
How to protect your Linux server with a UFW firewall – CloudSavvy IT




UFW, short for "uncomplicated firewall", is a front end for the more complex iptables tool. It is designed to make managing a firewall easy: opening and closing ports, and regulating which traffic is allowed to pass through.

Setting up UFW

UFW is installed by default on Ubuntu, but if it is not, you can install it from apt:

sudo apt-get install ufw

If you run another distro, you will need to use that distro's package manager, but UFW is widely available. You can check the status of the firewall with:

sudo ufw status

This should report "Inactive" if you have not configured it before.

A good place to start with any firewall is to block all incoming traffic and allow outgoing traffic. Do not worry: this will not terminate your SSH session immediately, because the firewall is not active yet.

sudo ufw default deny incoming
sudo ufw default allow outgoing

This gives us a clean slate to work from, adding rules on top.

Opening ports with UFW

Use the ufw allow command to open ports. For example, to open port 22, run:

sudo ufw allow 22

You can also leave a note for your future self when adding any rule:

sudo ufw allow 8080/tcp comment 'Open port for Express API'

Many applications install profiles for UFW; SSH is one of them. So you can also let an application open the ports it needs by entering its name:

sudo ufw allow ssh

You can view a list of available applications with ufw app list, and view details of an application with ufw app info [name].

You can also allow a whole range of ports by using a colon as a separator, and you can specify a protocol. For example, to allow only TCP traffic on ports 3000 to 3100, run:

sudo ufw allow 3000:3100/tcp

Since the default policy denies incoming traffic, you do not need to close ports manually. If you want to block an outgoing port, you must add a direction to ufw reject:

sudo ufw reject out 3001

Whitelisting and rate limiting with UFW

You can give certain IP addresses different permissions. For example, to allow all traffic from your own IP address, run:

sudo ufw allow 192.168.1.1

To whitelist specific ports, you must use the full syntax:

sudo ufw allow proto tcp from 192.168.1.1 to any port 22

You will probably not want to whitelist SSH access this way unless you have a backup connection or some form of port knocking, as IP addresses change quite often. One option, if you want to restrict SSH access to yourself only, is to set up an OpenVPN server in the same private cloud and whitelist access from that server.

If you want to whitelist an entire block of IP addresses, as is the case when running your servers in a virtual private cloud, you can use CIDR subnet notation:

sudo ufw allow 192.168.0.0/24

Subnets are quite complicated, so you can read our guide to working with them to learn more.

Rate limiting is another useful firewall feature that can block connections that are obviously abusive. It is used to protect against an attacker trying to brute-force an open SSH port. You could, of course, whitelist the port to protect it completely, but rate limiting is still useful. By default, UFW's rate limit allows 6 connections per 30 seconds, and it is intended for use with SSH:

sudo ufw limit ssh

Turning on UFW

When you have finished configuring your rules, you can enable UFW. Make sure SSH on port 22 is open, otherwise you will lock yourself out. If you want, you can stop UFW from running at startup so that a reboot would resolve any problems:

sudo systemctl disable ufw

Then you can activate UFW with:

sudo ufw enable
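The three steps above (default policies, allow and limit rules, then enable) fit naturally into one reviewable script. The following is an added example, not code from the original article or from the UFW project: it applies a small rule plan in a fixed order and refuses to run ufw enable unless the plan contains an SSH rule, which is the lockout mistake the text warns about. The plan format, the UFW_CMD hook and the sample rules are assumptions made for this example; the addresses are documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example, not from the original article: apply a small, reviewable UFW
# rule plan in a fixed order (defaults, then rules, then enable) and refuse to
# enable the firewall unless the plan keeps SSH reachable.  UFW_CMD is an
# assumed hook: set it to "echo" to preview the ufw invocations without root.
UFW_CMD="${UFW_CMD:-sudo ufw}"

# One rule per line: "<action>|<ufw arguments>|<comment>".  Constructed sample;
# 192.0.2.10 is a documentation address, not a real host.
RULE_PLAN='limit|ssh|SSH, rate limited - keep this or you lock yourself out
allow|8080/tcp|Open port for Express API
allow|3000:3100/tcp|Dev services, TCP only
allow|proto tcp from 192.0.2.10 to any port 5432|Database from the app server only'

# plan_has_ssh: succeed if an allow/limit rule in the plan opens SSH
# (the "ssh" service name, port 22, or a full-syntax rule ending in "port 22").
plan_has_ssh() {
    printf '%s\n' "$1" | awk -F'|' '
        ($1 == "allow" || $1 == "limit") &&
        ($2 == "ssh" || $2 == "22" || index($2, "22/") == 1 || $2 ~ / port 22$/) { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# apply_plan: emit default policies, then each rule, then enable.
# Returns 1 without touching the firewall if the plan has no SSH rule.
apply_plan() {
    plan="$1"
    if ! plan_has_ssh "$plan"; then
        echo "refusing: plan has no SSH rule, enabling would lock you out" >&2
        return 1
    fi
    $UFW_CMD default deny incoming
    $UFW_CMD default allow outgoing
    printf '%s\n' "$plan" | while IFS='|' read -r action args comment; do
        [ -n "$action" ] || continue
        # $args is deliberately unquoted so "proto tcp from ..." splits into words
        $UFW_CMD "$action" $args comment "$comment"
    done
    # --force skips ufw's interactive "Proceed with operation" prompt
    $UFW_CMD --force enable
}

# Preview without root:  UFW_CMD=echo; apply_plan "$RULE_PLAN"
```

Run it once with UFW_CMD=echo to read the exact ufw invocations, then again without the hook to apply them. Because the SSH check runs before any rule is touched, a plan that forgot SSH fails early and leaves the firewall in its previous state.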

If all goes well, you can run ufw status to display the current state of the firewall. If you are not locked out and the firewall is running, set it to run at startup with:

sudo systemctl enable ufw

Each time you make changes, reload the firewall with:

sudo ufw reload

You can also enable logging to log connections to /var/log/:

sudo ufw logging on
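Once logging is on, the log is where you see the rate limit from the previous section and the default deny policy actually working. The following is an added example, not code from the original article or from the UFW project: it reads UFW's kernel log lines (on Ubuntu they land in /var/log/ufw.log) and summarises, per source address, how many connection attempts to a port were dropped, separating hits from the ufw limit rule from ordinary blocks. The log lines are constructed samples in the kernel's log format, with made-up host and addresses and the MAC field omitted for brevity.

```shell
#!/bin/sh
# Added example, not from the original article: summarise which sources are
# being blocked on a port from UFW's log lines.  The lines below are
# constructed samples in the kernel's log format (host, addresses and packet
# ids are made up; the MAC= field is left out to keep them short).
UFW_LOG_SAMPLE='Mar  3 10:15:01 web1 kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 web1 kernel: [ 1235.567890] [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:03 web1 kernel: [ 1236.567890] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=5555 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:04 web1 kernel: [ 1237.567890] [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:05 web1 kernel: [ 1238.567890] [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=5 DF PROTO=TCP SPT=33000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:06 web1 kernel: [ 1239.567890] [UFW ALLOW] IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=6 DF PROTO=TCP SPT=33001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# count_by_src PREFIX_REGEX PORT: read log lines on stdin and print
# "count source-ip" for every source whose packets to PORT carry a log prefix
# matching PREFIX_REGEX, busiest source first.
count_by_src() {
    awk -v prefix="$1" -v port="$2" '
        $0 ~ prefix {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if (substr($i, 1, 4) == "SRC=") src = substr($i, 5)
                if (substr($i, 1, 4) == "DPT=") dpt = substr($i, 5)
            }
            if (src != "" && dpt == port) count[src]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# blocked_sources PORT: everything dropped on PORT, by the deny policy or the limit rule
blocked_sources() { count_by_src '\\[UFW (LIMIT )?BLOCK\\]' "${1:-22}"; }

# limit_hits PORT: only drops from "ufw limit", i.e. sources that exceeded
# the 6-connections-per-30-seconds threshold; [UFW ALLOW] lines are never counted
limit_hits() { count_by_src '\\[UFW LIMIT BLOCK\\]' "${1:-22}"; }

# Stand-alone run over the constructed sample; on a real host use
# blocked_sources 22 < /var/log/ufw.log
printf '%s\n' "$UFW_LOG_SAMPLE" | blocked_sources 22
```

On the sample this reports 203.0.113.7 three times and 192.0.2.44 once for port 22, and only 203.0.113.7 under limit_hits, which is exactly the picture you want: one source tripped the rate limit, the other was a single attempt stopped by the default deny policy.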

Managing and deleting rules

To delete a rule, you first need its number, which you can find with:

sudo ufw status numbered

Note that the numbers start at 1, not 0. You can delete a rule by number:

sudo ufw delete [number]

Again, make sure you do not delete the rule that keeps port 22 open. You can also use UFW's --dry-run parameter to check what a command will do before applying it.

If you make any changes, you will need to reload the firewall.
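Deleting by number has a catch the text does not spell out: after each delete, UFW renumbers the remaining rules, so deleting rule 2 and then rule 5 hits the wrong rule the second time. The following is an added example, not code from the original article or from the UFW project: it parses the output of ufw status numbered, finds every rule (the IPv4 rule and its "(v6)" twin) whose To column matches a target, prints the delete commands highest number first, and refuses to touch the SSH rule. The status output is a constructed sample in ufw's layout; the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article: turn "sudo ufw status numbered"
# output into a safe list of delete commands.  Highest number first, because
# ufw renumbers the remaining rules after every deletion; SSH is never deleted.
# The status output below is a constructed sample in ufw's real layout.
STATUS_SAMPLE='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 8080/tcp                   ALLOW IN    Anywhere                   # Open port for Express API
[ 3] 3000:3100/tcp              ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
[ 5] 8080/tcp (v6)              ALLOW IN    Anywhere (v6)              # Open port for Express API'

# rule_numbers TARGET: read status output on stdin; print the numbers of rules
# whose "To" column is exactly TARGET (IPv4 rule and its "(v6)" twin), highest first.
rule_numbers() {
    awk -v want="$1" '
        match($0, /^\[ *[0-9]+\]/) {
            num = substr($0, 2, RLENGTH - 2); gsub(/ /, "", num)
            rest = substr($0, RLENGTH + 1); sub(/^[ \t]+/, "", rest)
            split(rest, f, /[ \t]+/)
            if (f[1] == want) print num
        }' | sort -rn
}

# delete_commands TARGET: print the ufw delete commands for TARGET, or fail
# without printing anything if TARGET is the SSH rule or matches no rule.
delete_commands() {
    target="$1"
    case "$target" in
        22|22/tcp|ssh|OpenSSH)
            echo "refusing: $target is the SSH rule that keeps you logged in" >&2
            return 1 ;;
    esac
    nums=$(rule_numbers "$target")
    if [ -z "$nums" ]; then
        echo "no rule matches $target" >&2
        return 1
    fi
    for n in $nums; do
        printf 'sudo ufw delete %s\n' "$n"
    done
}

# Stand-alone run over the constructed sample; on a real host:
#   sudo ufw status numbered | delete_commands 8080/tcp
printf '%s\n' "$STATUS_SAMPLE" | delete_commands 8080/tcp
```

Read the printed commands before running them; ufw still asks you to confirm each deletion interactively, and the firewall needs a reload afterwards as described above.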
