{"id":37,"date":"2019-02-03T17:03:00","date_gmt":"2019-02-03T17:03:00","guid":{"rendered":"https:\/\/hostup.org\/blog\/?p=37"},"modified":"2024-04-03T12:55:00","modified_gmt":"2024-04-03T12:55:00","slug":"more-in-depth-configuration-of-ubuntu-firewall-ufw","status":"publish","type":"post","link":"https:\/\/hostup.se\/en\/blog\/more-in-depth-configuration-of-ubuntu-firewall-ufw\/","title":{"rendered":"More in Depth Configuration of Ubuntu Firewall (UFW)"},"content":{"rendered":"\n<p>Hi there again! In this tutorial, I am going to cover in more depth how to configure UFW (<a href=\"https:\/\/wiki.ubuntu.com\/UncomplicatedFirewall\" target=\"_blank\" rel=\"noopener\">UncomplicatedFirewall<\/a>). If you have already installed UFW, you can skip the first section.<\/p>\n\n\n\n<p>This is tested to work with Ubuntu 16.04-18.04, although it may work on other versions too!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"Install_UFW\">Installation of UFW and Basic Information<\/h2>\n\n\n\n<p>You can check whether the firewall is already installed by running:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>which ufw<\/code><\/pre>\n\n\n\n<p>If it outputs <strong>\/usr\/sbin\/ufw<\/strong>, it is already installed; if not, run the following:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo apt-get install ufw<\/code><\/pre>\n\n\n\n<p>You can view the status of your firewall by running:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo ufw status<\/code><\/pre>\n\n\n\n<p>It will output either <strong>Status: inactive<\/strong> or <strong>Status: active<\/strong>. A freshly installed UFW is inactive: until it has been enabled (see <code>sudo ufw enable<\/code> in the last section), the rules you add are stored but not enforced.<\/p>\n\n\n\n<p>To start the firewall again you simply need to run the following command:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo service ufw start<\/code><\/pre>\n\n\n\n<p>To stop your Ubuntu firewall:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo service ufw stop<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"mce_2\">Allow Connections<\/h2>\n\n\n\n<p>When you want to allow connections you simply type <code><strong>sudo ufw allow<\/strong><\/code>, followed by the port or the service name you wish to allow. An example of this is SSH.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo ufw allow ssh\/tcp<\/code><\/pre>\n\n\n\n<p>Or you can allow it using the port number.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo ufw allow 22\/tcp<\/code><\/pre>\n\n\n\n<p>Below you can find a list of the most common ports; the source is utilizewindow.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><th>Port<\/th><th>Service name<\/th><th>Transport protocol<\/th><\/tr><tr><td>20, 21<\/td><td>File Transfer Protocol (FTP)<\/td><td>TCP<\/td><\/tr><tr><td>22<\/td><td>Secure Shell (SSH)<\/td><td>TCP and UDP<\/td><\/tr><tr><td>23<\/td><td>Telnet<\/td><td>TCP<\/td><\/tr><tr><td>25<\/td><td>Simple Mail Transfer Protocol (SMTP)<\/td><td>TCP<\/td><\/tr><tr><td>50, 51<\/td><td>IPSec<\/td><td><\/td><\/tr><tr><td>53<\/td><td>Domain Name System (DNS)<\/td><td>TCP and UDP<\/td><\/tr><tr><td>67, 68<\/td><td>Dynamic Host Configuration Protocol (DHCP)<\/td><td>UDP<\/td><\/tr><tr><td>69<\/td><td>Trivial File Transfer Protocol (TFTP)<\/td><td>UDP<\/td><\/tr><tr><td>80<\/td><td>HyperText Transfer Protocol (HTTP)<\/td><td>TCP<\/td><\/tr><tr><td>110<\/td><td>Post Office Protocol (POP3)<\/td><td>TCP<\/td><\/tr><tr><td>119<\/td><td>Network News Transport Protocol (NNTP)<\/td><td>TCP<\/td><\/tr><tr><td>123<\/td><td>Network Time Protocol (NTP)<\/td><td>UDP<\/td><\/tr><tr><td>135-139<\/td><td>NetBIOS<\/td><td>TCP and UDP<\/td><\/tr><tr><td>143<\/td><td>Internet Message Access Protocol (IMAP4)<\/td><td>TCP and UDP<\/td><\/tr><tr><td>161, 162<\/td><td>Simple Network Management Protocol (SNMP)<\/td><td>TCP and UDP<\/td><\/tr><tr><td>389<\/td><td>Lightweight Directory Access Protocol<\/td><td>TCP and UDP<\/td><\/tr><tr><td>443<\/td><td>HTTPs Secure Sockets Layer (SSL)<\/td><td>TCP and UDP<\/td><\/tr><tr><td>3389<\/td><td>Remote Desktop Protocol<\/td><td>TCP and UDP<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>So let us say we want to enable HTTP. We can see in the list above that HTTP uses port 80 over TCP. To allow it we do the same thing as above. Note that ufw looks service names up in <code>\/etc\/services<\/code>, so the name must be spelled as it is there, in lowercase. Example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo ufw allow http\/tcp<\/code><\/pre>\n\n\n\n<p>OR<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo ufw allow 80\/tcp<\/code><\/pre>\n\n\n\n<p>The general form of the command is <code><strong>sudo ufw allow (SERVICENAME or PORT)\/(TRANSPORT PROTOCOL)<\/strong><\/code>. You can also find which transport protocol to use in the list above.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"mce_8\">Block Connections<\/h2>\n\n\n\n<p>When you want to block connections you simply type <code><strong>sudo ufw deny<\/strong><\/code>, followed by the port or service name you wish to block, just as shown above.