How to quickly become firewall expert with UFW !

Uncomplicated Firewall (UFW) is a helper tool which allows you to quickly setup iptables firewall in any Ubuntu server. It is installed by default and it allows you to secure your server at no time!

Basic UFW

Basic UFW: Check Status
You can check UFW by running this command. The verbose argument prints additional information such as UFW profiles, logging settings.

The ‘numbered’ argument prints the list of rules with line number. I’ll explain later on the use of this feature.

sudo ufw status
sudo ufw status verbose
sudo ufw status  numbered

Basic UFW: Enable and Disable Firewall
You can easily enable and disable firewall by specifying ‘disable’ and ‘enable’ argument.

Warning : Please do not enable UFW if you’re connecting using SSH connection to your Ubuntu box, you might be disconnected.

sudo ufw disable
sudo ufw enable

Basic UFW: Setting up default rule and Enabling SSH
A lot of you might be connecting to Ubuntu box using SSH connections, so the first step is to setup a default rule and enabling SSH connection.

Deny incoming connection

sudo ufw default deny incoming

Allow incoming SSH connection

sudo ufw allow ssh

Alternatively you can write:

sudo ufw allow 22/tcp

Finally, enable firewall

sudo ufw enable

You can check the firewall rules by running

sudo ufw status

Basic UFW: Enabling other service: HTTP, HTTPS

Enabling web server port and https is as easy as running

sudo ufw allow http
sudo ufw allow https

Basic UFW: Deleting rule
You can delete UFW rule by running

sudo ufw delete allow https

or by specifying its port and protocol

sudo ufw delete allow 443/tcp

Additionally you could also delete rule using its number by running “ufw status numbered” first

sudo ufw status numbered
ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 443                        ALLOW IN    Anywhere
[ 4] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 443 (v6)                   ALLOW IN    Anywhere (v6)

Then pick a firewall rule based on its number to delete, I picked number 3 and 6, because I want to delete https rule

sudo ufw delete 3
sudo ufw delete 6

UFW will print a confirmation prompt and you can continue deleting the firewall rules

/home/mypapit# ufw delete 6
 allow 443
Proceed with operation (y|n)? y   
Rule deleted (v6)

/home/mypapit# ufw delete 3
 allow 443
Proceed with operation (y|n)? y
Rule deleted

Intermediate UFW

Intermediate UFW: Deny access from ip address or ip block
You can prevent certain ip address or ip blocks / subnets from reaching your server by running:

sudo ufw deny from

Deny an ip address subnet

sudo ufw deny from

Deny an ip address subnet, example #2

sudo ufw deny from

Intermediate UFW: Allow services to be connected from certain ip address or subnet
In this case, I will only allow certain ip address to connect to my SSH port.

First we delete the old – “allow all” SSH rule

sudo ufw disable
sudo ufw delete allow ssh

Then we add ip address to be allowed to connect to SSH port

sudo ufw allow from to any port ssh

Alternatively, you could also specify port number and protocol

sudo ufw allow from to any port 22 proto tcp

Only allow SSH connections from certain subnets

sudo ufw allow from to any port 22 proto tcp

Note: Adding firewall rules to only allow SSH connection from certain subnets would increase the server security, further reducing brute-force attack.

Further Reading: Ubuntu Server Administrator Reference

How to secure server from SYN-flood attack using iptables

SYN-flood attack is commonly utilized as a mean to disrupt network communication and it is a form of (Distributed Denial-of-Service) DDOS attack. RFC4987 details common mitigation to deal with SYN-flood attack.

However in this post, I’m going to share you the method that I use to reduce the risk of SYN-flood attack from my department computers, with iptables
/sbin/iptables -N syn-flood
/sbin/iptables -A syn-flood -m limit –limit 100/second –limit-burst 100 -j RETURN
/sbin/iptables -A syn-flood -j LOG –log-prefix "SYN-flood attempt: "
/sbin/iptables -A syn-flood -j DROP

RFC4987 suggests the use of SYN-cookie for added protection. You can enable SYN-cookie protection in Linux by running this command (as root):
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

hope that helps…

Note: I’m not a full-time sysadmin as I’ve a different dayjob, but I was put incharged in securing part of my school’s computer network, so there.

Limiting the number of connections to SSH Server using Iptables

This is the quickest way to limit the number of connection to your SSH server with iptables.

sudo /sbin/iptables -A INPUT -p tcp –syn –dport 22 -m connlimit –connlimit-above 5 -j REJECT

This will only allow up to 5 concurrent connections to the SSH server, subsequent connections will be rejected by iptables, thus this can thwarts Brute-force attempts to your server.

More Articles About Securing SSH Server

How to Secure SSH server from Brute-Force and DDOS with Fail2ban ( Ubuntu )

Fail2ban is a security tool used for preventing brute-force attack and Distributed Denial of Service (DDoS) attack to your GNU/Linux box.

Fail2ban monitors failed login attempts and subsequently blocks the ip address from further logins. Although Fail2ban can also be used to secure other services in Ubuntu server, in this post, I will only focus on securing SSH server.

Step 1: Install Fail2ban and (optionally) sendmail

sudo apt-get install fail2ban
sudo apt-get install sendmail-bin

Step 2: Setting up Fail2ban

Next, you need to configure fail2ban by creating a copy of ‘jail.conf’ to ‘jail.local’

cd /etc/fail2ban
sudo cp jail.conf jail.local

Step 3: General fail2ban configuration

Edit fail2ban configuration file using your favorite text-edito (I personally use ‘nano’)

sudo nano /etc/jail.local

You can set IP address for fail2ban to ignore, IP addresses can be separated by space.

Bantime is the duration of time that you want fail2ban to block suspicious attempt, the value is in seconds
Maxretry is the number of failed attempts before fail2ban block the IP-address, in this case 3600 means 1-hour ban

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip =
bantime  = 3600
maxretry = 3 

Step 4: Enabling ssh and ssh-ddos protection
Find ssh configuration under [ssh] heading, and enable it.

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 3 

Similarly, you can also enable [ssh-dos] protection by changing the enabled value to “enabled = true

enabled = true
port    = ssh
filter  = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 2

Step 5: Enable Sending Notification Email (optional)
Optionally you can have fail2ban sends you notification email in case of suspicious login detected. To do that, you need to locate destemail settings and changed it to your email

destemail =

Fail2ban can use ‘sendmail’ and ‘mail’ application to send notification email

Step 6: (Re-)start Fail2ban
After all is done, you may save the file, and (re)start the fail2ban service

sudo /etc/init.d/fail2ban restart

You can test the configuration by trying to login into your box. You may also check fail2ban log in /var/logs/auth.log (or in other directory specified in jail.local)

For more information about fail2ban, you can read : the official fail2ban manual

Recommended Reading

How to limit MySQL port access to specific network

MySQL service port are not meant to be accessible to the outside world as it would become a security concern to the administrator.

Although MySQL server (mysqld) by itself has a built-in mechanism to deny access from unauthorized ip-address, it still does not protect it from being overwhelmed by multiple malicious requests or buffer overflow attack directed to the server.

One of the solution is to limit the MySQL port access to trusted network using iptables

This assume your trusted network has the address within the range of

iptables -A INPUT -i eth0 -p tcp -s --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

MySQL server (mysqld) uses port 3306.

Note: Always assume the internet as the untrusted network!