In Ubuntu, there is a firewall that comes preloaded. It’s called UFW (Uncomplicated Firewall). Although UFW is a pretty basic firewall, it is user friendly, excels at filtering traffic, and has good documentation. Some basic Linux knowledge should be enough to configure this firewall on your own.
Notice that UFW is typically installed by default in Ubuntu. But if anything, you can install it yourself. To install UFW, run the following command.
sudo apt-get install ufw
If you are running a web server, you obviously want the world to be able to access your website(s). Therefore, you need to make sure that the default TCP port for web is open.
sudo ufw allow 80/tcp
In general, you can allow any port you need by using the following format:
sudo ufw allow <port>/<optional: protocol>
If you need to deny access to a certain port, use this:
sudo ufw deny <port>/<optional: protocol>
For example, let’s deny access to our default MySQL port.
sudo ufw deny 3306
UFW also supports a simplified syntax for the most common service ports.
root@127:~$ sudo ufw deny mysql
Rule updated
Rule updated (v6)
It is highly recommended to restrict access to your SSH port (by default it’s port 22) from anywhere except your trusted IP addresses (example: office or home).
Typically, you would need to allow access only to publicly open ports such as port 80. Access to all other ports need to be restricted or limited. You can whitelist your home/office IP address (preferably, it is supposed to be a static IP) to be able to access your server through SSH or FTP.
sudo ufw allow from 192.168.0.1 to any port 22
Let’s also allow access to the MySQL port.
sudo ufw allow from 192.168.0.1 to any port 3306
Looks better now. Let’s move on.
Before enabling (or restating) UFW, you need to make sure that the SSH port is allowed to receive connections from your IP address. To start/enable your UFW firewall, use the following command:
sudo ufw enable
You will see this:
root@127:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)?
Type Y, then press Enter to enable the firewall.
Firewall is active and enabled on system startup
Take a look at all of your rules.
sudo ufw status
You will see output similar to the following.
sudo ufw status
Firewall loaded
To Action From
-- ------ ----
22:tcp ALLOW 192.168.0.1
22:tcp DENY ANYWHERE
Use the “verbose” parameter to see a more detailed status report.
sudo ufw status verbose
To disable (stop) UFW, run this command.
sudo ufw disable
If you need to reload UFW (reload rules), run the following.
sudo ufw reload
In order to restart UFW, you will need to disable it first, and then enable it again.
sudo ufw disable
sudo ufw enable
Again, before enabling UFW, make sure that the SSH port is allowed for your IP address.
To manage your UFW rules, you need to list them. You can do that by checking UFW status with the parameter “numbered”. You will see output similar to the following.
root@127:~$ sudo ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] 22 ALLOW IN 192.168.0.1
[ 2] 80 ALLOW IN Anywhere
[ 3] 3306 ALLOW IN 192.168.0.1
[ 4] 22 DENY IN Anywhere
Noticed the numbers in square brackets? Now, to remove any of these rules, you will need to use these numbers.
sudo ufw delete [number]
If you use IPv6 on your VPS, you need to ensure that IPv6 support is enabled in UFW. To do so, open the config file in a text editor.
sudo nano /etc/default/ufw
Once opened, make sure that IPV6 is set to “yes”:
IPV6=yes
After making this change, save the file. Then, restart UFW by disabling and re-enabling it.
sudo ufw disable
sudo ufw enable
If you need to go back to default settings, simply type in the following command. This will revert any of your changes.
sudo ufw reset
Overall, UFW is able to protect your VPS against the most common hacking attempts. Of course, your security measures should be more detailed than just using UFW. However, it is a good (and necessary) start.
If you need more examples of using UFW, you can refer to UFW – Community Help Wiki.
]]>