How to Install & Configure UFW Firewall to Secure Web Server


UFW (Uncomplicated Firewall) is a frontend for the more complex iptables. With UFW you can write simple rules to allow or deny traffic to specific ports, or traffic from specific IP addresses / subnets. You can also use its rate-limit feature to allow only a certain number of connections within a defined time period. In this lesson, we will learn to install and configure the UFW firewall.

UFW Installation

If you are using Ubuntu, this firewall comes with it by default. You can check its status with:

$ sudo ufw status

It may be installed but "inactive". If it is not installed, you can install it with:

$ sudo apt install ufw

On any other distribution, use that distribution's package manager for installation. UFW is now installed but still inactive, so writing rules will not yet affect your SSH connectivity.

Setting Up Defaults for UFW

A good starting point is to have the firewall deny all packets destined for our server and allow all packets originating from our server. Let's do this together.

$ sudo ufw default deny incoming

$ sudo ufw default allow outgoing

With the default rules set, we can start allowing specific ports on top of them.

Allow Ports for Webserver & SSH

If you are hosting your website on your server, you need to allow web traffic / secure web traffic, and you also need SSH access to the server for management purposes. To configure the firewall for this, execute the steps below.

$ sudo ufw allow ssh
$ sudo ufw allow http
$ sudo ufw allow https
$ sudo ufw allow 5060

Note that the ssh rule allows access only to port 22. If you run SSH on a non-standard port, you will have to allow that port through the firewall.

If you want to allow SSH connections only from your home / work locations, you can do so by whitelisting your public IP address for the SSH port like so. For the restriction to take effect, the general ssh rule added above must not also be present, since it allows port 22 from anywhere.

$ sudo ufw allow proto tcp from your_public_ip to any port 22

Note: Follow the above scenario only if you have a static public IP address at your home / office location. Otherwise, when the lease on the DHCP address provided by your service provider expires, you will no longer have SSH access to your web server.

Rate Limiting SSH

UFW provides another useful feature: rate limiting SSH connections to protect against brute-force attacks on your server's SSH port. By default, UFW's limit allows only 6 connections in 30 seconds. To enable this feature:

$ sudo ufw limit ssh

Enable & Start UFW Service

You have now configured your firewall, but it is still in a disabled / inactive state. It is time to enable it and start the service. Also enable its logging so you can monitor it.

$ sudo systemctl enable ufw
$ sudo ufw enable
$ sudo ufw logging on

You can view its connection logs in /var/log.

Maintaining UFW Firewall

Now that the UFW firewall is up and running, you need to maintain it by reviewing the firewall rules. Any unwanted rule that you are not using should be deleted. For example, we allowed port 5060, which is not required for a web server, so we can proceed to delete it. Rules are stored by number, so we need to look up a rule's number in the numbered listing and give that number in order to delete it.

$ sudo ufw status numbered   # displays rules with their numbers
$ sudo ufw delete 3          # deletes rule number 3
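The maintenance review described above can be scripted. This is an added example, not part of the original post: it reads `ufw status numbered` output and lists the rule numbers whose port is not expected on a web server, highest number first, because UFW renumbers the remaining rules after each delete. The `ALLOWED_PORTS` list, the function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find UFW rules that open ports a web server does not need.
# ALLOWED_PORTS is an assumption (SSH, HTTP, HTTPS); adjust it for your host.
ALLOWED_PORTS="22 80 443"

# Constructed sample of `sudo ufw status numbered` output (not from a real host).
sample_status() {
cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 5060                       ALLOW IN    Anywhere
[ 5] 22/tcp (v6)                LIMIT IN    Anywhere (v6)
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
[ 8] 5060 (v6)                  ALLOW IN    Anywhere (v6)
EOF
}

# Reads numbered status text on stdin and prints "number target" for every
# rule whose port is not in ALLOWED_PORTS, highest rule number first.
# Targets that are not a plain port (e.g. application profiles) are listed
# too, so they get a manual review.
unexpected_rules() {
    sed -n 's/^\[ *\([0-9][0-9]*\)] *\([^ ]*\).*/\1 \2/p' |
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { port = $2; sub(/\/.*/, "", port); if (!(port in ok)) print $1, $2 }
    ' | sort -rn
}

# Prints only the rule numbers, space separated, in a safe deletion order:
# deleting the highest number first keeps the lower numbers valid.
delete_order() {
    unexpected_rules | awk '{ printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# On a real host: sudo ufw status numbered | unexpected_rules
sample_status | unexpected_rules
```

Review the listed rules before removing anything, and re-run `sudo ufw status numbered` after each delete to confirm the numbers still point at the rule you intend.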

That's all for now. In this post we learnt to install and configure the UFW firewall. I hope this has been informative for you, and I would like to thank you for viewing.
