Initializing a Firewall on an Ubuntu Cloud Server
TLDR: In this guide, I will give basic instructions and explanations for securing your server.
👉 I’m not a professional on internet security 👈
Let’s get stuck in…
When you launch a remote instance, the firewall is disabled and everything is open, on the assumption that you will need everything open for the initial setup. This kind of setup would look like this.
As you can imagine, this is the least secure setup you can have. It relies solely on the strength of your password, and if that password is not strong, the server could be vulnerable to brute-force attacks, among many other kinds of exploits.
SIDE NOTE / Point of Interest:
You can Google ‘Brute Force Calculator’ and find a site that will tell you how strong your password is and how long it would take to crack should someone try to brute-force your login. Take this one I found.
A strong password is a non-negotiable first step in securing your server. There are many sites out there that will help you make a strong random password; here is one I found through another Google search. A password like the one below would take an extremely long time to brute-force.
To get the firewall set up and going, we will be using a really neat package called Uncomplicated Firewall (UFW). UFW should be installed by default on Ubuntu Server. If for some reason it is not, you can install it with:
sudo apt install ufw
From there, we will need to block all the open ports and create exceptions for the ones we would like open, such as port 22 for SSH.
For me, I have port 22 and port 8080 open as I need access to my server and have an application running on port 8080 that I need access to also.
First we configure UFW, then we turn it on. We do this to avoid being locked out. It sounds obvious, I know, but trust me, you only need the headache of being locked out once to know this is the golden rule of initializing a firewall.
So I’m going to close all ports first by typing
sudo ufw default deny incoming
Next, let’s add SSH or port 22
sudo ufw allow ssh
or
sudo ufw allow 22
Next, I would like to add my application that will be running on port 8080, you can add your application in the same way.
sudo ufw allow 8080
I think you get the picture.
Next, we need to activate UFW. We do this by typing
sudo ufw enable
Fingers crossed you should still be able to get into your server 🤞
At any point, you can see the status of your firewall by typing
sudo ufw status verbose
Should UFW be off, you will receive a message something like
Output
Status: inactive
Should it be working
Output
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
8080/tcp                   ALLOW IN    Anywhere
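The status check above can also be automated. The script below is an added example, not part of the original post: it reads `ufw status verbose` output and reports an inactive firewall, an open default policy, any open port you did not intend, and any port you expected (such as SSH) that is missing. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ufw status verbose` output against an intended allowlist.
# Reads the status text on stdin; arguments are the ports meant to be open.
# Prints one finding per line and returns non-zero if there is any finding.
# Assumes rules were added by port number or service name (shown as e.g. "22/tcp").
audit_ufw_status() {
    awk -v want="$*" '
    BEGIN { bad = 0; n = split(want, w, " "); for (i = 1; i <= n; i++) expected[w[i]] = 1 }
    /^Status:/  { active = ($2 == "active") }
    /^Default:/ { closed = ($0 ~ /(deny|reject) \(incoming\)/) }
    /ALLOW IN/ {
        port = $1; sub(/\/.*/, "", port)          # "22/tcp" -> "22"
        if (!(port in expected) && !(port in seen)) {
            print "unexpected open port: " $1; bad = 1
        }
        seen[port] = 1                            # IPv4 and (v6) rows count once
    }
    END {
        if (!active) { print "firewall is not active"; exit 1 }
        if (!closed) { print "default incoming policy is not deny or reject"; bad = 1 }
        for (p in expected)
            if (!(p in seen)) { print "expected port not allowed: " p; bad = 1 }
        exit bad
    }'
}

# Constructed sample, modelled on the status output shown above.
sample_status() {
    cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
8080/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
EOF
}

# Offline demo; on a server: sudo ufw status verbose | audit_ufw_status 22 8080
sample_status | audit_ufw_status 22 8080 && echo "firewall matches the allowlist"
```

Run it after every rule change; a finding of "expected port not allowed: 22" is the lockout case the golden rule warns about.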
A good way to check that your firewall is working correctly is to test it.
Testing Your FireWall
At the time of writing this, NetWorkAppers has a useful tool for doing this. You simply pop in your IP and the port you would like to check. As you can see, port 22 is open, which means I can SSH into my remote server! 🎉
Then pick another port that shouldn’t be open and test it. I used 8085 and it was blocked. If this interests you and you would like to learn more, Google ‘penetration testing’.
Below is a nice visualization of what we have accomplished here and what you will be left with.
Congratulations, you have a basic working firewall with hopefully a bit of understanding.
There are loads more settings and preferences you can use to ‘beef up’ your security. Some of these are found in the UFW config file:
sudo nano /etc/default/ufw
and others can be implemented via the CLI or 3rd party packages such as
1. Fail2ban
2. Disabling Root user
3. Public Key authentication
4. Geo-blocking
5. Reverse Proxies: I use Nginx but Traefik seems to be popular these days.
6. Cloudflare CDN
7. Moving SSH to a different port
All of the above I highly recommend for improved server security.
Be Safe & Good Luck ✌