After simplifying and hardening the login process to your VPS, the next step is to enable defensive software that keeps unwanted guests outside. This is the job of a working firewall. In the past this often meant complicated processes, tools and hard-to-read firewall rules. Linux firewalls are built on iptables, which is common these days but still takes a decent effort to understand. Firewall rules are something you don't want to guess at.


The "Uncomplicated Firewall", or UFW, is an extra layer on top of iptables. Its main goal is to make managing your firewall damn-easy through a simple interface. It's well supported and popular in the Linux community, and even installed by default in a lot of distros.


Before we can start configuring UFW, we must check whether UFW is installed on your system.

$ sudo ufw status
Status: inactive

If you did not get the same response as I did, UFW is not installed. Installing it is very simple:

$ sudo aptitude install ufw

Setting up UFW

The first thing to do is set the default rule to deny all incoming connections.

$ sudo ufw default deny incoming

Doing this means nobody trying to reach your VPS can connect on any port, while any application on the server can still reach the outside world. You could also deny all outgoing requests, but the need for that is debatable.

The syntax to allow a port is simple. If we turned on the firewall now, it would deny all incoming connections. If you're connected to your VPS over SSH, that would be a huge problem: you would lock yourself out. It's therefore important to allow SSH connections to the VPS before enabling the firewall:

$ sudo ufw allow ssh

As you can see, the syntax for adding services is simple. UFW ships with service names for common use-cases, and "ssh" is basically just a shorthand for:

$ sudo ufw allow 22/tcp

The other connections we need for a web server to work as designed are the HTTP and HTTPS ports:

$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp

To enable logging of blocked and allowed packets, we set:

$ sudo ufw logging on

Enable UFW

The basic configuration is set and we can enable UFW. Enabling it prints a warning that it could disrupt existing SSH connections. Because the SSH port is already allowed in the UFW config, it is safe to confirm.

$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

After enabling we can review the firewall rules:

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)

At this point we've got our basic firewall in place. The rules allow SSH, HTTP and HTTPS traffic; all other inbound ports are blocked, which is all a basic web server needs.
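The steps above, collected into one script, as an added example that is not part of the original post. It assumes ufw is installed and that sudo works non-interactively; the UFW and SSH_PORT variables, the function names and the "ufw --force enable" call (the real ufw flag that skips the "may disrupt existing ssh connections" prompt) are my choices. The script first writes out the plan, refuses to enable the firewall unless the SSH port is in that plan, and afterwards checks a "ufw status" listing for every expected port, so a typo in the allow rules cannot lock you out silently.

```shell
#!/bin/sh
# Added example: reproduce the UFW setup from the post as a re-runnable script.
# UFW     - command prefix used for every firewall call (override for testing).
# SSH_PORT - the port sshd listens on; change it if you moved SSH off port 22.
UFW="${UFW:-sudo ufw}"
SSH_PORT="${SSH_PORT:-22}"

# Print the ufw sub-commands in the order they must be applied, one per line.
# Keeping the plan separate from applying it lets you review it first.
ufw_plan() {
  echo "default deny incoming"
  echo "default allow outgoing"
  echo "allow ${SSH_PORT}/tcp"
  echo "allow 80/tcp"
  echo "allow 443/tcp"
  echo "logging on"
}

# Guard: only proceed when the plan contains an allow rule for the SSH port.
check_ssh_allowed() {
  ufw_plan | grep -q "^allow ${SSH_PORT}/tcp\$"
}

# Apply every line of the plan, then enable the firewall without the prompt.
# Returns 1 (and enables nothing) if the SSH guard fails or any rule fails.
ufw_apply() {
  check_ssh_allowed || { echo "refusing: SSH port ${SSH_PORT} not allowed" >&2; return 1; }
  ufw_plan | while read -r line; do
    # shellcheck disable=SC2086  # word splitting of $UFW and $line is intended
    $UFW $line || exit 1
  done || return 1
  $UFW --force enable
}

# Read a "ufw status" listing on stdin and verify it is active and that every
# port in the plan has an ALLOW rule from Anywhere. Returns 1 on any gap.
verify_status() {
  status="$(cat)"
  printf '%s\n' "$status" | grep -q '^Status: active' || return 1
  for port in "$SSH_PORT" 80 443; do
    printf '%s\n' "$status" | grep -Eq "^${port}(/tcp)? +ALLOW +Anywhere" || return 1
  done
}

# Typical use on the VPS (uncomment to run for real):
# ufw_apply && $UFW status | verify_status && echo "firewall up, required ports open"
```

Run it once to apply the rules; running it again is harmless because ufw deduplicates identical rules. To dry-run, set UFW=echo and the script prints the commands it would execute instead of changing anything.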
