One important step in securing your server is installing a firewall. I’ll show here how to install an easy one, UFW. UFW stands for Uncomplicated Firewall. It’s a good choice that won’t make us sweat blood to get it fully operational.
First of all, install the necessary software (I’m using Ubuntu Server 12.04 for this guide; if you have another distribution, some things will be fully compatible with your system but others won’t):
$ sudo apt-get install ufw
Before adding rules, make sure the firewall is disabled, so that we can set up all the needed rules and then enable them all at once.
$ sudo ufw status
If it’s active, we have to disable it by doing:
$ sudo ufw disable
We will allow all outgoing connections (from our server to the outside), but only some incoming connections from outside to our server, so first we set the default policies to allow all outgoing connections and deny incoming ones:
$ sudo ufw default allow outgoing
$ sudo ufw default deny incoming
Then we have to specify the ports we will allow:
- If we want ssh access, we usually have to allow 22/tcp or “ssh” (if we’ve changed the ssh port, allow that port instead).
- If we have a web server, allow 80/tcp or “http” and 443/tcp or “https” for secure connections.
- If we have a mail server, allow 25/tcp or “smtp” and 143/tcp or “imap”, and optionally 110/tcp or “pop3”.
- and so on. We can find the aliases of the ports in /etc/services.
Let’s see an example:
$ sudo ufw allow ssh
$ sudo ufw allow http
$ sudo ufw allow smtp
$ sudo ufw allow imap
$ sudo ufw allow mysql
Remember that it’s not necessary to allow mysql if you are not going to connect to mysql from outside. For example, if your websites connect to mysql via “localhost”, it’s recommended to keep mysql denied.
Then, when we are done:
$ sudo ufw enable
Then if we request the status, we will get something like this:
$ sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
143                        ALLOW       Anywhere
110                        ALLOW       Anywhere
22                         ALLOW       Anywhere (v6)
80                         ALLOW       Anywhere (v6)
25/tcp                     ALLOW       Anywhere (v6)
143                        ALLOW       Anywhere (v6)
110                        ALLOW       Anywhere (v6)
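Once the firewall is active, it is worth checking that the status listing contains only what you meant to open. The following script is an added example (not part of the original post): it parses `ufw status` output and reports any port that is allowed from Anywhere but is not on your expected list, which catches exactly the mistake the guide warns about, such as mysql left reachable from the world. The status text below is a constructed sample in the same layout as the listing above; nothing in the script needs root.

```shell
# Added example (not from the original post): audit the output of `ufw status`
# against the ports you meant to open. Pure POSIX sh plus awk.

# Constructed sample in the layout of `ufw status`, with one line the guide
# would not want on a web host: 3306 open to Anywhere.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
25/tcp                     ALLOW       Anywhere
3306                       ALLOW       Anywhere
3306                       ALLOW       123.123.123.123
22 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)'

# Print, one per line, sorted numerically and without duplicates, every port
# that is ALLOWed from Anywhere (v4 or v6). A /tcp or /udp suffix is stripped.
# "ALLOW IN", as printed by `ufw status verbose`, is accepted too. Rules that
# only allow a specific source address (like the 123.123.123.123 line) are not
# world-open and are ignored.
world_open_ports() {
    printf '%s\n' "$1" |
        awk '/[[:space:]]ALLOW( IN)?[[:space:]]+Anywhere/ { sub(/\/.*/, "", $1); print $1 }' |
        sort -n | uniq
}

# Return 0 when every world-open port is in the expected list ($2, space
# separated), 1 otherwise; each unexpected port is reported on stderr.
check_exposure() {
    status_text=$1; expected=$2; rc=0
    for port in $(world_open_ports "$status_text"); do
        case " $expected " in
            *" $port "*) ;;
            *) echo "unexpected world-open port: $port" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# On a real host you would feed it the live listing instead of the sample:
#   check_exposure "$(sudo ufw status)" "22 80 443"
if check_exposure "$SAMPLE_STATUS" "22 80 25"; then
    echo "only the expected ports are open to the world"
else
    echo "review the rules above before relying on this firewall"
fi
```

Running the script as-is prints the 3306 line on stderr and the "review the rules" message, because the sample deliberately exposes mysql; with the live listing from a host configured exactly as in this guide, the expected list would be the ports you allowed above.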
That’s it, but we can do something more:
Allow port ranges
If you want to open or close a port range, just do:
$ sudo ufw allow 5080:10000/tcp
or
$ sudo ufw deny 5080:10000/tcp
Allow a port by one IP
If we want to enable a service for a certain IP only, for example if this is a database server and our web server is on another instance or host, we open the mysql port only for our web server, like this:
$ sudo ufw allow from 123.123.123.123 to any port mysql
and our ufw status will include this line:
3306 ALLOW 123.123.123.123
Allow IP range
If we want to enable some IPs within the same subnet, for example all IPs within a local network:
$ sudo ufw allow from 192.168.0.0/24 to any port ssh
This enables ssh for all IPs of the form 192.168.0.x.
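The whole procedure from this guide (disable, set the default policies, allow the public services, add the source-restricted rules, enable) can be kept in one script so that it is repeatable and reviewable. The script below is an added example, not the post's own code: it validates every port spec (single port, service alias, or range with /tcp or /udp) and every source (an IPv4 address, a network in CIDR notation, or "any") before anything is sent to ufw, and only prints the commands unless APPLY=1 is set. The function and variable names, and the addresses at the bottom, are constructed for illustration.

```shell
# Added example (not from the original post): assemble the guide's commands into
# one plan with a dry-run mode. Arguments are validated first, because a bad
# rule is rejected by ufw only when it is applied, after the old rules are gone.

# Port 1..65535, digits only.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Accept a port (22), a service alias from /etc/services (ssh, pop3), or a
# range (5080:10000), optionally with /tcp or /udp. ufw accepts a range only
# together with a protocol, so a bare range is rejected here as well.
valid_port_spec() {
    case $1 in
        */tcp|*/udp) spec=${1%/*} ;;
        */*)         return 1 ;;            # unknown protocol suffix
        *)           spec=$1 ;;
    esac
    case $spec in
        *:*)
            case $1 in */tcp|*/udp) ;; *) return 1 ;; esac
            lo=${spec%%:*}; hi=${spec#*:}
            valid_port "$lo" && valid_port "$hi" && [ "$lo" -lt "$hi" ] ;;
        [a-z]*)
            case $spec in *[!a-z0-9-]*) return 1 ;; esac ;;
        *)
            valid_port "$spec" ;;
    esac
}

# Dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# "any", an IPv4 address, or an IPv4 network in CIDR notation (prefix 0..32).
valid_source() {
    case $1 in
        any) return 0 ;;
        */*)
            addr=${1%/*}; prefix=${1#*/}
            valid_ipv4 "$addr" || return 1
            case $prefix in ''|*[!0-9]*) return 1 ;; esac
            [ "$prefix" -le 32 ] ;;
        *)   valid_ipv4 "$1" ;;
    esac
}

# Print one ufw command, or run it with sudo when APPLY=1 (assumed variable).
ufw_cmd() {
    if [ "${APPLY:-0}" = 1 ]; then sudo ufw "$@"; else echo "ufw $*"; fi
}

# Build the sequence from the guide: disable, set default policies, open the
# world-reachable services ($1, space separated), add the source-restricted
# rules (remaining arguments, each "SOURCE PORTSPEC"), then enable.
# Returns 1 without emitting any command if an argument is malformed.
ufw_plan() {
    world=$1; shift
    for spec in $world; do
        valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    for pair in "$@"; do
        src=${pair%% *}; spec=${pair#* }
        valid_source "$src"     || { echo "bad source: $src" >&2; return 1; }
        valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    ufw_cmd disable
    ufw_cmd default allow outgoing
    ufw_cmd default deny incoming
    for spec in $world; do ufw_cmd allow "$spec"; done
    for pair in "$@"; do
        src=${pair%% *}; spec=${pair#* }
        # The long "from ... to any port ..." form takes the protocol as a
        # separate "proto" word instead of a /tcp suffix.
        case $spec in
            */tcp|*/udp) ufw_cmd allow from "$src" to any port "${spec%/*}" proto "${spec##*/}" ;;
            *)           ufw_cmd allow from "$src" to any port "$spec" ;;
        esac
    done
    ufw_cmd --force enable        # --force skips the "may disrupt ssh" prompt
}

# Web host that also takes ssh from the LAN and mysql from one app server
# (addresses constructed for illustration, as in the guide).
ufw_plan "ssh http https" "192.168.0.0/24 ssh" "123.123.123.123 mysql"
```

Run it once without APPLY to read the plan, then with `APPLY=1` to execute it. Because the plan is rejected as a whole when any argument is malformed, a typo cannot leave the host half-configured with the defaults already reset.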