After simplifying and hardening the login process to your VPS, the next step is to enable defensive software that keeps unwanted guests out. This is done with a functional firewall. In the past this often meant complicated processes, tools and hard-to-read firewall rules. Firewalls on Linux are usually based on iptables. These are common these days, but require a decent effort to understand. Firewall rules are not something you want to guess at.
The "Uncomplicated Firewall", or UFW, is a frontend to iptables. Its main goal is to make managing your firewall damn easy via a simple interface. It's well supported and popular in the Linux community, and is even installed by default in a lot of distros.
Before we can start configuring UFW, we must check if UFW is installed on your system.
$ sudo ufw status
Status: inactive
If you didn't get the same response as I did, UFW is not installed. Installing it is very simple:
$ sudo aptitude install ufw
Setting up UFW
The first thing to do is to set the default policy to deny all incoming connections.
$ sudo ufw default deny incoming
Doing this means anyone trying to reach your VPS will not be able to connect on any port, while any application on the server can still reach the outside world. You could also deny all outgoing requests, but whether that is needed is debatable.
The syntax to open a port is simple. If we turned on the firewall now, it would deny all incoming connections. If you're connected to your VPS over SSH, that would be a huge problem because you would be locked out. It's therefore important to allow SSH connections to the VPS before enabling the firewall:
$ sudo ufw allow ssh
As you can see, the syntax for adding services is simple. UFW comes with defaults for common use-cases; the command above is basically just a shorthand for:
$ sudo ufw allow 22/tcp
Other connections we need so everything works as designed are the HTTP and HTTPS ports:
$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp
To enable logging we set:
$ sudo ufw logging on
The basic configuration is in place and we can enable UFW. Enabling UFW gives a warning that it could disrupt existing SSH connections. As long as the SSH port is allowed in the UFW configuration, there is no issue.
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
After enabling we can review the firewall rules:
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
At this point we've got our basic firewall in place. The rules allow SSH, HTTP and HTTPS traffic; all other ports are blocked, because a basic webserver doesn't need anything else.
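As an added example (not part of the original article), here is the same setup wrapped in a small script with a lock-out guard: it reads the port sshd actually listens on from sshd_config, since the earlier login hardening may have moved it off 22, and only runs "ufw enable" once an allow rule for that port is present. The /etc/ssh/sshd_config path, the DRY_RUN switch and the assumed "ufw show added" output format ("ufw allow 22/tcp" lines) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original article: a lock-out guard around the
# UFW setup described above. The SSH port is read from sshd_config (it may not
# be 22 any more after the earlier login hardening) and "ufw enable" only runs
# once an allow rule for that port is present. The sshd_config path, the
# DRY_RUN switch and the "ufw show added" output format are assumptions.

# Read "Port N" from an sshd_config body on stdin; OpenSSH defaults to 22.
ssh_port_from_config() {
    awk 'tolower($1) == "port" { p = $2 } END { print (p == "" ? "22" : p) }'
}

# Read "ufw show added" output on stdin; exit 0 if an allow rule for the
# given port (bare or /tcp) is present, 1 otherwise.
ssh_rule_present() {
    awk -v want="$1" '
        $1 == "ufw" && $2 == "allow" && ($3 == want || $3 == (want "/tcp")) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# The rule set the article builds, with the SSH port taken from sshd_config.
baseline_rules() {
    printf 'ufw default deny incoming\nufw allow %s/tcp\n' "$1"
    printf 'ufw allow 80/tcp\nufw allow 443/tcp\nufw logging on\n'
}

# With DRY_RUN set, print commands instead of running them (no root needed).
run() { if [ -n "$DRY_RUN" ]; then echo "+ $*"; else sudo "$@"; fi; }

# Apply the baseline, then enable only if the SSH rule really made it in.
setup_firewall() {
    cfg="${1:-/etc/ssh/sshd_config}"
    port=$(ssh_port_from_config < "$cfg")
    baseline_rules "$port" | while read -r line; do run $line; done
    if [ -n "$DRY_RUN" ]; then added=$(baseline_rules "$port")
    else added=$(sudo ufw show added); fi
    if printf '%s\n' "$added" | ssh_rule_present "$port"; then
        run ufw enable
    else
        echo "refusing to enable UFW: no allow rule for sshd port $port" >&2
        return 1
    fi
}
```

Run with DRY_RUN=1 first to see the exact command sequence for your sshd port before letting it touch the live firewall.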
More UFW options & detailed information can be found here: https://help.ubuntu.com/14.04/serverguide/firewall.html