Installing and Configuring ufw Firewall in Ubuntu 8.10

One of the first things you should do after bootstrapping a new Webby is tighten its security. Many successful break-ins come down to weak passwords and services left listening on ports that are open to the whole Internet.

In this guide we’ll walk you through how to install and configure an easy-to-use firewall package called ufw (Uncomplicated Firewall) that is available through apt-get.

Requirements

This guide was written using Ubuntu 8.10 but should work without changes for Ubuntu 8.04 and 9.04.

Installation

To install ufw you only need apt-get:

$ apt-get update
$ apt-get install ufw

Note: If you’re not logged in as the root user you’ll need to use sudo apt-get install ufw. The same goes for every ufw command in this guide: they all need root.

Configuration

Configuring ufw is almost as simple as installing it. It’s a very intuitive tool.

ufw comes disabled by default, so the first thing to do is enable it and answer y to the prompt. Take the prompt seriously: if you are connected over ssh and the firewall comes up without a rule allowing port 22, you can lock yourself out of the server. If in doubt, run the ufw allow 22 step from the next section before enabling the firewall.

$ ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

Alright, now it’s enabled and will also be started at boot. This way, even if you reboot your Webby, ufw keeps running.

Denying connections by default

When installed, ufw acts very unobtrusively: it won’t close access to any ports. To really secure the system we want the inverse approach: deny every incoming connection except the ones we explicitly decide we need.

Before changing the default ufw operation mode, let’s make sure we allow connections to the ssh port we’re connected to. Note that a bare port number opens it for both TCP and UDP; sshd only speaks TCP, so ufw allow 22/tcp is the tighter rule if you want to keep UDP 22 closed:

$ ufw allow 22
Rule added

You can now check that this rule was properly added:

$ ufw status
Status: active

To                         Action  From
--                         ------  ----
22                         ALLOW   Anywhere

Now that ssh is good to go, let’s shut everything else down:

$ ufw default deny
Default policy changed to 'deny'
(be sure to update your rules accordingly)

Now you have to allow every port you actually plan on using on this Webby. For instance, if you are serving HTML pages from Apache or running a Rails application, you should open port 80 (and 443 if you serve HTTPS):

$ ufw allow 80
Rule added

In case you’re in doubt about which port a service uses by default, check the list of well-known TCP and UDP port numbers on Wikipedia, or look it up in /etc/services on the server itself.

Fine grained security

Allowing a port to the whole world is not the only option: ufw can also restrict a port to a particular source address.

Let’s say you’re running a MySQL database server on your Webby, your app has grown, and you want a second Webby to serve the web requests. To let the other Webby reach the MySQL server running locally, you could simply allow 3306 (MySQL’s default listening port) to everyone, or, much better, allow only the other Webby to connect.

This is very simple as well. Let’s say webby_mysql is (obviously) where MySQL lives and the new Webby goes by the name of webby_appserver and has an internal IP of 172.16.0.94. All you have to do is find webby_appserver’s IP (use the internal one, so the traffic never leaves the private network) and allow that single address on port 3306. Don’t also run a plain ufw allow 3306, or the restriction is pointless.

Here’s how we achieve it:

$ ufw allow from 172.16.0.94 to any port 3306
Rule added

And you can double check it:

$ ufw status
Status: active

To                         Action  From
--                         ------  ----
22                         ALLOW   Anywhere
3306                       ALLOW   172.16.0.94
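As an added example that is not part of the original article (and not Webbynode’s own tooling), the following POSIX shell script gathers the steps above into one place: deny by default, allow ssh, allow the public web ports, allow MySQL from one host only, and only then enable the firewall, so the ssh rule is in place before anything is blocked. It prints the plan as a dry run and applies it only when UFW_APPLY=1. The address 172.16.0.94 is the one used above; the function names and the UFW_APPLY variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original article. Builds the ufw rule
# set described in the guide in a safe order. Dry run by default; set
# UFW_APPLY=1 (assumed name) to execute the commands as root.

# App server allowed to reach MySQL (the address used in the article).
APP_SERVER_IP="172.16.0.94"

is_ipv4() {
    # Accept only a dotted quad with every octet in 0-255, so a typo or
    # a hostname never ends up inside a firewall rule.
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

ufw_plan() {
    # $1: comma-separated public TCP ports, e.g. "80" or "80,443"
    # $2: optional IPv4 address allowed to reach MySQL on 3306/tcp
    public_ports=$1
    mysql_client=$2
    if [ -n "$mysql_client" ] && ! is_ipv4 "$mysql_client"; then
        echo "ufw_plan: '$mysql_client' is not an IPv4 address" >&2
        return 1
    fi
    # Deny first, then punch holes. 'ufw default deny' is the form the
    # article uses; newer releases also accept 'ufw default deny incoming'.
    echo "ufw default deny"
    # sshd speaks TCP only; '22/tcp' is tighter than a bare '22',
    # which opens UDP 22 as well.
    echo "ufw allow 22/tcp"
    old_ifs=$IFS; IFS=,
    for p in $public_ports; do
        IFS=$old_ifs
        case $p in
            ''|*[!0-9]*) echo "ufw_plan: bad port '$p'" >&2; return 1 ;;
        esac
        echo "ufw allow ${p}/tcp"
    done
    IFS=$old_ifs
    if [ -n "$mysql_client" ]; then
        # Only this one host may reach MySQL; nobody else sees 3306.
        echo "ufw allow proto tcp from ${mysql_client} to any port 3306"
    fi
    # Last, so the ssh rule exists before the firewall comes up.
    echo "ufw enable"
}

ufw_apply() {
    # Execute the plan for real. Needs root and an installed ufw. The plan
    # is read on fd 3 so 'ufw enable' can still ask its y/n question on stdin.
    tmp=$(mktemp) || return 1
    ufw_plan "$1" "$2" > "$tmp" || { rm -f "$tmp"; return 1; }
    while IFS= read -r cmd <&3; do
        echo "+ $cmd"
        $cmd || { rm -f "$tmp"; return 1; }
    done 3< "$tmp"
    rm -f "$tmp"
}

# Web server on 80 that lets the app server reach MySQL.
if [ "${UFW_APPLY:-0}" = "1" ]; then
    ufw_apply "80" "$APP_SERVER_IP"
else
    ufw_plan "80" "$APP_SERVER_IP"
fi
```

Run it once without UFW_APPLY to read the plan, then with UFW_APPLY=1 as root. Because ufw enable is the last command, the session you are running it from survives, and because the 3306 rule names a single source address there is no world-open MySQL port to forget about later.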

Further reference

You can do a lot more with ufw: allowing an IP range, allowing only TCP or only UDP connections, and so on.

For further reference, start with the ufw manual page (man ufw) on the server, which documents the full rule syntax.
