![\"\"](\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2022\/11\/Linux-cheat-sheet.png\/public\")
<\/a><\/figure><\/div>\n\n\n\n\n\n<\/p>
Understanding the Importance of the Ubuntu Firewall<\/h2>
A firewall is a security system monitoring your server’s outgoing and incoming connections. It uses a set of predetermined rules to allow or block these connections.<\/p>
This tool is essential since a computer connected to the internet can receive and process requests from any source, including cyber attackers. Here are the benefits of having firewall protection:<\/p>
- \n
- Cyber threat protection<\/strong>. A firewall blocks malicious connections that cyber criminals use to launch a hacking attack or inject malware.<\/li>\n\n\n\n
- Traffic filtering<\/strong>. VPS users can set a custom rule to only allow specific connections to reach the server and block the others.<\/li>\n\n\n\n
- Access control<\/strong>. A system administrator can use a firewall to block outgoing traffic to prevent users on the server from accessing potentially malicious websites.<\/li>\n\n\n\n
- Data collection<\/strong>. A firewall tracks system events, which you can analyze to set more suitable rules.<\/li>\n<\/ul>
UFW is an application for Linux firewall configuration. It is pre-installed on Ubuntu 22.04 LTS and Debian 10 or later but disabled by default.<\/p>
Uncomplicated Firewall (UFW) utilizes a command-line interface (CLI) and uses iptables<\/a> for configuration. Iptables is Linux’s built-in firewall containing tables – storage for rules determining how to filter traffic.<\/p>
It also has a graphical user interface called GUFW, which users can install on their desktop environment. Meanwhile, UFW command line usage is for a remote server like VPS.<\/p>
How to Set Up Ubuntu Firewall on Different Ubuntu Versions<\/h2>
Before configuring firewall rules in Ubuntu, we must enable UFW. Although we will use Ubuntu 22.04 <\/strong>for this tutorial, the Linux commands<\/a> should also work for the older or later versions.<\/p>
UFW configuration on a remote server requires SSH connection using Terminal. Here’s how to do so on a Ubuntu system via Hostinger:<\/p>
- \n
- Open hPanel <\/strong>→ VPS<\/strong>.<\/li>\n\n\n\n
- Select the relevant VPS.<\/li>\n\n\n\n
- In the SSH access<\/strong> tab, copy the Terminal <\/strong>command similar to the following:<\/li>\n<\/ol>
ssh username@server-ip<\/pre>
- \n
- Open Terminal <\/strong>and paste the command. Press Enter<\/strong>.<\/li>\n\n\n\n
- Enter your SSH root password<\/strong>.<\/li>\n<\/ol>
\n![\"SSH](\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2017\/01\/hostinger-vps-overview-screen-v2.png\/public\")
<\/a><\/figure><\/div>If you connect using SSH applications like PuTTY<\/a>, paste the server IP address <\/strong>into the designated field and use port 22 <\/strong>to connect. On the CLI, enter the root username and password<\/strong>. For security reasons, note that the password won’t show when you type it.<\/p>
\n\n\n
\nPro Tip<\/h4>\n
Hostinger’s users can use the Browser Terminal feature to run shell commands directly from their web browser without Terminal or SSH applications.<\/p>\n <\/div>\n\n\n\n<\/p>
Once connected, follow these steps to configure UFW on Ubuntu 22.04:<\/p>
- \n
- Activate UFW with the following command:<\/li>\n<\/ol>
sudo ufw enable<\/pre>
- \n
- If you receive a UFW command not found <\/strong>error, it means the firewall isn’t installed on your system. To install it, use the command below:<\/li>\n<\/ol>
sudo apt-get install ufw<\/pre>
- \n
- To confirm that the installation is successful, use this command to check the firewall status:<\/li>\n<\/ol>
sudo ufw status<\/pre>
\n![\"PuTTY](\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2023\/08\/PuTTY-SSH-client-showing-the-UFW-status.png\/public\")
<\/a><\/figure><\/div>The default UFW policies block all incoming connections and allow outgoing connections, which are sufficient for most users. However, you must establish custom rules if you host network services or applications.<\/p>
![\"\"](\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2023\/02\/VPS-hosting-banner.png\/public\")
<\/a><\/figure>How to Set Firewall Rules on Ubuntu With UFW<\/h2>
A firewall rule is an instruction to determine how your system treats connections – accepted or denied. In this section, we will explain how to create custom UFW rules based on ports, IP addresses, and services.<\/p>
