Every internet-exposed server is a target, and sooner or later it will be under fire.
One of the essential tools for protecting a server is a firewall. Firewalls come in several forms: a dedicated hardware appliance in front of the server, or software running on the server itself.
Linux has a well known firewall, iptables, but it can be tricky to set up by hand.
Luckily we can use UFW (Uncomplicated Firewall), a simpler front end that generates the iptables rules for us. If you're curious, check the current iptables configuration before we start, so you can compare it with the result later (add -n if the listing is slow, since without it iptables does reverse DNS lookups on every address):
$ sudo iptables -L
On a fresh install, UFW is disabled by default and has no rules of its own. Before enabling it, add a rule for SSH: UFW's default policy is to deny incoming connections, so enabling it without that rule locks you out of the server.
Allow SSH service:
$ sudo ufw allow ssh
If the server is a web server, HTTP and HTTPS should be opened as well:
$ sudo ufw allow http
$ sudo ufw allow https
Now that SSH, HTTP and HTTPS are allowed we can enable UFW (when run over SSH it asks for confirmation, because the change may disrupt existing SSH connections):
$ sudo ufw enable
To view what is currently enabled, check its status:
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
We now have a simple setup made with UFW, but behind the scenes it has generated a large number of iptables chains and rules (ufw-before-input, ufw-user-input, ufw-after-input and so on), not just the three rules we typed. Running the same command as at the start, we can compare the changes:
$ sudo iptables -L
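The whole procedure above, collected into one script. This is an added example, not code from the original page: it sets the default policies explicitly (deny incoming, allow outgoing, which are UFW's defaults anyway), adds the three rules, and refuses to enable the firewall unless an SSH rule is queued, which it checks with `ufw show added` (this lists the rules added so far even while UFW is still inactive). `ufw --force enable` skips the interactive confirmation that `ufw enable` asks for. The UFW_CMD variable is an assumption of this script, not a UFW feature: it defaults to `sudo ufw`, and setting it to `echo` previews the commands without touching the firewall.

```sh
#!/bin/sh
# Added example (not from the original page): UFW setup for a web server
# with a lockout guard. Run with --run to apply; set UFW_CMD=echo to preview.

# Run a ufw subcommand through the configured command (assumption: UFW_CMD
# is a hypothetical knob of this script; unquoted on purpose so "sudo ufw"
# splits into two words).
ufw_run() {
    ${UFW_CMD:-sudo ufw} "$@"
}

# Queue the rules from the page: default policies, then ssh, http, https.
# Service names are resolved by ufw via /etc/services (ssh -> 22/tcp).
ufw_add_rules() {
    ufw_run default deny incoming
    ufw_run default allow outgoing
    ufw_run allow ssh
    ufw_run allow http
    ufw_run allow https
}

# Read "ufw show added" output on stdin and succeed only if an allow or
# limit rule for SSH is present, whether written as "ssh", "22" or "22/tcp".
# "2222/tcp" or "ufw deny ssh" must not count.
has_ssh_rule() {
    grep -Eq '^ufw (allow|limit) (ssh|22(/tcp)?)( |$)'
}

# Enable the firewall only when an SSH rule is queued; otherwise refuse,
# because the default-deny policy would cut the current SSH session.
ufw_enable_safely() {
    if ufw_run show added | has_ssh_rule; then
        ufw_run --force enable
    else
        echo "refusing to enable ufw: no SSH rule queued, you would be locked out" >&2
        return 1
    fi
}

# Full procedure: add rules, enable with the guard, then print the status.
ufw_setup() {
    ufw_add_rules && ufw_enable_safely && ufw_run status
}

if [ "${1:-}" = "--run" ]; then
    ufw_setup
fi
```

To preview what the script would do without root, run `UFW_CMD=echo sh ufw-setup.sh --run`; the guard then refuses to enable, because `echo show added` naturally lists no rules, which is exactly the behaviour you want on a host where the SSH rule is missing. The regular expression in has_ssh_rule is deliberately conservative: a rule restricted to a source network (`ufw allow from 10.0.0.0/8 to any port 22`) is not recognised and would have to be added to the pattern, which is better than silently accepting a rule that does not cover your session.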