<\/p>\n\n\n\n<p>If you want to block a specific IP:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo ufw deny from 88.88.88.88<\/code><\/pre>\n\n\n\n<p>Just remember to replace <code><strong>88.88.88.88<\/strong><\/code> with the IP address of your choice. Keep in mind that ufw evaluates rules in the order they were added and stops at the first match, so a deny rule for a host must sit before any allow rule that would also match its traffic; otherwise the allow wins. You can also block a whole subnet:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo ufw deny from 88.88.88.0\/24<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Rate limiting with UFW<\/h2>\n\n\n\n<p>Another good feature to include is rate limiting. With a limit rule, if an IP address has attempted to initiate &gt;6 connections within the last 30 seconds, it is blocked temporarily. This is very useful for SSH, as it makes brute-forcing almost impossible. A limit rule also allows the traffic it matches, so it takes the place of a plain allow rule for that service.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo ufw limit ssh<\/code><\/pre>\n\n\n\n<p>Or limiting by port:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo ufw limit 22<\/code><\/pre>\n\n\n\n<p>You can change the service <strong>ssh<\/strong> or the port <strong>22<\/strong> to the service you want to limit.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Setting up the Host Firewall to Protect Against Internal Threats<\/h2>\n\n\n\n<p>If you are not behind a properly set up hardware firewall, you can get similar protection in software by setting the default output policy to <strong>DROP<\/strong>, which puts all traffic in and out of the box under the control of ufw. Be aware that once outgoing traffic is dropped by default, the server itself can no longer reach anything (DNS, package mirrors, NTP) until you add explicit outgoing allow rules for those services.<\/p>\n\n\n\n<p>This assumes you&#8217;re on a <strong>10.x.x.x<\/strong> network and that, during setup, only you need to be able to access the box via SSH. Change <strong>10.x.x.x<\/strong> to suit your configuration as shown below.<\/p>\n\n\n\n<p>Open the configuration file by running:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo nano \/etc\/default\/ufw<\/code><\/pre>\n\n\n\n<p>Make sure that your default output policy is set to drop, like this: <code><strong>DEFAULT_OUTPUT_POLICY=\"DROP\"<\/strong><\/code><\/p>\n\n\n\n<p>Save by pressing <bawt-key>CTRL<\/bawt-key> + <bawt-key>X<\/bawt-key> and follow the instructions prompted on the screen.<\/p>\n\n\n\n<p>Back at the terminal run the following commands:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo ufw allow proto tcp from 10.x.x.x to any port 22<\/code><br><code>sudo ufw enable<\/code><br><code>sudo service ufw start<\/code><br><code>sudo ufw logging medium<\/code><\/pre>\n\n\n\n<p>Make sure to change <code><strong>10.x.x.x<\/strong><\/code> to your own IP address or domain name.<\/p>\n\n\n\n<p>If you don&#8217;t already have a VPS, or want to reward us for our hard work and ad-free experience, you can buy a <a href=\"https:\/\/hostup.se\/en\/vps\/\">VPS<\/a> from us. We would really appreciate it, as we don&#8217;t have any donation buttons and this is our only source of income. 
Our VPSes are located in Stockholm, and we even have a <a href=\"https:\/\/hostup.se\/vps\/\">Swedish branded site<\/a> if you&#8217;re from Sweden.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi there again! In this tutorial, I am going to cover in more depth how to configure UFW (UncomplicatedFirewall). If you have already installed UFW, you can skip the first section. This is tested to work with Ubuntu 16.04-18.04, although it may work on other versions too! Installation of UFW and Basic Information [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":157,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10,17],"tags":[],"class_list":["post-37","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tutorials","category-linux"],"blocksy_meta":[],"_links":{"self":[{"href":"https:\/\/hostup.se\/en\/blog\/wp-json\/wp\/v2\/posts\/37","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hostup.se\/en\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hostup.se\/en\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hostup.se\/en\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hostup.se\/en\/blog\/wp-json\/wp\/v2\/comments?post=37"}],"version-history":[{"count":3,"href":"https:\/\/hostup.se\/en\/blog\/wp-json\/wp\/v2\/posts\/37\/revisions"}],"predecessor-version":[{"id":418,"href":"https:\/\/hostup.se\/en\/blog\/wp-json\/wp\/v2\/posts\/37\/revisions\/418"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hostup.se\/en\/blog\/wp-json\/wp\/v2\/media\/157"}],"wp:attachment":[{"href":"https:\/\/hostup.se\/en\/blog\/wp-json\/wp\/v2\/media?parent=37"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hostup.se\/en\/blog\/wp-json\/wp\/v2\/categories?post=37"},{"taxonomy":"post_tag","embeddable":true,"href":"h
ttps:\/\/hostup.se\/en\/blog\/wp-json\/wp\/v2\/tags?post=37"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}