Opening and Closing Ports with UFW<\/h3>
Ports are connection interfaces an application uses to establish a connection with a server.<\/p>
Opening unused ports creates security vulnerabilities, as cyber criminals may use them to access your server. It makes closing and opening a port in Linux VPS essential to improve its security.<\/p>
To minimize risks, users can open and close ports with UFW to control which applications are allowed to connect to their computer. Here are the command syntaxes:<\/p>
sudo ufw allow port\/protocol\n\nsudo ufw deny port\/protocol<\/pre>
Replace port <\/strong>with the port number and protocol <\/strong>with <\/strong>TCP or UDP<\/a>. To find out the values for your application, refer to IANA’s list of port number registries<\/a>.<\/p>
Use allow<\/strong> to change the default incoming policy. For instance, run the following command to enable the port for SSH connections:<\/p>
sudo ufw allow 22\/tcp<\/pre>
To change the default policy for outgoing traffic, use the deny <\/strong>option. For example, enter the command below to block the connection from your server to a MySQL database:<\/p>
sudo ufw deny 56\/tcp<\/pre>
You can also open or close port ranges with a single command. Here’s how the basic syntax looks:<\/p>
sudo ufw allow\/deny starting_port:ending_port\/protocol<\/pre>
For instance, here’s the command to deny access from port 300 to 310 UDP:<\/p>
sudo ufw deny 300:310\/UDP<\/pre>
Working With Services on Ubuntu Firewall<\/h3>
UFW lets administrators manage network services on Ubuntu systems by opening and closing ports. Instead of specifying the port, they can enter the service name.<\/p>
For example, HTTP transmissions use port 80, while HTTPS connections require port 443. If you want to enable HTTP connections, run the following command:<\/p>
sudo ufw allow http<\/pre>
The command will automatically open the HTTP port, namely 80. Similarly, enabling HTTPS connections means opening port 443.<\/p>
Denying or Allowing IP Address Connections<\/h3>
UFW also lets users deny access to a specific IP address. To do so, execute the following command:<\/p>
sudo ufw deny from ipaddress<\/pre>
Replace deny <\/strong>with allow<\/strong> if you want to enable access from the specified IP address, like the following:<\/p>
sudo ufw allow from 192.168.1.3<\/pre>
You can also create a rule that applies to a specific network interface. For instance, this rule syntax allows an IP address to connect to a specific port only:<\/p>
sudo ufw allow from ipaddress to any port portnumber<\/pre>
Here’s an example command that allows an IP address to connect to your server only when using port 44:<\/p>
sudo ufw allow from 192.168.1.3 to any port 44<\/pre>
Alternatively, use this command to prevent the IP address from connecting to your server when using the specified port:<\/p>
sudo ufw deny from 192.168.1.3 to any port 44<\/pre>
Deleting Rules on Ubuntu Firewall<\/h3>
To delete firewall rules in Ubuntu, use the delete<\/strong> command. Here’s the syntax:<\/p>
sudo ufw delete rule_number<\/pre>
Since deleting rules requires their number label, list them using this command:<\/p>
sudo ufw status numbered<\/pre>
\n![\"PuTTY](\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2023\/08\/PuTTY-SSH-client-showing-a-list-of-UFW-rules.png\/public\")
<\/a><\/figure><\/div>Now, replace the placeholder <\/strong>with the appropriate rule number. For example, here’s a command that will delete rule number four<\/strong>.<\/p>
sudo ufw delete 4<\/pre>
Alternatively, you can reset the firewall configuration to the default rules. To do so, set incoming <\/strong>and outgoing <\/strong>to default<\/strong> using these commands:<\/p>
sudo ufw default deny incoming\n\nsudo ufw default allow outgoing<\/pre>
To delete UFW rules entirely and start over, use the reset <\/strong>command:<\/p>
sudo ufw reset<\/pre>
If you want to learn more commands, browse the UFW manual by running the following:<\/p>
sudo ufw -help<\/pre>
Hostinger’s VPS solutions<\/a> have a built-in firewall management feature accessible via hPanel. It provides a graphical user interface to help users easily configure their firewall rules. Select your VPS and navigate to the Firewall<\/strong> section:<\/p>
