Security is crucial when you run your own virtual private server (VPS). As a bare minimum, you want to be sure that only authorized users can reach your server, its applications, configuration, and services. This protects you not only from direct hacking attempts but also from exposing vulnerable applications to the network.
On Ubuntu, a firewall called Uncomplicated Firewall (UFW) comes pre-installed on your server. As its name suggests, UFW is a fairly basic firewall that safeguards your server against the most common attacks aimed at server ports and common services. It is easy to use and excels at filtering server traffic.
However, some basic Linux knowledge may be required to configure uncomplicated firewall (UFW) on your server. This guide takes a deep look at how to open ports on your Ubuntu 20.04 server instance deployed at Vultr.
Deploy an Ubuntu 20.04 server on Vultr.
A valid sudo user account (root privileges).
Pre-installed services such as a web server, database, or storage application.
By default, UFW is installed but disabled on Ubuntu 20.04, and you need to enable it before opening any ports on your server. If it is missing, you can install UFW manually by running the following command.
$ sudo apt-get install ufw
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)?
Enter y to proceed. UFW confirms that it is now active:
Firewall is active and enabled on system startup
Please note that your current SSH session will not be terminated automatically unless it is left idle for five or more minutes. If you do not allow SSH connections, you will not be able to log in to your server.
You can open specific ports in UFW to allow specific services to be reached on your server. There are two forms: the simple syntax, where you specify just the port number, and the full syntax, where you specify both the port number and the protocol.
You can allow connections through any port on your server using either of the following formats:
$ sudo ufw allow <port>
$ sudo ufw allow <port>/<protocol>
Assuming you are running a web server, you obviously want the world to access and interact with your website. Web server applications use port 80 for regular website traffic (HTTP) and port 443 for secure connections (HTTPS). This means you must open ports 80 and 443 to allow web connections to your server.
$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp
Furthermore, to allow FTP connections, open ports 21 and 20, which the File Transfer Protocol uses.
$ sudo ufw allow 21/tcp
$ sudo ufw allow 20/tcp
To allow SSH connections to your server, open port 22.
$ sudo ufw allow 22/tcp
Alternatively, you can allow connections by using the service name if you are unsure of its port number. For example, to allow MySQL:
$ sudo ufw allow mysql
You can also add comments to your firewall rules to document an entry, using the comment parameter. Put the comment text in single quotes so the shell passes it through unchanged:
$ sudo ufw reject telnet comment 'telnet is insecure and unencrypted, simply unsafe to use.'
To specify the direction of traffic, use the in and out parameters. For example:
$ sudo ufw allow in ftp
$ sudo ufw allow out smtp
Just as it is important to open ports and allow connections to your server, denying connections is equally important. If you need to deny access to a certain port, use the deny command, optionally with the protocol.
$ sudo ufw deny <port>/<optional: protocol>
For example, to deny access to the default MySQL port:
$ sudo ufw deny 3306
The above command blocks all connections to MySQL through that port; the database server will not receive incoming connections unless you assign it a new custom port or allow the port again. For easier use, you can apply the simplified syntax to the most common service ports by listing the service name.
$ sudo ufw deny mysql
Rule updated
Rule updated (v6)
It is highly recommended to restrict access to your SSH port (22) from anywhere except your trusted IP addresses (example: office or home).
Typically, you would need to allow access only to publicly open ports such as port 80, which allows connections to your website. Access to all other ports needs to be restricted or limited. For example, you can choose to allow only your home or office public IP address (assigned by the service provider) to be able to access your server through SSH and download/upload files via FTP.
Allow an IP address to access port 22:
$ sudo ufw allow from 192.168.0.1 to any port 22
To also allow the same IP address to access databases through the MySQL server port:
$ sudo ufw allow from 192.168.0.1 to any port 3306
Only the allowed IP addresses will be able to connect through the specified ports.
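The two points above, allowing SSH for your trusted address before a default-deny policy goes live and restricting administrative ports to that address, are easy to script so that they are applied in the right order every time. The following shell script is an added example and is not part of this guide or of UFW itself. The trusted address 203.0.113.10/32 is a documentation-range placeholder standing in for your real public IP, and the choice of TCP 80 and 443 as the only public services, the comment texts, and the function names are assumptions. The script validates the address, prints the ordered ufw commands as a plan, and executes them only when explicitly asked to and only as root.

```shell
#!/bin/sh
# Added example, not from the Vultr guide: build an ordered UFW baseline that
# admits SSH from a trusted address before the firewall is enabled, so that a
# default-deny policy cannot lock the administrator out.
# Assumptions: the trusted address passed in (203.0.113.10/32 is a
# documentation-range placeholder) and TCP 80/443 as the only public services.

# valid_cidr ADDR[/PREFIX]: accept a dotted IPv4 address with an optional
# prefix length of 0-32; reject anything else before it reaches ufw.
valid_cidr() {
    case "$1" in
        */*) addr=${1%%/*}; prefix=${1#*/} ;;
        *)   addr=$1;       prefix=32 ;;      # no "/" given: a host address
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
    old_ifs=$IFS
    IFS=.
    set -- $addr                                     # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ufw_baseline_rules TRUSTED: print the ufw commands in the order they must
# run. The SSH allow for TRUSTED precedes 'ufw enable'; every other inbound
# port is closed by the default policy.
ufw_baseline_rules() {
    valid_cidr "$1" || { echo "invalid trusted address: $1" >&2; return 1; }
    cat <<EOF
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw allow from $1 to any port 22 proto tcp comment 'SSH from trusted address'
ufw allow 80/tcp comment 'HTTP'
ufw allow 443/tcp comment 'HTTPS'
ufw --force enable
EOF
}

# ufw_apply_baseline TRUSTED [plan|apply]: print the plan (default), or run it
# as root through 'sh -ex' so the first failing command stops the rollout.
ufw_apply_baseline() {
    plan=$(ufw_baseline_rules "$1") || return 1
    if [ "${2:-plan}" = "apply" ]; then
        [ "$(id -u)" -eq 0 ] || { echo "apply mode must run as root" >&2; return 1; }
        printf '%s\n' "$plan" | sh -ex
    else
        printf '%s\n' "$plan"
    fi
}

# Usage: ./ufw-baseline.sh 203.0.113.10/32          (print the plan only)
#        sudo ./ufw-baseline.sh 203.0.113.10/32 apply
if [ $# -gt 0 ]; then
    ufw_apply_baseline "$@"
fi
```

Note that the plan starts with ufw --force reset, which discards every existing rule; review the printed plan before running it in apply mode on a server that already has rules you want to keep.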
Now that you have enabled UFW and set some rules, check the current rule table and firewall status.
$ sudo ufw status
Your output should be like the one below:
user@example:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Apache                     DENY        Anywhere
80                         DENY        Anywhere
22                         ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
For a more detailed output, use the verbose parameter.
$ sudo ufw status verbose
Your output will be like:
user@example:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp (Apache)            DENY IN     Anywhere
80                         DENY IN     Anywhere
22                         ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
21                         ALLOW IN    Anywhere                   # FTP Connections
3306/tcp                   ALLOW IN    Anywhere
21/tcp                     ALLOW IN    Anywhere
To manage your UFW rules, you need to list them. You can do that by checking the UFW status with the numbered parameter, which lets you select a rule by its entry number.
$ sudo ufw status numbered
Your output should be like the one below.
user@example:~$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Apache                     DENY IN     Anywhere
[ 2] 80                         DENY IN     Anywhere
[ 3] 22                         ALLOW IN    Anywhere
[ 4] 80/tcp                     ALLOW IN    Anywhere
[ 5] 21                         ALLOW IN    Anywhere                   # FTP Connections
[ 6] 3306/tcp                   ALLOW IN    Anywhere
[ 7] 21/tcp                     ALLOW IN    Anywhere
[ 8] 25/tcp                     ALLOW OUT   Anywhere (out)
Notice the numbers in square brackets. To remove a rule you don't want in your firewall list, use the number associated with that rule.
$ sudo ufw delete <number>
For example, let's remove the port 21 rule.
user@example:~$ sudo ufw delete 5
Deleting:
 allow 21 comment 'FTP Connections'
Proceed with operation (y|n)?
Changes will automatically take effect.
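Because UFW renumbers the remaining rules after every deletion, deleting several rules by number in ascending order removes the wrong ones from the second deletion onward. The following shell functions are an added example, not part of this guide or of UFW: they pick the rule numbers matching a port out of the numbered status listing and emit the deletions highest number first. The status text embedded below is constructed to mirror the listing above; on a live server you would pipe the output of sudo ufw status numbered into the same functions. The function names and the use of ufw --force to skip the confirmation prompt are assumptions.

```shell
#!/bin/sh
# Added example, not from the Vultr guide: delete every rule for a port by
# number, highest number first, because UFW renumbers rules after each delete.

# Constructed 'ufw status numbered' output used for demonstration.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Apache                     DENY IN     Anywhere
[ 2] 80                         DENY IN     Anywhere
[ 3] 22                         ALLOW IN    Anywhere
[ 4] 80/tcp                     ALLOW IN    Anywhere
[ 5] 21                         ALLOW IN    Anywhere                   # FTP Connections
[ 6] 3306/tcp                   ALLOW IN    Anywhere
[ 7] 21/tcp                     ALLOW IN    Anywhere
[ 8] 25/tcp                     ALLOW OUT   Anywhere (out)'

# rule_numbers_for_port PORT: read numbered status on stdin and print the
# numbers of rules whose "To" column is PORT or PORT/<proto>, highest first.
rule_numbers_for_port() {
    awk -v p="$1" '
        /^\[/ {
            # "[ 5]" splits into two fields, so extract the index from the
            # bracket and strip it before reading the To column.
            match($0, /^\[ *[0-9]+\]/)
            num = substr($0, RSTART + 1, RLENGTH - 2) + 0
            line = $0
            sub(/^\[ *[0-9]+\] */, "", line)
            split(line, f, / +/)
            to = f[1]
            if (to == p || to ~ ("^" p "/")) print num
        }
    ' | sort -rn
}

# ufw_delete_plan PORT: read numbered status on stdin and print one
# 'ufw --force delete N' command per matching rule, in safe order.
ufw_delete_plan() {
    rule_numbers_for_port "$1" | while read -r n; do
        echo "ufw --force delete $n"
    done
}

# Usage on a live server (review the plan first, then run it as root):
#   sudo ufw status numbered | ufw_delete_plan 21
#   sudo ufw status numbered | ufw_delete_plan 21 | sudo sh -ex
# Demonstration against the constructed listing:
printf '%s\n' "$SAMPLE_STATUS" | ufw_delete_plan 21
```

For port 21 the plan deletes rule 7 before rule 5; had it started with 5, the old rule 7 (21/tcp) would have become rule 6 and the second deletion would have removed the MySQL rule instead.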
By default, the UFW logging level is set to low. Several logging levels are supported, and you can choose the one that matches the firewall logs you wish to keep.
off disables UFW logging.
low logs blocked packets that do not match the default policy (with rate limiting), plus packets matching rules that have logging enabled.
medium logs everything at the low level, plus allowed packets that do not match the default policy, invalid packets, and all new connections to your server, all with rate limiting.
high logs everything at the medium level without rate limiting, plus all other packets with rate limiting.
full logs everything at the high level, without any rate limiting.
To set your UFW logging level, use the command below, replacing LEVEL with one of the values above.
$ sudo ufw logging LEVEL
For example, to set the level to medium:
$ sudo ufw logging medium
To enable logging for a specific firewall rule, such as SSH, add the log keyword to the rule.
$ sudo ufw allow log 22/tcp
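Once logging is on, UFW writes kernel log lines tagged [UFW BLOCK] or [UFW ALLOW] with the packet fields as KEY=VALUE pairs (on Ubuntu they land in /var/log/ufw.log and the kernel log). The following shell functions are an added example, not part of this guide or of UFW, that summarise blocked connections per source, protocol and destination port and flag sources that exceed a threshold, which is the quickest way to see whether a closed port is being probed. The log lines embedded below are constructed for the demonstration, using documentation-range addresses; the function names and the threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the Vultr guide: summarise [UFW BLOCK] log entries
# so that repeated blocked connections to one port from one source stand out.
# On a live server: sudo cat /var/log/ufw.log | ufw_blocked_summary

# Constructed sample log lines in UFW's kernel-log format (documentation-range
# addresses; not real traffic).
SAMPLE_UFW_LOG='Jan 10 08:15:01 vps kernel: [ 3410.112] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=198.51.100.7 DST=203.0.113.2 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=1 PROTO=TCP SPT=44112 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 08:15:02 vps kernel: [ 3411.001] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=198.51.100.7 DST=203.0.113.2 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=2 PROTO=TCP SPT=44113 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 08:15:03 vps kernel: [ 3412.330] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=198.51.100.7 DST=203.0.113.2 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=3 PROTO=TCP SPT=44114 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 08:15:04 vps kernel: [ 3413.010] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=198.51.100.7 DST=203.0.113.2 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=4 PROTO=TCP SPT=44115 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 08:15:05 vps kernel: [ 3414.500] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=192.0.2.55 DST=203.0.113.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=5 PROTO=TCP SPT=50001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 08:15:06 vps kernel: [ 3415.250] [UFW ALLOW] IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=192.0.2.55 DST=203.0.113.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=6 PROTO=TCP SPT=50002 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 08:15:07 vps kernel: [ 3416.700] [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:01 SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=244 ID=7 PROTO=UDP SPT=9 DPT=161 LEN=40'

# ufw_blocked_summary: read log lines on stdin; print "count src proto dport"
# for every [UFW BLOCK] combination, most frequent first.
ufw_blocked_summary() {
    awk '
        /\[UFW BLOCK\]/ {
            src = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# ufw_blocked_sources_over THRESHOLD: read log lines on stdin; print the
# source addresses with more than THRESHOLD blocked packets in total, busiest
# first. Useful as a quick "who is scanning me" list.
ufw_blocked_sources_over() {
    awk -v t="$1" '
        /\[UFW BLOCK\]/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
        }
        END { for (s in n) if (n[s] > t) print n[s], s }
    ' | sort -rn | awk '{ print $2 }'
}

# Demonstration against the constructed log.
printf '%s\n' "$SAMPLE_UFW_LOG" | ufw_blocked_summary
printf '%s\n' "$SAMPLE_UFW_LOG" | ufw_blocked_sources_over 2
```

Allowed packets are deliberately ignored here; with logging at medium or above the [UFW ALLOW] lines would otherwise dominate the count on a busy web server.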
If you use IPv6 on your server, you need to ensure that IPv6 support is enabled in the Uncomplicated Firewall (UFW). To do so, open the ufw configuration file in a text editor.
$ sudo vim /etc/default/ufw
Locate the IPV6 line and make sure it reads IPV6=yes.
Save and close the file.
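The manual edit above is easy to get wrong on a fleet of servers, so the following shell functions, an added example that is not part of this guide or of UFW, check whether IPV6=yes is set in a UFW defaults file and set it idempotently if not. The file path is a parameter so you can try the functions on a copy before touching /etc/default/ufw; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Vultr guide: check and, if needed, set IPV6=yes
# in a UFW defaults file. Takes the file path as an argument so it can be
# exercised on a copy before being pointed at /etc/default/ufw.

# ufw_ipv6_enabled FILE: succeed only if FILE has an uncommented IPV6=yes line.
ufw_ipv6_enabled() {
    grep -Eq '^[[:space:]]*IPV6[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# ufw_set_ipv6 FILE: rewrite the IPV6 line to yes, or append one if the file
# has none. Leaves a FILE.bak copy and prints "changed" or "unchanged" so a
# caller knows whether the firewall needs to be restarted.
ufw_set_ipv6() {
    file=$1
    if ufw_ipv6_enabled "$file"; then
        echo unchanged
        return 0
    fi
    if grep -Eq '^[[:space:]]*IPV6[[:space:]]*=' "$file"; then
        sed -i.bak -E 's/^([[:space:]]*IPV6[[:space:]]*=).*/\1yes/' "$file"
    else
        cp "$file" "$file.bak"
        printf 'IPV6=yes\n' >> "$file"
    fi
    echo changed
}

# Usage: sudo sh -c '. ./ufw-ipv6.sh; ufw_set_ipv6 /etc/default/ufw'
```

When the function reports changed, disable and re-enable UFW as described later in this guide so that the IPv6 rules are loaded.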
To disable (stop) Uncomplicated Firewall, run the command.
$ sudo ufw disable
If you need to reload UFW (re-read its rules), use the reload command.
$ sudo ufw reload
To restart UFW, you will need to disable it first and then enable it again.
$ sudo ufw disable
$ sudo ufw enable
Again, before enabling UFW, make sure that the SSH port is allowed for your IP address.
If you need to reset UFW back to default settings, type the following command. This will delete all existing rules and reset the firewall to default values.
user@example:~$ sudo ufw reset
Resetting all rules to installed defaults. This may disrupt existing ssh connections. Proceed with operation (y|n)?
UFW can protect your Ubuntu 20.04 server instance against the most common hacking attempts.