How to set up UFW on an Ubuntu or Debian Cloud Server?
A host firewall is one of the first layers of defence for an internet-facing server: it decides which ports and which source addresses are allowed to reach the services you run. Uncomplicated Firewall (UFW) is the standard front end for this on Ubuntu, where it is installed by default, and it is available as the ufw package on Debian. It manages the underlying iptables/nftables rules through a short, readable command syntax: you set a default policy for incoming and outgoing traffic, then add rules for individual ports, port ranges, protocols and source addresses, and you can list, delete and reset those rules at any time.
This tutorial demonstrates how to set up UFW on an Ubuntu 20.04 or Debian 11 cloud server.
Before you begin, make sure the following prerequisites are met:
An Ubuntu 20.04 or Debian 11 server with a non-root user that has sudo privileges.
A stable internet connection (you will be working over SSH, and a dropped session while the firewall is half configured is the most common way to get locked out).
Step 1: Configure UFW with IPv6
A cloud server usually has both an IPv4 and an IPv6 address, and the firewall has to filter both. UFW generates IPv6 rules only when the IPV6 option in its configuration file, /etc/default/ufw, is set to yes; if it is set to no, every rule you add protects the IPv4 address while the IPv6 address stays completely unfiltered. Open that file in an editor with sudo and check the setting.
Make sure the line reads IPV6=yes, then save the file and exit the editor.
UFW reads this setting when it starts, so if the firewall is already enabled you have to restart it for the change to take effect: disable it first, then enable it again. On a fresh installation UFW is still disabled at this point; in that case skip the restart, because the rules you define next are applied when you enable the firewall in Step 6.
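The Step 1 edit as a small script, added here as an example and not taken from the original tutorial. The configuration path /etc/default/ufw is the real one; the function names are this example's own, and the script assumes it is run with sudo when pointed at the real file. Taking the path as an argument lets you rehearse the edit on a copy first.

```shell
#!/bin/sh
# Added example for Step 1 (not code from the original tutorial): make sure
# UFW filters IPv6 as well as IPv4. UFW only generates IPv6 rules when
# IPV6=yes is set in /etc/default/ufw (the real path); the helper names
# below are this example's own.
set -eu

# Idempotently set IPV6=yes in the given defaults file. The path is an
# argument so the edit can be rehearsed on a copy before touching the real
# file (assumption: the caller can write the file, i.e. run with sudo).
enable_ipv6_in_config() {
    cfg="$1"
    if grep -q '^IPV6=' "$cfg"; then
        sed -i 's/^IPV6=.*/IPV6=yes/' "$cfg"   # rewrite whatever value is there
    else
        printf 'IPV6=yes\n' >> "$cfg"         # no setting at all: append one
    fi
}

# Print the effective IPV6 value from a defaults file: yes, no, or unset.
ipv6_setting() {
    v=$(sed -n 's/^IPV6=//p' "$1" | tail -n 1 | tr -d '"')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

# Apply to the real file when a path is given on the command line:
#   sudo sh ufw-ipv6.sh /etc/default/ufw
# UFW reads the setting only when it starts, so if it is already enabled,
# disable and re-enable it afterwards, as the tutorial does.
if [ "$#" -gt 0 ]; then
    enable_ipv6_in_config "$1"
    printf 'IPV6 is now %s in %s\n' "$(ipv6_setting "$1")" "$1"
    if sudo ufw status | grep -q '^Status: active'; then
        sudo ufw disable
        sudo ufw --force enable   # --force answers the ssh-disruption prompt
    fi
fi
```

Run it without arguments and nothing is changed; run it against a scratch copy of the file to see the edit before using it on /etc/default/ufw.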
Step 2: Define UFW default rules
Setting the default policies before adding any individual rule gives you a known baseline. With the defaults below, nothing from outside can reach the server unless a later rule explicitly allows it, while processes on the server can still open outgoing connections (package updates, DNS lookups and so on). In short: deny incoming, allow outgoing.
To deny all incoming connections by default, use the following command:
To allow all outgoing connections by default, use the following command:
Step 3: Open the Firewall to Connections
Once UFW is enabled with the defaults above, every incoming connection is blocked, including SSH. If you administer the server over SSH, you therefore have to allow SSH before enabling the firewall, or you will lock yourself out of the server. Add that rule first.
UFW accepts a service name from /etc/services, such as ssh, in place of a port number, so the rule can name the service or name port 22/tcp explicitly.
You can either allow incoming connections to port 22/tcp or name the ssh service (as in the previous example); both produce the same rule.
If you add this rule after you have already allowed ssh, UFW reports that the rule already exists, because the service name resolves to the same port and protocol:
If your SSH daemon listens on a custom port, for example 2222, use the same syntax with that port number instead of 22.
Note: a bare port number with no protocol creates a rule for both TCP and UDP; append /tcp or /udp when the service uses only one of them.
a. Allow web server traffic
SSH only gives you administrative access. If the server also hosts a website, the web server process needs its own rules, because the deny-incoming default blocks its listening ports as well.
For HTTP, allow connections to port 80. This is needed when a web server such as Apache or Nginx listens for HTTP requests; if it also serves HTTPS, allow port 443 in the same way.
b. Set Up Port Ranges
UFW can allow or deny a whole range of ports in one rule. Give the low end and the high end of the range separated by a colon (:).
Note: for a range the protocol (tcp or udp) is mandatory; UFW rejects a port range without it.
The following commands open ports 3000 through 4005 for TCP and for UDP respectively.
c. Set up IP Addresses
You can also allow every connection from a particular source address, for instance 192.168.0.170 or 172.16.254.10, regardless of port. Substitute the address you want to trust. Reserve such a rule for addresses you control: UFW matches only on the source IP and cannot verify who is behind it.
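The default policies of Step 2, the allow rules of Step 3 and the final enable of Step 6 as one script, added here as an example and not taken from the original tutorial. The ufw commands and flags are the real ones; the SSH_PORT variable, the 443 rule and the TRUSTED_IP default are this example's assumptions. With DRY_RUN=1 (the default) the script only prints the commands it would run, so you can review the plan before running it with DRY_RUN=0 on the server.

```shell
#!/bin/sh
# Added example for Steps 2, 3 and 6 (not code from the original tutorial):
# the default policies, the allow rules and the final enable as one script
# that is safe to rerun. DRY_RUN=1 (the default) prints the ufw commands
# instead of executing them; run with DRY_RUN=0 on the server to apply.
# SSH_PORT, the 443 rule and TRUSTED_IP are this example's assumptions.
set -eu

DRY_RUN="${DRY_RUN:-1}"
SSH_PORT="${SSH_PORT:-22}"                   # set to 2222 if sshd listens there
TRUSTED_IP="${TRUSTED_IP:-192.168.0.170}"    # address used in the tutorial text

# Print the command in dry-run mode, otherwise run it with sudo.
ufw_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'ufw %s\n' "$*"
    else
        sudo ufw "$@"
    fi
}

# Step 2: deny everything inbound, allow everything outbound.
set_default_policy() {
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing
}

# Step 3: open only what the server needs. SSH comes first, so the enable
# at the end can never lock out the session this is run from.
open_services() {
    ufw_cmd allow "${SSH_PORT}/tcp"     # port/protocol: a bare number would open udp too
    ufw_cmd allow 80/tcp                # HTTP for Apache or Nginx
    ufw_cmd allow 443/tcp               # HTTPS (assumption: the site serves TLS)
    ufw_cmd allow 3000:4005/tcp         # port range: the protocol is mandatory here
    ufw_cmd allow 3000:4005/udp
    ufw_cmd allow from "$TRUSTED_IP"    # any port, from one trusted source address
}

# Step 6: enable without the interactive prompt and show the result.
# --force answers the "may disrupt existing ssh connections" question, which
# is only safe because the SSH rule above is already in place.
enable_firewall() {
    ufw_cmd --force enable
    ufw_cmd status verbose
}

# The full sequence; in dry-run mode this prints the ten commands.
plan() {
    set_default_policy
    open_services
    enable_firewall
}

plan
```

Running `DRY_RUN=0 SSH_PORT=2222 sh ufw-rules.sh` applies the same plan for a server whose SSH daemon listens on port 2222. Because UFW skips rules that already exist, running the script a second time changes nothing.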
Step 4: Denying connections to specific ports
Denying a port explicitly is useful when you need to close a port quickly, for example one that a broader rule (such as an allow-from-address rule) would otherwise leave reachable. Keep in mind that UFW evaluates rules in order and the first match wins, so a deny rule added after an allow rule for the same port has no effect until the allow rule is removed or the deny rule is inserted ahead of it. Use the following command to deny access to a port.
Step 5: Delete rules
To remove a rule, use the delete command followed by the rule exactly as you added it.
If there are many rules, it is easier to list them with their numbers first; the numbered status shows every rule that is currently in place, with IPv6 rules marked (v6).
Then delete the rule by its number.
The output displays the deletion of rule number 23 (UFW asks for confirmation before deleting). Note that the remaining rules are renumbered after each deletion, so list the rules again before deleting another one by number.
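Steps 4 and 5 combined, added here as an example and not taken from the original tutorial: deny a port, then delete every rule for a given port by number without falling into the renumbering trap. The script parses the output of ufw status numbered and deletes the highest-numbered match first, so the numbers of the remaining matches stay valid. The sample status text is constructed for the dry run, not captured from a real server; port 8080 and the helper names are this example's own. As in the previous example, DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example for Steps 4 and 5 (not code from the original tutorial):
# deny a port, then delete rules by number without hitting the renumbering
# trap. After "ufw delete N" the remaining rules are renumbered, so deleting
# several matches in ascending order removes the wrong ones; this deletes
# the highest number first. DRY_RUN=1 (the default) prints the ufw commands.
set -eu
DRY_RUN="${DRY_RUN:-1}"

ufw_cmd() {
    if [ "$DRY_RUN" = "1" ]; then printf 'ufw %s\n' "$*"; else sudo ufw "$@"; fi
}

# Step 4: refuse connections to a port. Port/protocol form; a bare number
# would cover tcp and udp.
deny_port() {
    ufw_cmd deny "$1"
}

# Parse "ufw status numbered" from stdin and print the numbers of every rule
# whose "To" column equals $1, highest first. IPv6 rules carry a "(v6)"
# suffix after the port on the same line, so they match as well.
rule_numbers() {
    awk -v t="$1" '
        /^\[ *[0-9]+\]/ {
            n = $0;    sub(/^\[ */, "", n);          sub(/\].*/, "", n)
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
            split(rest, f, " ")
            if (f[1] == t) print n
        }' | sort -rn
}

# Step 5: delete every rule for a given "To" value, reading the numbered
# status from stdin, e.g.  sudo ufw status numbered | delete_rules 8080/tcp
delete_rules() {
    for n in $(rule_numbers "$1"); do
        ufw_cmd --force delete "$n"      # --force skips the y/n confirmation
    done
}

# Constructed sample of "ufw status numbered" for the dry run below (not
# captured from a real server).
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 3000:4005/tcp              ALLOW IN    Anywhere
[ 4] 8080/tcp                   DENY IN     Anywhere
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 8080/tcp (v6)              DENY IN     Anywhere (v6)'

deny_port 8080/tcp
printf '%s\n' "$SAMPLE_STATUS" | delete_rules 8080/tcp
```

On the server, replace the sample with the live status: `sudo ufw status numbered | DRY_RUN=0 sh -c '. ./ufw-delete.sh; delete_rules 8080/tcp'`, or simply source the file and call delete_rules. Deleting by the rule text instead of by number avoids the renumbering problem entirely, but only when you know the exact form in which the rule was added.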
Step 6: Enable UFW
Now that all the rules are in place, enable UFW so that they take effect. When run from an SSH session, UFW warns that the command may disrupt existing SSH connections and asks for confirmation; answering y is safe here because the SSH rule was added in Step 3.
Verify the result by checking the status, which lists every active rule together with the default policies.
Should you need to turn the firewall off, for instance while debugging a connectivity problem, run this command. The rules are kept and come back into force the next time you enable UFW.
Step 7: Restoring default server rules
To discard all rules and return to the installation defaults, run the reset command and press y when prompted. Reset also disables the firewall, so after adding rules again you have to enable it once more.
In this tutorial we have set up Uncomplicated Firewall on a cloud server: IPv6 support, a deny-incoming default policy, allow rules for SSH, the web server, port ranges and trusted addresses, and the commands to deny, delete, enable, disable and reset rules. The result is a firewall that filters IPv4 as well as IPv6 traffic and exposes only the services you chose to open. The commands are short and readable, and the same syntax extends to any other service your server runs.