\n![\"The](\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2016\/09\/hpanel-vps-firewall-sidebar.png\/public\")
<\/a><\/figure><\/div>Then, select the Create firewall configuration<\/strong> button and give your configuration a name:<\/p>
\n![\"The](\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2016\/09\/hpanel-vps-firewall-createnew.png\/public\")
<\/a><\/figure><\/div>Lastly, hit Edit<\/strong> and add any preferred firewall rules:<\/p>
\n![\"The](\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2016\/09\/hpanel-vps-firewall-edit-highlighted.png\/public\")
<\/a><\/figure><\/div>Alternatively, Hostinger VPS users can ask Kodee AI assistant<\/strong> to manage their server’s firewall. For example, they can create a new firewall rule by simply asking, “Create and activate a new firewall rule on my VPS that allows connection to port 12345 from any IP address.”<\/p>
UFW Best Practices<\/h2>
In this section, we will explain Ubuntu firewall best practices to help you utilize the program effectively to improve your VPS security.<\/p>
Enable UFW Logging<\/strong><\/p>
UFW logging allows system administrators to review all incoming or outgoing packets<\/a> stored in iptables. It provides detailed information about the packets, including their source, destination, and transmission protocol.<\/p>
This feature helps users troubleshoot connection issues and identify potential security threats. However, it is disabled by default. To check its status, use the following command:<\/p>
sudo ufw status verbose<\/pre>
To enable it, run this command:<\/p>
sudo ufw logging on<\/pre>
Use the same command with an off <\/strong>value to disable UFW logging. You can run different commands to view UFW logs, but the easiest way is to use less<\/strong>. Here’s the command:<\/p>
sudo less \/var\/log\/ufw*<\/pre>
The command above assumes the default directory for UFW logs. If you store the firewall logs in another folder, change the file path accordingly.<\/p>
\n\n\n
\nPro Tip<\/h4>\n
In addition to checking the logging feature, use sudo ufw status verbose<\/strong> to list your rules.<\/p>\n <\/div>\n\n\n\n<\/p>
Use UFW With IPv6<\/strong><\/p>
As IPv4 IP addresses run out, IPv6 becomes more important in modern networking. UFW lets you filter IPv6 to improve your VPS security<\/a>, but this feature is disabled by default.<\/p>
To enable it, change the UFW configuration file using a text editor like Nano<\/strong> with this command:<\/p>
sudo nano \/etc\/default\/ufw<\/pre>
\n![\"The](\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2023\/08\/The-IPv6-status-in-UFW-configuration-file.png\/public\")
<\/a><\/figure><\/div>Find IPv6 <\/strong>and change the value from no <\/strong>to yes<\/strong>. Press Ctrl + X <\/strong>to quit Nano and press Y <\/strong>to confirm the changes. To disable it, change the value back to no<\/strong>.<\/p>
Check UFW Compatibility With Docker<\/strong><\/p>
Docker<\/a> may cause conflicts with UFW as it can modify the firewall rules in iptables. UFW won’t prevent an application in the Docker container from connecting to a blocked port, regardless of the rules.<\/p>
Since UFW doesn’t show that the port is open, this incompatibility exposes your server to security risks. There are different ways to match UFW and Docker’s rules, but using the ufw-docker <\/strong>utility<\/a> is the easiest.<\/p>
Open Terminal or your SSH client and follow these steps to install and use the tool:<\/p>
- \n
- Enter these commands to download the script from the repository:<\/li>\n<\/ol>
sudo wget -O \/usr\/local\/bin\/ufw-docker \\ https:\/\/github.com\/chaifeng\/ufw-docker\/raw\/master\/ufw-docker\nsudo chmod +x \/usr\/local\/bin\/ufw-docker\n<\/pre>
- \n
- Install the utility using this command:<\/li>\n<\/ol>
sudo install ufw-docker<\/pre>
- \n
- Restart UFW with the command below:<\/li>\n<\/ol>
sudo systemctl restart ufw<\/pre>
- \n
- Run the ufw-docker <\/strong>command to open a port for a Docker container, like the following:<\/li>\n<\/ol>
sudo ufw-docker allow httpd 80<\/pre>
Set Up UFW Application Profiles<\/strong><\/p>
Several applications require multiple network interfaces, which can be tedious to allow individually. UFW lets you easily set a rule based on the application’s ports with one command:<\/p>
sudo ufw allow app_name<\/pre>
Replace app_name <\/strong>with your application profile. For example, here’s the command to allow incoming SSH connections:<\/p>
