INPUT and leave OUTPUT mostly open.<\/p>\n<h3><span id=\"Ornek_temel_iptables_scripti\">Example basic iptables script<\/span><\/h3>\n<p>The example below is a reasonable starting point for both IPv4 and IPv6. 
IPv4 first:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">#!\/bin\/bash\n\n# Flush the existing rules\niptables -F\niptables -X\n\n# Default policies\niptables -P INPUT DROP\niptables -P FORWARD DROP\niptables -P OUTPUT ACCEPT\n\n# Allow loopback\niptables -A INPUT -i lo -j ACCEPT\n\n# Allow packets that belong to existing connections\niptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n\n# SSH (22\/tcp)\niptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n\n# HTTP (80) and HTTPS (443)\niptables -A INPUT -p tcp --dport 80 -j ACCEPT\niptables -A INPUT -p tcp --dport 443 -j ACCEPT\n\n# Optional: log dropped packets (careful, this can be very noisy)\n# iptables -A INPUT -m limit --limit 5\/min -j LOG --log-prefix &quot;iptables-denied: &quot; --log-level 7\n\n# The DROP policy already applies to everything that reaches the end\n<\/code><\/pre>\n<p>A similar script should be written for IPv6 with <code>ip6tables<\/code>:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">#!\/bin\/bash\n\n# Flush and set the default policies, as in the IPv4 script\nip6tables -F\nip6tables -X\nip6tables -P INPUT DROP\nip6tables -P FORWARD DROP\nip6tables -P OUTPUT ACCEPT\nip6tables -A INPUT -i lo -j ACCEPT\nip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n# ICMPv6 must be allowed: neighbour discovery and router advertisements run over it,\n# and with an INPUT DROP policy the host loses IPv6 connectivity without this rule\nip6tables -A INPUT -p ipv6-icmp -j ACCEPT\n# SSH, HTTP and HTTPS\nip6tables -A INPUT -p tcp --dport 22 -j ACCEPT\nip6tables -A INPUT -p tcp --dport 80 -j ACCEPT\nip6tables -A INPUT -p tcp --dport 443 -j ACCEPT\n<\/code><\/pre>\n<h3><span id=\"Kurallari_kalici_yapmak\">Making rules persistent<\/span><\/h3>\n<p>On many distributions iptables rules are lost after a reboot. 
On the Debian\/Ubuntu side you can use this package:<\/p>\n<pre class=\"language-bash line-numbers\"><code class=\"language-bash\">apt install iptables-persistent -y\n\n# Save the current rules\niptables-save &gt; \/etc\/iptables\/rules.v4\nip6tables-save &gt; \/etc\/iptables\/rules.v6\n<\/code><\/pre>\n<p>On other systems, running this script at boot from <code>\/etc\/rc.local<\/code> or a systemd unit is also a common approach.<\/p>\n<h2><span id=\"Karsilastirma_ufw_firewalld_ve_iptables_artilarieksileri\">Comparison: pros and cons of ufw, firewalld and iptables<\/span><\/h2>\n<h3><span id=\"Kullanim_kolayligi\">Ease of use<\/span><\/h3>\n<ul>\n<li><strong>ufw<\/strong>: The easiest to learn, and very practical on single-server Ubuntu VPSes in particular. Ideal for simple requirements.<\/li>\n<li><strong>firewalld<\/strong>: Thanks to the zone and service concepts, it makes it easier to stay organised in medium-sized setups. The learning curve is slightly steeper than ufw's.<\/li>\n<li><strong>iptables<\/strong>: The most flexible but most complex option. 
A single wrong rule can lock you out of your server with one command.<\/li>\n<\/ul>\n<h3><span id=\"Dagitim_entegrasyonu_ve_ekosistem\">Distribution integration and ecosystem<\/span><\/h3>\n<ul>\n<li><strong>Ubuntu\/Debian<\/strong>: Starting with ufw is usually the most comfortable choice.<\/li>\n<li><strong>AlmaLinux\/Rocky\/RHEL<\/strong>: Designed to work with firewalld; panel software is also mostly integrated with firewalld\/iptables.<\/li>\n<li><strong>Custom images and inside containers<\/strong>: For finer control, iptables or nftables is used directly.<\/li>\n<\/ul>\n<h3><span id=\"Dinamiklik_ve_otomasyon\">Dynamism and automation<\/span><\/h3>\n<ul>\n<li><strong>ufw<\/strong>: Easily managed with simple Ansible\/SSH scripts; but it can fall short in dynamic environments where rules change very frequently.<\/li>\n<li><strong>firewalld<\/strong>: Supports runtime changes through its API and <code>firewall-cmd<\/code>; updating rules without service interruption is easy.<\/li>\n<li><strong>iptables<\/strong>: Entirely script-based; if the DevOps team is fluent in iptables, it is a powerful tool for complex automation scenarios.<\/li>\n<\/ul>\n<h3><span id=\"Ne_zaman_hangisini_secmeli\">When to choose which?<\/span><\/h3>\n<ul>\n<li><strong>Small\/medium single VPS<\/strong>, Ubuntu\/Debian: <strong>ufw<\/strong> is more than enough most of the time.<\/li>\n<li><strong>Enterprise or panel-based RHEL-family systems<\/strong>: Go with <strong>firewalld<\/strong>, and drop down to the lower-level iptables\/nftables settings if needed.<\/li>\n<li><strong>Advanced NAT, custom match modules, very fine-grained traffic shaping<\/strong>: <strong>iptables<\/strong> directly, or <strong>nftables<\/strong> as the modern alternative.<\/li>\n<\/ul>\n<h2><span id=\"Yaygin_hatalar_ve_kacinmaniz_gereken_senaryolar\">Common mistakes and scenarios to avoid<\/span><\/h2>\n<h3><span id=\"Test_icin_guvenlik_duvarini_kapattim_oyle_kaldi_sendromu\">The \u201cI turned the firewall off for a test and it stayed off\u201d syndrome<\/span><\/h3>\n<p>The mistake we see most often in the field is running <code>ufw disable<\/code> or <code>systemctl stop firewalld<\/code> while trying to fix a problem quickly in production, and then forgetting about it. The solution: in such situations always define a <strong>temporary<\/strong> exception and then return to the original rule set; do not turn the firewall off completely.<\/p>\n<h3><span id=\"Veritabani_portlarini_dunyaya_acmak\">Exposing database ports to the world<\/span><\/h3>\n<p>Exposing MySQL's port 3306 or PostgreSQL's 5432 directly to the internet dramatically increases your attack surface. Make sure to:<\/p>\n<ul>\n<li>Keep these ports open only on the internal network or VPN interface,<\/li>\n<li>Or apply very strict IP-based restriction.<\/li>\n<\/ul>\n<h3><span id=\"IPv6yi_tamamen_unutmak\">Forgetting IPv6 entirely<\/span><\/h3>\n<p>Many DDoS and brute-force attempts now arrive over IPv6 as well. If IPv6 is enabled on your server, writing only IPv4 rules will not protect you. 
Bu konuda daha geni\u015f \u00e7er\u00e7eveyi <a href=\"https:\/\/www.dchost.com\/blog\/vps-sunucunuzda-ipv6-kurulum-ve-yapilandirma-rehberi-2\/\">IPv6 yap\u0131land\u0131rma rehberimizde<\/a> anlatt\u0131k; g\u00fcvenlik duvar\u0131 kurallar\u0131n\u0131z\u0131 mutlaka iki protokol i\u00e7in de d\u00fc\u015f\u00fcn\u00fcn.<\/p>\n<h3><span id=\"Guvenlik_duvarini_tek_katmanli_dusunmek\">G\u00fcvenlik duvar\u0131n\u0131 tek katmanl\u0131 d\u00fc\u015f\u00fcnmek<\/span><\/h3>\n<p>OS seviyesindeki g\u00fcvenlik duvar\u0131, savunman\u0131z\u0131n yaln\u0131zca bir katman\u0131 olmal\u0131. Uygulama katman\u0131nda <a href=\"https:\/\/www.dchost.com\/blog\/cloudflare-guvenlik-ayarlari-rehberi-kucuk-isletme-siteleri-icin-waf-rate-limit-ve-bot-korumasi\/\">WAF ve rate limit<\/a> kullanmak, HTTP d\u00fczeyinde ise <a href=\"https:\/\/www.dchost.com\/blog\/http-guvenlik-basliklari-rehberi-hsts-csp-x-frame-options-ve-referrer-policy-dogru-nasil-kurulur\/\">HTTP g\u00fcvenlik ba\u015fl\u0131klar\u0131<\/a> ile taray\u0131c\u0131 taraf\u0131n\u0131 sertle\u015ftirmek ayn\u0131 derecede \u00f6nemli. \u00c7ok katmanl\u0131 yakla\u015f\u0131mla k\u00fc\u00e7\u00fck yanl\u0131\u015f yap\u0131land\u0131rmalar\u0131n etkisini azalt\u0131rs\u0131n\u0131z.<\/p>\n<h2><span id=\"DCHost_altyapisinda_pratik_oneriler\">DCHost altyap\u0131s\u0131nda pratik \u00f6neriler<\/span><\/h2>\n<p>DCHost\u2019ta sa\u011flad\u0131\u011f\u0131m\u0131z VPS, dedicated ve colocation hizmetlerinde, m\u00fc\u015fteri taraf\u0131nda uygulanabilir ve s\u00fcrd\u00fcr\u00fclebilir kural setleri tasarlamaya \u00f6zellikle dikkat ediyoruz. \u00d6zet pratik tavsiyemiz:<\/p>\n<ul>\n<li><strong>Ubuntu\/Debian VPS\u2019ler<\/strong>: ufw ile ba\u015flay\u0131n, haz\u0131r bir \u201cweb sunucusu + SSH\u201d profilini temel al\u0131n. 
SSH i\u00e7in <code>limit<\/code> \u00f6zelli\u011fini, web i\u00e7in 80\/443 kurallar\u0131n\u0131 ekleyin, kalan her \u015feyi kapat\u0131n.<\/li>\n<li><strong>AlmaLinux\/Rocky VPS\u2019ler<\/strong>: firewalld ile <code>public<\/code> zone\u2019da <code>ssh<\/code>, <code>http<\/code>, <code>https<\/code> servislerini kal\u0131c\u0131 olarak a\u00e7\u0131n. Veritaban\u0131, Redis gibi hizmetleri public zone yerine internal\/trusted zone\u2019a veya yaln\u0131zca VPN aray\u00fcz\u00fcne a\u00e7\u0131k tutun.<\/li>\n<li><strong>Geli\u015fmi\u015f senaryolar<\/strong>: Rate limit, port knocking, daha sofistike IPv6 kurallar\u0131 gibi ihtiya\u00e7lar i\u00e7in <a href=\"https:\/\/www.dchost.com\/blog\/nftables-ile-vps-guvenlik-duvari-rehberi-rate-limit-port-knocking-ve-ipv6-kurallari-nasil-tatli-tatli-kurulur\/\">nftables rehberimiz<\/a> ve a\u011f g\u00fcvenli\u011fi odakl\u0131 di\u011fer yaz\u0131lar\u0131m\u0131z\u0131 referans al\u0131n.<\/li>\n<\/ul>\n<p>Daha \u00fcst d\u00fczey, b\u00fct\u00fcnsel bir yakla\u015f\u0131m g\u00f6rmek isterseniz, <a href=\"https:\/\/www.dchost.com\/blog\/vps-sunucu-guvenligi-pratik-olceklenebilir-ve-dogrulanabilir-yaklasimlar\/\">VPS sunucu g\u00fcvenli\u011fi i\u00e7in pratik ve do\u011frulanabilir yakla\u015f\u0131mlar<\/a> yaz\u0131m\u0131z\u0131 da mutlaka okuyun. Orada yaln\u0131zca g\u00fcvenlik duvar\u0131n\u0131 de\u011fil, patch y\u00f6netimi, kullan\u0131c\u0131 hesaplar\u0131, loglama ve izleme taraf\u0131n\u0131 da birlikte ele al\u0131yoruz.<\/p>\n<h2><span id=\"Ozet_ve_sonraki_adimlar\">\u00d6zet ve sonraki ad\u0131mlar<\/span><\/h2>\n<p>VPS \u00fczerinde sa\u011flam bir g\u00fcvenlik duvar\u0131 kural seti kurmak, karma\u015f\u0131k bir i\u015f olmak zorunda de\u011fil. 
Do\u011fru yakla\u015f\u0131m; \u00f6nce ihtiyac\u0131n\u0131z\u0131 netle\u015ftirmek (hangi portlara ger\u00e7ekten ihtiyac\u0131n\u0131z var, hangi IP\u2019lerden eri\u015fim olacak), sonra da\u011f\u0131t\u0131m\u0131n\u0131zla en uyumlu arac\u0131 se\u00e7mek (Ubuntu i\u00e7in ufw, RHEL tabanl\u0131 sistemler i\u00e7in firewalld, \u00e7ok \u00f6zel durumlar i\u00e7in do\u011frudan iptables\/nftables) ve en \u00f6nemlisi de <strong>IPv4\u2013IPv6 ikilisini birlikte d\u00fc\u015f\u00fcnmek<\/strong>. Geri kalan k\u0131s\u0131m, birka\u00e7 tekrar sonras\u0131 kas haf\u0131zas\u0131na d\u00f6n\u00fc\u015f\u00fcyor.<\/p>\n<p>DCHost olarak, altyap\u0131n\u0131z\u0131 kurarken yaln\u0131zca CPU, RAM, disk gibi metriklere de\u011fil; g\u00fcvenlik duvar\u0131, WAF, loglama ve yedekleme gibi b\u00fct\u00fcnsel g\u00fcvenlik katmanlar\u0131na da birlikte bak\u0131yoruz. Mevcut VPS\u2019inizde g\u00fcvenlik duvar\u0131n\u0131 yeniden tasarlamak veya yeni bir DCHost VPS\/dedicated sunucu \u00fczerinde s\u0131f\u0131rdan, dok\u00fcmante bir kural seti kurmak isterseniz, ekibimiz \u00f6rnek scriptler ve mimari \u00f6nerilerle yan\u0131n\u0131zda. Bir sonraki ad\u0131m olarak; bu rehberi uygulay\u0131p temel kural setinizi oturtun, ard\u0131ndan da \u00e7ok katmanl\u0131 savunma i\u00e7in <a href=\"https:\/\/www.dchost.com\/blog\/web-uygulama-guvenlik-duvari-waf-nedir-cloudflare-waf-ve-modsecurity-ile-web-sitesi-koruma-rehberi\/\">WAF ve uygulama g\u00fcvenli\u011fi<\/a> yaz\u0131m\u0131za g\u00f6z at\u0131n. 
B\u00f6ylece VPS\u2019iniz hem h\u0131zl\u0131 hem de uzun vadede g\u00fcvenli bir zemine oturmu\u015f olur.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>\u0130&ccedil;indekiler1 VPS sunucularda g\u00fcvenlik duvar\u0131 neden kritik?2 Temel g\u00fcvenlik duvar\u0131 kavramlar\u0131 (ara\u00e7lardan ba\u011f\u0131ms\u0131z)3 ufw, firewalld ve iptables\u2019a genel bak\u0131\u015f3.1 ufw nedir, hangi senaryolarda \u00f6ne \u00e7\u0131kar?3.2 firewalld nedir, hangi da\u011f\u0131t\u0131mlarda kar\u015f\u0131m\u0131za \u00e7\u0131kar?3.3 iptables nedir, ne zaman do\u011frudan kullan\u0131l\u0131r?4 Hangi da\u011f\u0131t\u0131mda hangi arac\u0131 kullanmal\u0131?5 \u0130yi bir VPS g\u00fcvenlik duvar\u0131 tasar\u0131m\u0131 nas\u0131l olmal\u0131?6 ufw ile ad\u0131m ad\u0131m VPS [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3491,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-3490","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/3490","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/comments?post=3490"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/3490\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media\/3491"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media?parent=3490"}],"wp:term":[{"taxonomy":"category","embeddab
le":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/categories?post=3490"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/tags?post=3490"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
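The "add a temporary exception instead of disabling the firewall" advice in the common-mistakes section above, as an added example that is not code from the article, from DCHost, or from the ufw/firewalld projects. With firewalld the exception is a runtime rich rule carrying `--timeout`, so firewalld deletes it on its own; ufw has no timeout, so a detached background job issues the matching `ufw delete` after the delay. The source address 203.0.113.7, the IPv6 address 2001:db8::7 and port 8080 are constructed sample values; `DRY_RUN=1` prints the commands instead of executing them (the real thing needs root).

```shell
#!/bin/sh
# Temporary firewall exception instead of "ufw disable" / "systemctl stop firewalld".
# Added example for this article, not DCHost's script and not part of ufw or firewalld.
#   firewalld: runtime rule (no --permanent) with --timeout; firewalld removes it itself.
#   ufw: no timeout support, so a background job deletes the rule after the delay.
# DRY_RUN=1 prints the commands (the dry-run text is informational, not shell-quoted).
# 203.0.113.7 / 2001:db8::7 / 8080 used in the examples are constructed sample values.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# temp_allow_firewalld PORT/PROTO SOURCE MINUTES   e.g. 8080/tcp 203.0.113.7 15
temp_allow_firewalld() {
    port="${1%/*}"; proto="${1#*/}"; src="$2"; minutes="$3"
    # Rich rules are per address family; pick it from the source address.
    case "$src" in *:*) fam=ipv6 ;; *) fam=ipv4 ;; esac
    # Scoped to one source; --timeout makes firewalld drop the rule by itself.
    run firewall-cmd --zone=public --timeout="${minutes}m" \
        --add-rich-rule="rule family=\"$fam\" source address=\"$src\" port port=\"$port\" protocol=\"$proto\" accept"
}

# temp_allow_ufw PORT/PROTO SOURCE MINUTES
temp_allow_ufw() {
    port="${1%/*}"; proto="${1#*/}"; src="$2"; minutes="$3"
    run ufw allow from "$src" to any port "$port" proto "$proto"
    seconds=$((minutes * 60))
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'sleep %s; ufw delete allow from %s to any port %s proto %s\n' \
            "$seconds" "$src" "$port" "$proto"
    else
        # Detached so the revert survives the end of this SSH session.
        nohup sh -c "sleep $seconds; ufw delete allow from $src to any port $port proto $proto" \
            >/dev/null 2>&1 &
    fi
}

case "${1:-}" in
    firewalld|ufw) "temp_allow_$1" "$2" "$3" "$4" ;;
    '') ;;   # no arguments: only define the functions (e.g. when sourced)
    *) echo "usage: $0 firewalld|ufw PORT/PROTO SOURCE MINUTES" >&2; exit 2 ;;
esac
```

Usage: `DRY_RUN=1 sh temp-allow.sh ufw 8080/tcp 203.0.113.7 15` shows the two commands that would run; drop `DRY_RUN` and run as root to apply. The firewalld variant is the safer of the two because the expiry is enforced by the daemon rather than by a background process that a reboot or `kill` can lose.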
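For the "forgetting IPv6 entirely" section above, an added audit script (not from the article or from DCHost) that compares the IPv4 and IPv6 rule sets and reports the asymmetries a person writing only IPv4 rules leaves behind: an INPUT policy that is still ACCEPT on the v6 side, and ports accepted in one family but not the other. It reads the `iptables -S` / `ip6tables -S` dump format, so it covers ufw (whose `limit` rules jump to `ufw-user-limit-accept`) and hand-written rule sets; firewalld on its nftables backend does not show up in these dumps, but its zones apply to both families anyway. The two rule dumps embedded below are constructed samples; `audit_host` runs the real commands on a live host.

```shell
#!/bin/sh
# IPv4 vs IPv6 rule parity audit. Added example for this article, not code from
# the page. Parses the "iptables -S" / "ip6tables -S" format; both embedded rule
# dumps are constructed samples (ufw-style chains on v4, incomplete v6 side).
set -eu

V4_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 22 -j ufw-user-limit-accept
-A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT'

V6_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT'

# input_policy RULES -> policy of the INPUT chain (ACCEPT/DROP) from its "-P" line
input_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "INPUT" { print $3 }'
}

# accepted_ports RULES -> sorted unique "proto/port" for every rule that accepts
# a destination port (plain ACCEPT or ufw's rate-limited accept chain)
accepted_ports() {
    printf '%s\n' "$1" | awk '
        /-j (ACCEPT|ufw-user-limit-accept)/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (proto != "" && port != "") print proto "/" port
        }' | sort -u
}

# ports_missing RULES_A RULES_B -> ports accepted in A that have no accept in B
ports_missing() {
    a=$(accepted_ports "$1"); b=$(accepted_ports "$2")
    for p in $a; do
        printf '%s\n' "$b" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

# audit V4_RULES V6_RULES -> report on stdout; returns 1 when the families differ
audit() {
    rc=0
    printf 'IPv4 INPUT policy: %s\nIPv6 INPUT policy: %s\n' \
        "$(input_policy "$1")" "$(input_policy "$2")"
    [ "$(input_policy "$2")" = "ACCEPT" ] && {
        echo 'WARNING: IPv6 INPUT policy is ACCEPT; the IPv4 rules protect nothing over v6'
        rc=1
    }
    m=$(ports_missing "$1" "$2"); [ -n "$m" ] && { printf 'open on IPv4 only:\n%s\n' "$m"; rc=1; }
    x=$(ports_missing "$2" "$1"); [ -n "$x" ] && { printf 'open on IPv6 only:\n%s\n' "$x"; rc=1; }
    return $rc
}

# Live use (root): compare the running filter tables of this machine.
audit_host() { audit "$(iptables -S)" "$(ip6tables -S)"; }

case "${1:-}" in
    demo) audit "$V4_RULES" "$V6_RULES" || true ;;
    live) audit_host ;;
esac
```

`sh ipv6-audit.sh demo` prints the report for the constructed samples (policy warning, tcp/80 open on IPv4 only, udp/51820 open on IPv6 only); `sudo sh ipv6-audit.sh live` does the same for the running host, and its exit status makes it usable as a check in a deployment pipeline.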
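The baseline described in the "Exposing database ports to the world" section and in the two distribution bullets of the DCHost recommendations above, written out as one script. This is an added example, not DCHost's own script and not code from the article: `apply_ufw_baseline` is the Ubuntu/Debian case (deny by default, rate-limited SSH, 80/443, database ports only on the VPN interface) and `apply_firewalld_baseline` is the AlmaLinux/Rocky case (`ssh`/`http`/`https` in `public`, the VPN interface in `internal` with `mysql`/`postgresql`). The VPN interface name `wg0` is an assumption (override with `VPN_IF`), and `DRY_RUN=1` prints the commands instead of running them, which is also what the small `db_ports_are_private` review check inspects.

```shell
#!/bin/sh
# Baseline VPS rule set: ufw on Ubuntu/Debian, firewalld on AlmaLinux/Rocky.
# Added example for this article, not DCHost's script. Only SSH (rate limited),
# HTTP and HTTPS face the internet; MySQL/PostgreSQL listen on the VPN side only.
# Assumption: the VPN interface is wg0 (override with VPN_IF=...).
# DRY_RUN=1 prints the commands instead of executing them; otherwise run as root.
set -eu

VPN_IF="${VPN_IF:-wg0}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_ufw_baseline() {
    # ufw emits an IPv4 and an IPv6 rule for each command as long as
    # /etc/default/ufw contains IPV6=yes (the Ubuntu default); check it first.
    run ufw default deny incoming
    run ufw default allow outgoing
    run ufw limit 22/tcp            # drops sources with 6+ attempts in 30 seconds
    run ufw allow 80/tcp
    run ufw allow 443/tcp
    # Database ports: inbound on the VPN interface only, nothing on the public side.
    run ufw allow in on "$VPN_IF" to any port 3306 proto tcp
    run ufw allow in on "$VPN_IF" to any port 5432 proto tcp
    run ufw --force enable          # --force skips the interactive confirmation
}

apply_firewalld_baseline() {
    # A firewalld service covers both address families. The VPN interface is
    # bound to the internal zone, the only zone allowed to reach the databases;
    # the default public zone keeps ssh/http/https. If NetworkManager manages
    # wg0, firewalld records the zone in the connection profile instead.
    run firewall-cmd --permanent --zone=public --add-service=ssh
    run firewall-cmd --permanent --zone=public --add-service=http
    run firewall-cmd --permanent --zone=public --add-service=https
    run firewall-cmd --permanent --zone=internal --add-interface="$VPN_IF"
    run firewall-cmd --permanent --zone=internal --add-service=mysql
    run firewall-cmd --permanent --zone=internal --add-service=postgresql
    run firewall-cmd --reload        # activate the permanent configuration
}

# Review check on a dry-run transcript: every line that touches a database
# port or service must be tied to the VPN interface or the internal zone.
# Returns 1 if a database rule leaked to the public side.
db_ports_are_private() {
    leaked=$(printf '%s\n' "$1" | grep -E '3306|5432|mysql|postgresql' \
             | grep -v -e "$VPN_IF" -e '--zone=internal' || true)
    [ -z "$leaked" ]
}

case "${1:-}" in
    ufw)       apply_ufw_baseline ;;
    firewalld) apply_firewalld_baseline ;;
esac
```

Run `DRY_RUN=1 sh baseline.sh ufw` (or `firewalld`) first and read the transcript; the order matters for ufw, because every rule including the SSH one is in place before `ufw --force enable` turns the default-deny policy on, so you do not cut off your own session.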