Quick tip: Secure your Ubuntu instance with UFW

Tutorial Category Security
Experience level Beginner

Introduction

UFW (Uncomplicated Firewall) is an interface to iptables that lets you create firewall rules simply and predictably to protect your server. Any conscientious server operator should add firewall rules as soon as possible, and UFW allows you to do this quickly and easily.

What you’ll need:

  • An Ubuntu 16.04 server
  • SSH access to said server
  • A sudo-level user that can make system-wide changes

Let’s get started!

Configure UFW

UFW is installed by default on Ubuntu 16.04, so we don’t need to do any installing – hooray!

First, let’s ensure that any rules we make will also be applied to IPv6 connections. This is turned off by default. Use your favourite editor to open the following file:

$ sudo pico /etc/default/ufw

In that file, find the line beginning IPV6= and make sure it's set to yes (IPV6=yes).

Second, we need to set up some default policies that provide a good starting point for a new server. This will reset anything you’ve previously configured with UFW, but I’m hoping as you’re reading an entry-level UFW tutorial you haven’t already done that! Enter the following commands:

$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing

Now, we need to make sure that SSH connections aren’t blocked from this point onwards. If you were to enable your UFW rules without allowing SSH, you’d be kicked out of your SSH session and you wouldn’t be able to get back in again!

Let’s add that rule now:

$ sudo ufw allow ssh

Right, you’ll be able to log into your server when we finally enable UFW. Sweet. Now let’s let people access your server on the standard HTTP and HTTPS ports.

Configure HTTP and HTTPS

Very similar to allowing SSH:

$ sudo ufw allow http
$ sudo ufw allow https

Enable UFW

As you might have noticed, all of these steps so far have just been configuring UFW, rather than enabling it. For the rules to have any effect, we must enable the firewall:

$ sudo ufw enable
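
A pre-flight check for the two mistakes this tutorial warns about (IPv6 not covered, and SSH not allowed before enabling), as an added example that is not part of the original tutorial. It assumes rules in the one-command-per-line form printed by `sudo ufw show added`; the function names and sample files are made up for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check to run before `sudo ufw enable`.
# Assumes rules in the form printed by `sudo ufw show added`.

# True if the defaults file has an active (uncommented) IPV6=yes line.
ipv6_enabled() {
    grep -Eq '^[[:space:]]*IPV6="?yes"?[[:space:]]*$' "$1"
}

# True if the rules on stdin allow (or rate-limit) SSH from anywhere.
# Accepts the service name, the OpenSSH app profile, or port 22 (any/tcp).
# Source-restricted rules ("from ... port 22") are deliberately not counted,
# because they may not cover the address you are connecting from.
ssh_allowed() {
    grep -Eiq '^ufw (allow|limit) (in )?(ssh|openssh|22(/tcp)?)([[:space:]]|$)'
}

# Print each problem found; exit status is the number of problems (0 = safe).
preflight() {
    defaults_file=$1
    rules_file=$2
    problems=0
    if ! ipv6_enabled "$defaults_file"; then
        echo "IPV6=yes is not set in $defaults_file: IPv6 traffic is not covered"
        problems=$((problems + 1))
    fi
    if ! ssh_allowed < "$rules_file"; then
        echo "no SSH allow rule found: enabling UFW now risks locking you out"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo on constructed sample input (not captured from a real server):
# HTTP and HTTPS were allowed, but the SSH rule was forgotten.
demo_dir=$(mktemp -d)
printf 'IPV6=yes\n' > "$demo_dir/ufw.defaults"
printf 'ufw allow 80/tcp\nufw allow 443/tcp\n' > "$demo_dir/rules.txt"
preflight "$demo_dir/ufw.defaults" "$demo_dir/rules.txt" || echo "do not enable yet"
rm -rf "$demo_dir"

# On a real server (run by hand, needs root):
#   sudo ufw show added > rules.txt
#   preflight /etc/default/ufw rules.txt && sudo ufw enable
```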

Conclusion

You’ve secured your server by only allowing SSH, HTTP and HTTPS access. In future articles I’ll dive a bit deeper into UFW and how to lock down access even more. Until then, enjoy your (more) secure server!