sudo ufw allow ssh<\/pre>
You can also allow ports from a source IP address to a specific destination using this command:<\/p>
sudo ufw allow from source_IP to destination_IP app app_name<\/pre>
UFW has pre-configured application profiles by default, which you can obtain using this command:<\/p>
sudo ufw app list<\/pre>
You may also create custom application profiles. To do so, connect to your server via Terminal or an SSH client and follow these steps:<\/p>
- \n
- Run the touch<\/strong> command<\/a> to create an empty file in the UFW application folder:<\/li>\n<\/ol>
sudo touch \/etc\/ufw\/applications.d\/file_name<\/pre>
- \n
- Open the file using Nano<\/strong> with this command:<\/li>\n<\/ol>
sudo nano \/etc\/ufw\/applications.d\/file_name<\/pre>
- \n
- Enter the following snippet to set your application profile. Replace the placeholders with the appropriate values:<\/li>\n<\/ol>
[app_name]\ntitle=application_title\ndescription=application_description\nports=ports\/protocol|ports\/protocol|ports\/protocol<\/pre>
- \n
- Press Ctrl + X <\/strong>to close Nano <\/strong>and Y <\/strong>to confirm the changes.<\/li>\n\n\n\n
- Update the application definitions in UFW using these commands:<\/li>\n<\/ol>
sudo ufw app update appname\nsudo ufw app info appname<\/pre>
You can specify multiple ports with the same protocol using commas in the configuration code. For port ranges, use a colon instead of a dash. See the following example:<\/p>
ports=80,443,8140\/tcp|800:1500\/udp<\/pre>
Follow Other Security Practices Beyond Firewall<\/strong><\/p>
Enabling UFW is one of many important Ubuntu security measures. Since there are a variety of cyber threats, system administrators must fortify firewalls with other security practices.<\/p>
Here are several additional security practices you should implement in your VPS hosting environment:<\/p>
- \n
- Update regularly<\/strong>. Older software packages have vulnerabilities that expose your VPS to cyber threats. To minimize the risk, regularly update your VPS software and enable cron jobs<\/a> to automate the process.<\/li>\n\n\n\n
- Change SSH ports<\/strong>. SSH connections use port 22 by default, which hackers often exploit to access your server. Changing the SSH port<\/a> helps improve your VPS security.<\/li>\n\n\n\n
- Use SSH keys<\/strong>. SSH keys<\/a> are additional security credentials for connecting to your VPS. They are longer and more complex than passwords, making them more secure.<\/li>\n\n\n\n
- Disable root login<\/strong>. A root user can modify any aspect of your system, making them a common target for hacking. To secure your VPS, disable root login and create alternative user roles with superuser privileges.<\/li>\n\n\n\n
- Install IDS\/IPS tool<\/strong>. Intrusion detection and prevention systems let you quickly determine the origin of malicious network traffic, which you can block using UFW. To learn more about how to install the tool, check out our tutorial on setting up Suricata on Ubuntu<\/a>. <\/li>\n<\/ul>
Conclusion<\/h2>
A VPS system is vulnerable to cyber threats when configured improperly. An efficient way to improve your Ubuntu server security is to install Uncomplicated Firewall (UFW) that filters outgoing and incoming connections.<\/p>
UFW is installed by default, but users must manually enable it via Terminal or an SSH client like PuTTY. Once enabled, edit the default policies to filter connections based on ports, IP addresses, or services.<\/p>
In addition, follow the firewall’s best practices to improve your Ubuntu network security. For example, enable logging to track traffic in detail, check UFW compatibility with Docker, set up an applications profile, and fortify the firewall with other security practices like using SSH keys.<\/p>
\n\n\n
\nDiscover More About How to Protect Your Linux<\/h4>\n
How to Configure OpenVPN on VPS<\/a>
\nHow to Configure Fail2Ban on CentOS<\/a>
\nHow to Install ClamAV on CentOS<\/a><\/p>\n <\/div>\n\n\n\n<\/p>Ubuntu Firewall FAQ<\/h2>
In this section, we will answer several commonly asked questions about setting up UFW in Ubuntu.<\/p>
Is UFW Pre-installed in Ubuntu 22.04 and Newer Versions?<\/h3>
Yes, UFW was introduced in Ubuntu 8.04 LTS, and it comes pre-installed in later versions, including 22.04. However, it is disabled on the default settings.
