
How to secure your Linux server with a UFW firewall – CloudSavvy IT




UFW, short for “Uncomplicated Firewall”, is a front end for the more complex iptables utility. It is designed to make managing a firewall as easy as setting open and closed ports and regulating allowed traffic.

Set up UFW

UFW is installed by default on Ubuntu, but if it isn’t, you can install it from apt:

sudo apt-get install ufw

If you run a different distribution you will have to use that distribution’s package manager, but UFW is widely packaged. You can check the status of the firewall with:

sudo ufw status

This should say “Inactive” if you haven’t configured it yet.

A good starting point for any firewall is to deny all inbound traffic and allow all outbound traffic. Don’t worry, this will not interrupt your SSH connection immediately, because the firewall is not yet activated.

sudo ufw default deny incoming
sudo ufw default allow outgoing

This gives us a blank slate to work with and add rules to.

Open ports with UFW

Use the ufw allow command to open ports. For example, to open port 22:

sudo ufw allow 22

You can also leave a note for your future self when adding a rule:

sudo ufw allow 8080/tcp comment 'Open port for Express API'

Many applications install profiles for UFW, including SSH, so you can also allow an application to open the ports it needs by specifying its name:

sudo ufw allow ssh

You can display a list of the available application profiles with ufw app list and show the details of one with ufw app info [name].

You can also allow a range of ports using a colon as a separator, and you can specify a protocol. For example, to allow only TCP traffic on ports 3000 through 3100, you would do the following:

sudo ufw allow 3000:3100/tcp

Since the default policy is to deny incoming connections, you do not have to manually close any ports. If you want to close an outgoing port, you have to specify the direction with ufw reject:

sudo ufw reject out 3001

Whitelisting and rate limiting with UFW

You can grant different permissions to specific IP addresses. For example, to allow all traffic from a given IP address, you can do the following:

sudo ufw allow 192.168.1.1

To whitelist an address for specific ports only, you need to use the more verbose syntax:

sudo ufw allow proto tcp from 192.168.1.1 to any port 22

You probably don’t want to whitelist SSH access this way unless you’ve set up a backup connection or some kind of port knocking, because IP addresses change frequently. One option, if you want to limit SSH access to just yourself, is to set up an OpenVPN server in the same private cloud and whitelist access from that server.

If you want to whitelist an entire block of IP addresses, as is common when you run your servers in a virtual private cloud, you can use standard CIDR subnet notation:

sudo ufw allow 192.168.0.0/24

Subnets are fairly involved, so read our guide on working with them to learn more.

Rate limiting is another useful firewall feature that blocks connections which are obviously malicious. It protects against an attacker trying to brute-force an open SSH port. You can of course whitelist the port to protect it fully, but rate limiting is still useful. By default, UFW’s rate limiting blocks an address that attempts 6 or more connections in 30 seconds, and it is intended mainly for SSH:

sudo ufw limit ssh

Switch on UFW

Once you’ve configured your rules, you can enable UFW. Make sure SSH is allowed on port 22 or you’ll lock yourself out. If you’d like, you can stop UFW from starting at boot, so that a reboot can recover from a bad rule set:

sudo systemctl disable ufw

You can then activate UFW with:

sudo ufw enable

If all is well, you can run ufw status to view the current state of the firewall. If you are not locked out and the firewall is running, set it to start at boot with:

sudo systemctl enable ufw

Every time you change the rules you have to reload the firewall with:

sudo ufw reload

You can also enable logging to record connections under /var/log/:

sudo ufw logging on

Manage and delete rules

If you want to delete a rule, first get its number with:

sudo ufw status numbered

Note that the numbers start at 1, not 0. You can then delete a rule by number:

sudo ufw delete [number]

Again, make sure you don’t delete the rule that keeps port 22 open. You can use the … --dry-run parameter to have UFW ask you for confirmation:

If you make any changes, you will need to reload the firewall.
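Because rules are deleted by number and the numbers shift after every deletion, it is easy to remove the SSH rule by mistake. The following shell functions, added here as an example and not part of the original article, parse the output of ufw status numbered (fed on stdin, so they can be tested against the constructed sample below or against the live command) and refuse to emit a delete command for a rule whose target is 22/tcp or the OpenSSH profile. The column layout in the sample is an assumption based on ufw’s usual output.

```shell
#!/bin/sh
# Constructed sample of `sudo ufw status numbered`, mirroring the rules added
# in this guide (assumption: this column layout matches what ufw prints).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 8080/tcp                   ALLOW IN    Anywhere                   # Open port for Express API
[ 3] 3000:3100/tcp              ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                LIMIT IN    Anywhere (v6)'

# Print the numbers of all rules whose "To" column is the given port spec
# (e.g. 8080/tcp). IPv4 and IPv6 twins of the same rule are both listed.
# Status text is read from stdin.
ufw_rule_numbers() {
  sed -n "s|^\[ *\([0-9][0-9]*\)] *$1[ (].*|\1|p"
}

# Print the "To" column of rule number $1 (empty if no such rule).
ufw_rule_target() {
  sed -n "s|^\[ *$1] *\([^ ]*\).*|\1|p"
}

# Print `sudo ufw delete N` for rule N unless N is an SSH rule. Returns 1 when
# the rule guards SSH (22/tcp, bare 22 or the OpenSSH app profile) and 2 when
# no rule has that number. Usage against a live firewall:
#   sudo ufw status numbered | ssh_guarded_delete 3 | sh
ssh_guarded_delete() {
  target=$(ufw_rule_target "$1")
  case "$target" in
    "")
      echo "no rule numbered $1" >&2
      return 2 ;;
    22/tcp|22|OpenSSH)
      echo "refusing to delete rule $1 ($target): it keeps SSH open" >&2
      return 1 ;;
  esac
  echo "sudo ufw delete $1"
}
```

Because deleting a rule renumbers the ones after it, re-run ufw status numbered before every delete rather than reusing numbers from an earlier listing.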

