Firewall Basics

Objective

Make a blog server more secure using a firewall.

Background

For a server that hosts a blog, the only traffic it should ever allow is HTTP and HTTPS - ports 80 and 443. In this nugget, we will configure ufw (the uncomplicated firewall) available on Ubuntu to allow only HTTP, HTTPS and ssh traffic.

Prerequisites

An Ubuntu based blog server. For this exercise it is a VM in DigitalOcean running the popular Ghost server on Ubuntu. Ghost uses the nginx web server.

Steps

Check status

sudo ufw status

If the output is inactive... it's time to activate it.

sudo ufw enable

The status command again, and ufw should be active now.

Allow both HTTP and HTTPS connections.

sudo ufw allow 'Nginx Full'

Check which ports are enabled

sudo ufw status verbose

Output:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere                  
80,443/tcp (Nginx Full)    ALLOW IN    Anywhere                  
22 (v6)                    ALLOW IN    Anywhere (v6)             
80,443/tcp (Nginx Full (v6)) ALLOW IN    Anywhere (v6)

Just these few simple commands make your Ghost blog server much more secure than before. Anyone trying to connect on any other port will be denied - silently, or explicitly.
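As an added example (not part of the original nugget), the check you just did by eye on the status output can be scripted: a small POSIX shell audit that reads "sudo ufw status verbose" output and reports an inactive firewall, a non-deny incoming policy, or any ALLOW IN rule for a port outside an allow-list. The sample status text is constructed from the output above with one extra, hypothetical 3306/tcp rule so the audit has something to flag; the function names allowed_ports and audit_ufw are my own.

```shell
#!/bin/sh
# Added example, not from the original nugget: audit "sudo ufw status verbose"
# output against an allow-list of ports. Function names are my own.
# Real use:  sudo ufw status verbose | audit_ufw "22 80 443"
# Constructed sample: the status output of the Ghost server above, plus one
# extra rule (3306/tcp, hypothetical) so the audit has something to flag.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80,443/tcp (Nginx Full)    ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)
80,443/tcp (Nginx Full (v6)) ALLOW IN    Anywhere (v6)'

# allowed_ports: read status output on stdin, print each port with an
# ALLOW IN rule, one per line, sorted numerically and de-duplicated.
# Handles the "22", "22 (v6)", "80,443/tcp" and "3306/tcp" forms.
allowed_ports() {
    grep 'ALLOW IN' | awk '{print $1}' | sed 's#/.*##' | tr ',' '\n' | sort -un
}

# audit_ufw "PORT PORT ...": read status output on stdin and report anything
# that weakens the baseline (inactive firewall, non-deny incoming policy,
# an ALLOW IN rule for a port outside the list). Returns 1 on any finding.
audit_ufw() {
    expected="$1"
    status=$(cat)
    rc=0
    printf '%s\n' "$status" | grep -q '^Status: active' \
        || { echo "finding: ufw is not active"; rc=1; }
    printf '%s\n' "$status" | grep -q '^Default: deny (incoming)' \
        || { echo "finding: default incoming policy is not deny"; rc=1; }
    for port in $(printf '%s\n' "$status" | allowed_ports); do
        case " $expected " in
            *" $port "*) ;;
            *) echo "finding: unexpected ALLOW IN rule for port $port"; rc=1 ;;
        esac
    done
    return $rc
}

# Run the audit on the sample: the 3306 rule is reported and the status is 1.
printf '%s\n' "$SAMPLE_STATUS" | audit_ufw "22 80 443" || echo "audit: findings above"
```

On the real server, replace the sample with the live command output; a clean run prints nothing and exits 0.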

Test

It's now time to test it out. Try to visit the home page of the blog. It should work. Now remove the rule that allows HTTP and HTTPS traffic.

sudo ufw deny 'Nginx Full'

You should now see an error when you navigate to the blog.

Your firewall is working, and you can verify this by running the status command again with the verbose option. Then allow HTTP and HTTPS again with the same allow command as before.

nmap is a popular tool to check whether a port is open or not.

nmap -p 443 159.65.158.199

Yes, 443 is open:

Nmap scan report for 159.65.158.199
Host is up (0.013s latency).

PORT    STATE SERVICE
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

Try checking another port, say port 389.

Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-17 21:36 IST
Nmap scan report for 159.65.158.199
Host is up (0.027s latency).

PORT    STATE    SERVICE
389/tcp filtered ldap

filtered means that the port was not reachable. Maybe there is a server listening on that port, or maybe there isn't. An attacker just won't know.

Running nmap with just the IP (nmap <ip>) makes it scan its default set of 1000 ports to see what's open.

Nmap scan report for 159.65.158.199
Host is up (0.0076s latency).
Not shown: 997 filtered tcp ports (no-response)

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

This server has only these three ports open.

Dig deeper

The uncomplicated firewall uses iptables underneath as the actual firewall. Find out more about it, and how it works.