To enable it, enter the sudo ufw enable <\/strong>command. Other UFW features are also disabled by default, such as IPv6 support and logging.<\/p> <\/div>What Are the Basic UFW Commands to Know When Setting up a Firewall on Ubuntu?<\/h3>
UFW has various commands for different purposes. For example, the sudo ufw status <\/strong>command checks whether the firewall is active.
Other important commands include sudo ufw deny <\/strong>and sudo ufw allow<\/strong>, <\/strong>which alter the default settings for incoming and outgoing connections. Enter sudo ufw -help <\/strong>to list all commands.<\/p> <\/div>Are the UFW Commands the Same Across Ubuntu Versions?<\/h3>
UFW commands are mostly the same regardless of the Ubuntu version. However, if you use versions older than 8.04 TLS, you can’t run them.<\/p> <\/div>
What Is the Difference Between UFW and GUFW?<\/h3>
UFW is a command-line version of Ubuntu’s firewall, while GUFW has a graphical user interface. Both work similarly to configure your system’s firewall.
GUFW is easier to use for beginners as it has a visual interface. However, UFW is more convenient for a remote server as it uses SSH.<\/p> <\/div> <\/div>\n","protected":false},"excerpt":{"rendered":"When configured improperly, your Linux virtual private server (VPS) is vulnerable to cyber attacks. Even if your hosting provider installs […]<\/p>\n
- Change SSH ports<\/strong>. SSH connections use port 22 by default, which hackers often exploit to access your server. Changing the SSH port<\/a> helps improve your VPS security.<\/li>\n\n\n\n
- Update the application definitions in UFW using these commands:<\/li>\n<\/ol>
- Press Ctrl + X <\/strong>to close Nano <\/strong>and Y <\/strong>to confirm the changes.<\/li>\n\n\n\n
- Enter the following snippet to set your application profile. Replace the placeholders with the appropriate values:<\/li>\n<\/ol>
- Open the file using Nano<\/strong> with this command:<\/li>\n<\/ol>
- Run the touch<\/strong> command<\/a> to create an empty file in the UFW application folder:<\/li>\n<\/ol>
- Run the ufw-docker <\/strong>command to open a port for a Docker container, like the following:<\/li>\n<\/ol>
- Restart UFW with the command below:<\/li>\n<\/ol>
- Install the utility using this command:<\/li>\n<\/ol>
- Enter these commands to download the script from the repository:<\/li>\n<\/ol>
- To confirm that the installation is successful, use this command to check the firewall status:<\/li>\n<\/ol>
- If you receive a UFW command not found <\/strong>error, it means the firewall isn’t installed on your system. To install it, use the command below:<\/li>\n<\/ol>
- Enter your SSH root password<\/strong>.<\/li>\n<\/ol>
- Traffic filtering<\/strong>. VPS users can set a custom rule to only allow specific connections to reach the server and block the others.<\/li>\n\n\n\n