
Locking down an Ubuntu Web Server with UFW

The Internet is full of attackers looking to break into an unprotected server and use it for their own ends. Updating the server automatically is a good start, but adding a firewall will protect your server from a range of further problems.

One way to secure a web server is to use UFW, the Uncomplicated Firewall. As Wikipedia describes it, UFW is a simple and easy-to-use firewall front end that configures iptables for you.

Installation

UFW should be installed by default, but just in case, run the following to ensure that it is:

sudo apt-get install ufw

Once that is done, run sudo ufw status to confirm that it is installed. Since the firewall has not been enabled yet, you should get the output

Status: inactive

Now run the command sudo nano /etc/default/ufw. This will open the configuration file in the nano editor. Look for the line

IPV6=yes

If it is set to no, change it to yes. This enables UFW for IPv6 as well as IPv4.

Firewall Configuration
UFW has some default rules built in to make life a little easier. These rules deny all incoming connections and allow all outgoing connections. What this means is that nobody can connect to your server, but software installed on your server can connect out to the world.

sudo ufw default deny incoming

sudo ufw default allow outgoing

Now the server is totally secure since nobody can connect, but it's not very useful.
So, to allow us to connect to the server via SSH for administration purposes, run the command

sudo ufw allow ssh

This allows connections to SSH on its standard port of 22. However, if you have moved SSH to a different port, then to allow SSH to connect, run the command

sudo ufw allow XXXX/tcp

where XXXX is the port number. Add this rule before enabling the firewall; otherwise the default deny-incoming rule will cut off your own SSH session.

Now, since we are securing a web server, the firewall also needs to allow browsers to connect to the web server. To allow web connections, run the commands

sudo ufw allow 80/tcp (for regular web traffic)

sudo ufw allow 443/tcp (for encrypted web traffic/SSL)

Now, to enable the new firewall rules, run the command

sudo ufw enable

Checking that the firewall is active

You can then check if the rules are active by running

sudo ufw status

or if you want even more details

sudo ufw status verbose
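The whole procedure above, collected into one script as an added example (not part of the original post): the SSH port is a parameter so the "moved SSH to a different port" case is handled, the port is validated, the SSH rule is always added before ufw enable, and DRY_RUN=1 prints the commands instead of running them so you can review the ruleset first. The function and variable names are my own; it assumes ufw is installed and that it is run with root privileges when DRY_RUN is unset.

```shell
#!/bin/sh
# Apply the page's UFW ruleset for a web server non-interactively.
# DRY_RUN=1 prints each ufw command instead of executing it.

# run_or_echo: execute a command, or print it when DRY_RUN=1.
run_or_echo() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_port: return 0 if $1 is an integer in 1..65535, else 1.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# apply_web_ruleset [SSH_PORT]: emit the rules in the safe order:
# defaults first, then SSH (so the admin session is not cut off),
# then HTTP/HTTPS, and only then enable the firewall. Defaults to port 22.
apply_web_ruleset() {
    ssh_port="${1:-22}"
    if ! valid_port "$ssh_port"; then
        echo "invalid SSH port: $ssh_port" >&2
        return 1
    fi
    run_or_echo ufw default deny incoming
    run_or_echo ufw default allow outgoing
    if [ "$ssh_port" = "22" ]; then
        run_or_echo ufw allow ssh
    else
        run_or_echo ufw allow "${ssh_port}/tcp"
    fi
    run_or_echo ufw allow 80/tcp
    run_or_echo ufw allow 443/tcp
    # --force skips the "may disrupt existing ssh connections" prompt;
    # that is safe only because SSH was already allowed above.
    run_or_echo ufw --force enable
    run_or_echo ufw status verbose
}
```

Run it as DRY_RUN=1 sh script.sh first to review the commands, then as sudo sh script.sh 2222 (or with no argument for port 22) to apply them.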