brent Posted June 18, 2018

The most important things you need to know to firewall servers are:
1. Who (IP address) you wish to allow or restrict access.
2. What protocol (tcp/udp) and port is used by your server.

A listing of ports is available here http://en.wikipedia....DP_port_numbers

Enable your firewall

If you are accessing your server remotely be sure NOT to lock yourself out. Assuming you are accessing via ssh, allow ssh (we will restrict ssh access below, for now just do not lock yourself out).

```
sudo ufw allow 22
```

NOTE: If you need to reset your firewall:

```
sudo ufw --force reset
```

Now enable your firewall. Except for ssh, which you allowed with the above rule, this will deny all incoming (udp/tcp) traffic to your server.

```
sudo ufw enable
sudo ufw default deny
```

Public servers

```
sudo ufw allow 80
```

Or if you wish, by protocol and port (most servers will be tcp):

```
sudo ufw allow 80/tcp
```

You may specify multiple ports (comma separated list):

```
sudo ufw allow 80,443/tcp
```

Or a range of ports, low:high:

```
# Allow ports 6881 - 6999 (torrent)
sudo ufw allow 6881:6999/tcp
```

You may specify most services by name:

```
sudo ufw allow ssh
```

Some servers can be specified "by application", although this is still by port and is not application specific. By that I mean: if you allow "Apache", you open port 80, which can be used by any client application (firefox, wget, etc).
List applications with:

```
sudo ufw app list
```

```
Available applications:
  Apache
  Apache Full
  Apache Secure
  CUPS
  OpenSSH
```

To translate the cryptic output to English:
Apache = http = port 80
Apache Secure = https = port 443
Apache Full = both ports

As you install servers, they will be added to the list.

Now allow by application. Examples (you do not need to use all 3 rules):

```
sudo ufw allow Apache
# Note: Quotes are needed with "Apache Full"
sudo ufw allow "Apache Full"
sudo ufw allow from 192.168.0.0/24 to any app OpenSSH
```

You may add custom applications or custom ports to /etc/ufw/applications.d. As an example, /etc/ufw/applications.d/apache2.2-common contains:

```
[Apache]
title=Web Server
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80/tcp

[Apache Secure]
title=Web Server (HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=443/tcp

[Apache Full]
title=Web Server (HTTP,HTTPS)
description=Apache v2 is the next generation of the omnipresent Apache web server.
ports=80,443/tcp
```

So if you changed the ssh port to 8822, add a file "ssh-custom" at /etc/ufw/applications.d/ssh-custom:

```
[SSH Custom]
title=SSH Custom port
description=OpenSSH Server Custom port
ports=8822/tcp
```

You will now see "SSH Custom" when you list apps and can use it as above.

Private servers

Examples may include NFS, Samba, ssh, VNC, and VPN. I will use ssh and Apache as examples. For these examples we will assume your LAN is 192.168.0.0/24 and your server is 192.168.0.10. Here we almost always wish to restrict access to a single IP or perhaps a range of IPs.
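The profile format above is plain INI text, so it is easy to generate and to read back. The script below is an added example (not from the original post): it validates the ports= field before writing a profile, derives the file name the same way as the "SSH Custom" example (ssh-custom), and reads the ports= value of one section out of a multi-section file like apache2.2-common. It writes into a directory you choose rather than /etc/ufw/applications.d; the function names and the demo directory are my own.

```shell
#!/bin/sh
# Added example, not from the original post: write and read back ufw
# application profiles in the INI format shown above. Profiles are written
# to a directory you choose (use a temporary one to try it), not straight
# into /etc/ufw/applications.d; after copying a file there, confirm ufw
# parses it with "sudo ufw app info 'SSH Custom'".

# ufw_ports_valid PORTS : succeed if PORTS is a comma-separated list of ports
# or low:high ranges with one protocol, e.g. 22/tcp, 80,443/tcp, 6881:6999/udp.
ufw_ports_valid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]{1,5}(:[0-9]{1,5})?(,[0-9]{1,5}(:[0-9]{1,5})?)*/(tcp|udp)$'
}

# ufw_write_profile DIR NAME TITLE DESCRIPTION PORTS
# Validates PORTS, writes DIR/<name in lower case, spaces as '-'> and prints
# the path, so "SSH Custom" becomes DIR/ssh-custom as in the post.
ufw_write_profile() {
    dir=$1; name=$2; title=$3; desc=$4; ports=$5
    if ! ufw_ports_valid "$ports"; then
        echo "ufw_write_profile: bad ports spec '$ports'" >&2
        return 1
    fi
    file="$dir/$(printf '%s' "$name" | tr 'A-Z ' 'a-z-')"
    printf '[%s]\ntitle=%s\ndescription=%s\nports=%s\n' \
        "$name" "$title" "$desc" "$ports" > "$file"
    printf '%s\n' "$file"
}

# ufw_profile_ports FILE NAME : print the ports= value of section [NAME] in a
# profile file that may hold several sections, like apache2.2-common above.
ufw_profile_ports() {
    awk -v want="[$2]" '
        $0 == want          { found = 1; next }
        /^\[/               { found = 0 }
        found && /^ports=/  { sub(/^ports=/, ""); print; exit }
    ' "$1"
}

# Demonstration when run directly: a custom ssh profile and a constructed
# two-section file in the style of apache2.2-common.
demo_dir=$(mktemp -d)
ufw_write_profile "$demo_dir" "SSH Custom" "SSH Custom port" "OpenSSH Server Custom port" 8822/tcp
printf '%s\n' '[Apache]' 'title=Web Server' 'ports=80/tcp' '' \
    '[Apache Full]' 'title=Web Server (HTTP,HTTPS)' 'ports=80,443/tcp' > "$demo_dir/apache-demo"
ufw_profile_ports "$demo_dir/apache-demo" "Apache Full"   # prints 80,443/tcp
```

The ports check is deliberately strict about the shape ufw expects (one protocol per ports= line); a profile with a malformed ports field is rejected before anything is written, which is cheaper than finding out from "ufw app info" after the copy.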
For example, to restrict access for ssh to a single machine, say 192.168.0.20:

```
sudo ufw allow proto tcp from 192.168.0.20 to 192.168.0.10 port 22
```

The syntax is: proto <protocol> from <ip> to <server ip> port <port>. To allow ssh from any client on your LAN use:

```
sudo ufw allow proto tcp from 192.168.0.0/24 to 192.168.0.10 port 22
```

Limiting access

Limiting access comes in two flavors: the first is to limit a DOS or brute force attempt, and the other is blacklisting.

Brute force

UFW will rate limit connection attempts. ufw supports connection rate limiting, which is useful for protecting against brute-force login attacks. ufw will deny connections if an IP address has attempted to initiate 6 or more connections in the last 30 seconds. Example (using ssh):

```
sudo ufw limit ssh
```

"Limit" opens the port, so you do not need a second rule.

```
ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         LIMIT       Anywhere
```

This output demonstrates that port 22 is open and access is limited by ufw.

Blacklist

Keep in mind the order of your rules is critical. As such I like to block first, accept second. So for example let us assume we wish to block a misbehaving client on our LAN, 192.168.0.20:

```
sudo ufw insert 1 deny from 192.168.0.20
```

Here "insert 1" tells ufw to insert the rule first (or near the top) of the chain. Using UFW in this way blocks only NEW connections. IMO better to use iptables or an application such as iplist, article shown here http://ubuntuforums....ad.php?t=530183

Block ping

By default, UFW allows ping requests.
In order to block these requests you will need to edit /etc/ufw/before.rules:

```
sudo nano /etc/ufw/before.rules
```

Change

```
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
```

to

```
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
```

Restart UFW:

```
sudo ufw disable
sudo ufw enable
```

Deleting rules

Deleting a rule is also easy. Use the same syntax you used to add a rule to ufw with the word "delete" added. For example, using Apache:

```
# sudo ufw allow Apache
Rule added
# ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         LIMIT       Anywhere
Apache                     ALLOW       Anywhere
# sudo ufw delete allow Apache
Rule deleted
# ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         LIMIT       Anywhere
```

Logs

ufw logs messages to /var/log/messages and logging is enabled/disabled from the command line:

```
sudo ufw logging on
sudo ufw logging off
```

The options are on, off, low, medium, high, and full. on = low. From the ufw man pages:

LOGGING
ufw supports multiple logging levels. ufw defaults to a loglevel of 'low' when a loglevel is not specified. Users may specify a loglevel with:

```
ufw logging LEVEL
```

LEVEL may be 'off', 'low', 'medium', 'high' and 'full'.
Log levels are defined as:

off: disables ufw managed logging
low: logs all blocked packets not matching the default policy (with rate limiting), as well as packets matching logged rules
medium: log level low, plus all allowed packets not matching the default policy, all INVALID packets, and all new connections. All logging is done with rate limiting.
high: log level medium (without rate limiting), plus all packets with rate limiting
full: log level high without rate limiting

Loglevels above medium generate a lot of logging output, and may quickly fill up your disk. Loglevel medium may generate a lot of logging output on a busy system. Specifying 'on' simply enables logging at log level 'low' if logging is currently not enabled.

Iptables

Now that you have ufw under your belt, it is easier to understand iptables. If you are wanting to use iptables, best disable UFW first.

```
sudo ufw disable
# These iptables rules clean up after UFW, deleting the custom tables
sudo iptables -F
sudo iptables -X
```

To deny all incoming traffic (take care not to lock yourself out from remote servers, allow ssh first !!!):

```
sudo iptables -A INPUT -j DROP
```

You can set a policy with iptables, but doing so makes it easy to lock yourself out if you issue the command "iptables -F".

To allow ssh:

```
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
```

To allow ssh only from your LAN:

```
sudo iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
```
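At loglevel low and above, ufw writes one kernel log line per dropped packet, prefixed "[UFW BLOCK]" (or "[UFW LIMIT BLOCK]" when the drop came from a limit rule). The script below is an added example for the Logs section above, not code from the original post: it summarises those lines by source address and destination port and lists sources whose total number of blocked packets reaches a threshold, which is the evidence you would want before adding a "ufw insert 1 deny from" rule for a misbehaving client. The log sample at the bottom is constructed, using RFC 5737 documentation addresses, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: summarise ufw's kernel log lines
# (the "[UFW BLOCK]" / "[UFW LIMIT BLOCK]" entries written at loglevel low
# and above) to see which sources are being dropped and on which ports.
# Reads log text from stdin, e.g. "grep 'UFW' /var/log/syslog | ufw_blocked_summary".

# ufw_blocked_summary : print "COUNT SRC DPT" for every blocked (SRC, DPT)
# pair, busiest first. Only lines carrying a UFW BLOCK prefix are counted;
# "[UFW ALLOW]" and "[UFW AUDIT]" lines are ignored.
ufw_blocked_summary() {
    awk '
        /\[UFW (LIMIT )?BLOCK\]/ {
            src = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") n[src " " dpt]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2,2
}

# ufw_noisy_sources THRESHOLD : list sources with at least THRESHOLD blocked
# packets in total (any port); candidates for "ufw insert 1 deny from SRC".
ufw_noisy_sources() {
    ufw_blocked_summary | awk -v t="$1" '
        { total[$2] += $1 }
        END { for (s in total) if (total[s] >= t) print s }
    ' | sort
}

# Constructed sample log lines (not real traffic); ufw's real lines carry
# more fields (MAC=, LEN=, TTL=, ...) which the parser simply skips.
SAMPLE_LOG='Jun 18 10:01:02 server kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.0.10 PROTO=TCP SPT=51234 DPT=22 SYN
Jun 18 10:01:03 server kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.0.10 PROTO=TCP SPT=51235 DPT=22 SYN
Jun 18 10:01:03 server kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.0.10 PROTO=TCP SPT=51236 DPT=22 SYN
Jun 18 10:01:09 server kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.0.10 PROTO=TCP SPT=51300 DPT=23 SYN
Jun 18 10:02:11 server kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.168.0.20 DST=192.168.0.10 PROTO=UDP SPT=5353 DPT=5353
Jun 18 10:02:12 server kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.168.0.30 DST=192.168.0.10 PROTO=TCP SPT=40000 DPT=80 SYN'

# Run the summary over the sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | ufw_blocked_summary
```

Because low and medium log with rate limiting, the counts are a lower bound on what was actually dropped; treat them as a ranking of sources, not an exact packet count.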
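The iptables section's warning (allow ssh before the catch-all DROP, and beware that "iptables -F" removes the rules that were keeping you in) is easier to honour if the rule set is kept as one file and checked before it is loaded. The script below is an added example, not code from the original post: it prints an iptables-restore style INPUT chain that allows ssh from the LAN before the final DROP, and a check that refuses a rule file in which an unconditional "-A INPUT -j DROP" appears before the ssh ACCEPT. The conntrack and loopback rules are my additions (they keep replies to the server's own connections working); the function names are my own, and nothing here touches the live firewall.

```shell
#!/bin/sh
# Added example, not from the original post. Builds an iptables-restore style
# rule file for the INPUT chain that follows the post's advice (allow ssh
# before the catch-all DROP) and checks a rule file for the lockout mistake
# the post warns about: a DROP-everything rule ahead of the ssh ACCEPT.
# Only writes and reads text; load the result yourself, after reviewing it,
# with "sudo iptables-restore < FILE".

# build_input_rules LAN_CIDR SSH_PORT : print the rule set
build_input_rules() {
    lan=$1; sshport=$2
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# keep replies to connections the server itself opened (my addition)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# ssh only from the LAN, placed before the catch-all drop
-A INPUT -s $lan -p tcp --dport $sshport -j ACCEPT
# catch-all: everything not allowed above is dropped
-A INPUT -j DROP
COMMIT
EOF
}

# ssh_reachable_before_drop FILE SSH_PORT : succeed if the INPUT chain in FILE
# accepts tcp/SSH_PORT before the first unconditional "-A INPUT -j DROP"
# (or has no such DROP at all); fail otherwise, i.e. when loading FILE would
# lock out a remote ssh session.
ssh_reachable_before_drop() {
    awk -v port="$2" '
        /^-A INPUT / {
            if ($0 ~ /^-A INPUT -j DROP$/) exit (ok ? 0 : 1)
            if ($0 ~ /-p tcp/ && $0 ~ ("--dport " port "( |$)") && $0 ~ /-j ACCEPT/) ok = 1
        }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Demonstration when run directly: build a rule set and check it.
rules_file=$(mktemp)
build_input_rules 192.168.0.0/24 22 > "$rules_file"
if ssh_reachable_before_drop "$rules_file" 22; then
    echo "ok: ssh on tcp/22 is accepted before the catch-all DROP"
else
    echo "refusing to load: ssh would be blocked" >&2
fi
```

Keeping the rules in a file also removes the "iptables -F" hazard the post mentions: a flush is followed by one iptables-restore of the reviewed file rather than by retyping rules in the right order under pressure.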