Securing a Linux Server Part 1: Firewall
Welcome to a new tutorial series, where I will show you what I have learnt so far about making sure that your Linux server (and desktop too!) is secure, so that nobody can get in (easily) and assume control.
Disclaimer: This tutorial series will not cover everything, and should not be treated as complete. There probably will be some mistakes in this post too. Check other guides online or consult a professional to make sure that your machine is secure. Please suggest improvements or point out mistakes in the comments.
To start this tutorial series off, I will talk about firewalls. Firewalls control how data is allowed to travel in and out of your computer. In Ubuntu, a firewall called ufw, the 'uncomplicated firewall', is already present. It acts as a nice frontend to iptables, which I find difficult to understand and use. We will be using ufw as our firewall.
I have done an asciinema recording on a virtual machine of this whole process:
Enabling the firewall
Ufw by default allows all outgoing connections and denies all incoming connections. This means that if you are using ssh to connect to your server, you will need to open the ssh port (22 by default) before enabling ufw. Do that like this:
~$ sudo ufw allow 22/tcp
Ufw will automatically configure iptables to allow incoming connections on port 22 that use tcp. I will talk more about allowing and denying different connections later.
Just in case ufw blocks your ssh connection and you are unable to get back in, you can use another program called at to schedule the disabling of ufw, so that you can get back in again. If you don't have it installed, you can install it with sudo apt-get install at.
~$ sudo at -vM now +10 minutes
ufw disable
^D
Where ^D stands for CTRL + D. Now that ufw is set to disable itself in 10 minutes' time, we go ahead and turn ufw on:
~$ sudo ufw enable
It will warn you that this may disrupt any existing ssh connections you have open. Reply yes to this. Once it has been enabled successfully, you should check that you can still ssh into your server (if that is the method that you are using to control it). If yes, great! If not, ufw will disable itself in 10 minutes and then you can try again.
Now that we have ufw enabled, we can cancel the at job we created to disable ufw. Type sudo atq to list the jobs you have scheduled, and sudo atrm <number> to remove it, where <number> is the number of the job that you want to delete.
You may also want to check the status of ufw to make sure that it is enabled, or to get a list of the rules that are currently in force. You can do that like this:
~$ sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere
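As an added example (not part of the original post), here is a small shell helper that wraps the enable procedure above: it refuses to run sudo ufw enable unless an allow rule for the ssh port has already been added, and only then schedules the at rollback. It reads sudo ufw show added rather than sudo ufw status, because status prints only "Status: inactive" (no rules) until the firewall is turned on. The function names ssh_allowed and safe_enable, and the SAMPLE_ADDED text, are my own constructions.

```shell
# ssh_allowed RULES [PORT]
# RULES is the text of `sudo ufw show added`, which lists added rules even
# while ufw is inactive. Returns 0 when an allow or limit rule covers
# PORT/tcp (default 22) or the OpenSSH application profile.
ssh_allowed() {
    printf '%s\n' "$1" | awk -v p="${2:-22}" '
        BEGIN { want = p "/tcp"; portre = " port " p "( |$)" }
        # short forms: ufw allow 22/tcp, ufw allow 22, ufw limit OpenSSH
        # long form:   ufw allow from <net> to any port 22 proto tcp
        $1 == "ufw" && ($2 == "allow" || $2 == "limit") {
            if ($3 == want || $3 == p || $3 == "OpenSSH") found = 1
            if ($0 ~ portre && $0 !~ / proto udp/) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# safe_enable [PORT]: refuse to enable ufw unless ssh is allowed, then
# schedule the 10-minute rollback from the post before running `ufw enable`.
safe_enable() {
    port="${1:-22}"
    if ! ssh_allowed "$(sudo ufw show added)" "$port"; then
        echo "refusing to enable ufw: no allow rule for ${port}/tcp" >&2
        echo "add one first: sudo ufw allow ${port}/tcp" >&2
        return 1
    fi
    printf 'ufw disable\n' | sudo at -vM now +10 minutes
    sudo ufw enable
    echo "ufw enabled; once ssh is confirmed working, cancel the rollback with sudo atq and sudo atrm <number>"
}

# Constructed sample of `ufw show added` output (not captured from a real server).
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 80/tcp
ufw deny from 123.123.123.123"
```

Run safe_enable 22 (or your ssh port) on the server instead of sudo ufw enable; ssh_allowed can also be called on its own to inspect a saved rule list.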
Allowing connections
Allowing connections through the firewall is easy. Simply type something like this:
~$ sudo ufw allow 80/tcp
Ufw will automatically configure iptables, in this example, to allow all connections on port 80 that use tcp. It will also configure it appropriately for both IPv4 and IPv6. Replace 80 with the port number you want to allow, and tcp with udp if needed. Ufw also understands several service names (such as http and imap), and can configure itself accordingly:
~$ sudo ufw allow http
~$ sudo ufw allow imap
Denying connections
Denying all connections on a given port is very similar. Simply type something like this:
~$ sudo ufw deny 4722/tcp
The above would deny all tcp connections on port 4722.
You can also prevent a particular IP address from gaining access to your server:
~$ sudo ufw deny from 123.123.123.123
The above would block all packets from the IP address 123.123.123.123. It works with IPv6 addresses too:
~$ sudo ufw deny from 2607:f8b0:4003:c05::65
The above would block all packets from the IP address 2607:f8b0:4003:c05::65, which just happens to belong to Google.
Port Ranges
You can open a range of ports with a colon:
~$ sudo ufw allow 60000:61000/udp
The above will allow udp connections on any port in the range 60,000 - 61,000 (the ports used for mosh).
Deleting Rules
Deleting rules can be done like this:
~$ sudo ufw delete allow 4724/tcp
The above would delete the rule(s) allowing tcp connections on port 4724.
Summary
In this post, I have shown you how to activate and configure a simple firewall that is bundled with Ubuntu. Next time, I will talk about securing your ssh daemon.
If you spotted a mistake in this post, have a suggestion, or are having trouble following along, please leave a comment below.
Other useful posts
These posts helped me to understand and use the uncomplicated firewall: