
Firewall setup

How to set up and configure the UFW Ubuntu firewall after installing your application.


Ufw (uncomplicated firewall)

list of ports

sudo ufw status
You should see this message if ufw is installed. We will activate it later on in the process.
Status: inactive
if it's not installed, use the following to install it
sudo apt install ufw

check ports in use

list the ports that are currently in use, so you know which ones your firewall rules must allow
sudo ss -tunlp

-t TCP ports

-u UDP ports

-n numerical addresses instead of hosts

-l listening ports

-p PID and name of listener's process

source: check listening ports

setup your firewall

sudo ufw default deny incoming
message from terminal
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
let your server access the internet
sudo ufw default allow outgoing
message from terminal
Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)
allow the custom SSH port you use to log in to your server (2140 in this guide)
sudo ufw allow 2140
allow http (port 80)
sudo ufw allow http/tcp
allow https (port 443, the port your SSL/TLS certificate is served on)
sudo ufw allow 443
allow the database port (5432 is the PostgreSQL default), or choose your own; only open it if the database must be reachable from other hosts
sudo ufw allow 5432
allow the port for Ditto, or choose your own
sudo ufw allow 4036

enable ufw

So far, ufw has been disabled. As long as the port you use to access the server is allowed, you should be able to log back in.

You can also test whether you can still log in by opening a separate terminal window, without closing the one you are in.

Once you are sure of your settings:

sudo ufw enable
message from terminal
Command may disrupt existing ssh connections. Proceed with operation (y|n)
y
message from terminal
Firewall is active and enabled on system startup
check if it's running
systemctl status ufw

it should be green and active
 ufw.service - Uncomplicated firewall
     Loaded: loaded (/.../ufw.service; enabled; vendor preset: e>
     Active: active 
     ...
Close with Ctrl + C

deeper dive on configuring firewall rules with UFW
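As an added example (not part of the original page), a small shell guard for the enable step above: it reads the rules ufw has recorded with `ufw show added` and only runs `ufw enable` when the login port (2140 on this page) is covered by an allow or limit rule, so you cannot lock yourself out. The `SAMPLE_RULES` text is constructed to resemble that output.

```shell
#!/bin/sh
# Added example, not from the original page: a guard for "sudo ufw enable".
# It refuses to enable the firewall unless the port you log in on is already
# allowed, so an SSH session survives the switch to "deny incoming".

# port_allowed PORT RULES_TEXT
# Exit 0 when RULES_TEXT (the output of "ufw show added") contains an
# allow/limit rule for PORT, written either as "ufw allow PORT[/proto]" or in
# the long form "ufw allow ... to any port PORT[/proto]"; exit 1 otherwise.
port_allowed() {
    port="$1"
    rules="$2"
    printf '%s\n' "$rules" | grep -Eq \
        '^ufw (allow|limit) ((in )?(on [A-Za-z0-9]+ )?|.* to any port )'"$port"'(/(tcp|udp))?([[:space:]]|$)'
}

# safe_enable PORT: run "ufw enable" only when PORT is allowed.
# "--force" skips the interactive "Proceed with operation (y|n)?" prompt;
# that is acceptable here because the check above already stood in for it.
safe_enable() {
    port="$1"
    rules="$(sudo ufw show added)"   # needs root, like every ufw command
    if port_allowed "$port" "$rules"; then
        sudo ufw --force enable
    else
        echo "refusing to enable ufw: no allow rule for port $port" >&2
        return 1
    fi
}

# Constructed sample of "sudo ufw show added" output after the rules on this
# page were added (not captured from a real server).
SAMPLE_RULES="Added user rules (see 'ufw status' for running firewall):
ufw allow 2140
ufw allow http/tcp
ufw allow 443
ufw allow 5432
ufw allow 4036"

# Offline demonstration on the sample; on a real server run: safe_enable 2140
port_allowed 2140 "$SAMPLE_RULES" && echo "port 2140 is allowed in the sample rules"
```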


configured ports list

this command will list the rules you have configured, with the ports they allow

sudo ufw status

Update

When you log in, remember to update your server's software.

sudo apt update
message from terminal
Hit:1 http://us.archive.ubuntu.com/ubuntu focal InRelease
Get:2 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease [128 kB]
...
All packages are up to date. 

If the message above mentions that packages could be upgraded, run the command below.

sudo apt upgrade
message from terminal
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
...
Do you want to continue? [Y/n]
Y

You should see a progress bar at the bottom.

If you get a message asking to restart services so that the kernel update takes effect, hit Enter. It will list which services need to be restarted. Hit Enter again.

It will display a list of items and say that nothing needs to be restarted, nor is anything outdated.

Next: Install Ditto.


System restart required

When you log in, aside from updates, your server may tell you that a restart is required.

sudo reboot

log in, again


Restart from scratch

Learning about tech means learning to make mistakes and trying again.

If you reinstall your server to try this process again from scratch, on the same server IP, you will get a scary warning like this one:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
Because you reinstalled the server yourself, you know why the host key changed, and you can fix it by removing your old key from the known_hosts file and making a copy of it in a separate folder, just in case. If you ever see this warning without having reinstalled or rebuilt the server, do not remove the key until you have confirmed with whoever runs the server that its key really changed.

from your terminal

ssh-keygen -R 111.111.11.11
message from terminal
# Host 111.111.11.11 found: 
/route/ updated
Original contents retained as /route-for-old-keys

If you still cannot log in after that, the error message will give you a file path at the bottom. The number after the colon is the line you need to find and delete.

/thedirectory/path/it/gives/you/known_hosts:21

get to the right directory (leave out the known_hosts file name, the colon, and the line number)
cd /thedirectory/path/it/gives/you 
list the files in the directory
ls

open the known_hosts file; it will ask for your computer password
sudo nano known_hosts
It will open up a new window. You can delete the "offending" line. It will start with the server's IP, unless your client hashes known_hosts entries (Ubuntu's default), in which case the line starts with |1| and you have to go by the line number from the error message.

Ctrl + O to save

Ctrl + X to exit the window

go back to your home folder and log in again
cd ..

sources:

How to Fix Warning Remote Host Identification Has Changed

Removing an SSH Public Key for user