Ubuntu – setting up ufw for a website, I want to disallow everything except ssh, e-mail, and http

Tags: firewall, Ubuntu, ufw

I have read the basic instructions here:

https://help.ubuntu.com/community/UFW

I want to sudo ufw default deny and then

sudo ufw allow ssh
sudo ufw allow smtp
sudo ufw allow www
sudo ufw allow https
sudo ufw allow imaps

to allow the services I need. Am I missing anything? I assume allowing ssh will also allow scp? (Heck, I will allow sftp as well anyway.)

However, my problem is that I am connecting remotely, so the only way I can do what I want is to actually do a sudo ufw default allow, then use the list of services provided by less /etc/services and deny each service individually?

This seems a pain, as if I turn on the firewall with default deny it will boot me out of my ssh connection?

(also posted on askubuntu, not sure which is the best place)

Best Answer

Yeah, SCP/SFTP are via the SSH protocol, so your rules will cover them.

Use default deny - you don't want to default to allowing any services that come up later.

UFW defaults to disabled, so configure it with default deny then all of your allow rules for services before running ufw enable. It'll warn you about burning your SSH session when you do this, but if you've configured your SSH rule, there will be no issue and your current session won't even drop.

One other suggestion: use limit instead of allow for the SSH rule - it's a simple way to cut down on the viability of brute-force authentication against the service by blocking overly frequent connections.
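The ordering the answer recommends (default policy, allow rules, rate-limited SSH, and only then enable), as an added example script that is not part of the original question or answer. It assumes ufw is installed, that the script runs as root over the existing SSH session, and that ufw's default outgoing policy stays at allow; the service names are the ones from the question.

```shell
#!/bin/sh
# Added example: bring ufw up over an SSH session without locking yourself out.
# Assumes ufw is installed and the script runs as root (e.g. via sudo).

# The ufw commands, one per line, in the order they must run. Kept separate
# from execution so the plan can be reviewed (or checked) before anything
# touches the firewall. "--force enable" skips the interactive SSH warning,
# which is safe only because the SSH rule is already in place at that point.
ufw_plan() {
    cat <<'EOF'
default deny incoming
default allow outgoing
limit ssh
allow smtp
allow www
allow https
allow imaps
--force enable
EOF
}

# 1-based position of an exact plan line; prints nothing if it is absent.
plan_pos() {
    ufw_plan | grep -n -x -F -- "$1" | head -n 1 | cut -d: -f1
}

# Succeeds only if the deny policy and the SSH rule both precede "enable".
plan_is_safe() {
    deny=$(plan_pos 'default deny incoming')
    ssh=$(plan_pos 'limit ssh')
    en=$(plan_pos '--force enable')
    [ -n "$deny" ] && [ -n "$ssh" ] && [ -n "$en" ] &&
        [ "$deny" -lt "$en" ] && [ "$ssh" -lt "$en" ]
}

# Run every plan line through the given command (default: ufw); stop on the
# first failure so a rejected rule never leaves the firewall half-configured.
apply_plan() {
    cmd=${1:-ufw}
    ufw_plan | while IFS= read -r args; do
        # word-splitting $args into separate ufw arguments is intended
        "$cmd" $args || return 1
    done
}

# "sh ufw-setup.sh apply" applies the plan; with no argument it is only printed.
if [ "${1:-}" = apply ]; then
    plan_is_safe || { echo "refusing: SSH rule or deny policy would follow enable" >&2; exit 1; }
    apply_plan
else
    ufw_plan
fi
```

Substituting `echo` for ufw (`apply_plan echo`) shows exactly what would run without changing the firewall.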