| Next revision | Previous revision |
| server_configuration:firewall [2021/01/13 17:42] – created david | server_configuration:firewall [2025/04/02 09:28] (current) – [Sample Commands] david |
|---|
| Worth looking at more detailed notes on my [[server_configuration:firewall]] configuration. | ====== Firewall ====== |
| |
| The firewall is already configured by DigitalOcean in my choice of droplet (Ubuntu 20.04 with WordPress). However if other services are to be added (in my case yes) the [[https://ubuntu.com/server/docs/security-firewall|Ubuntu firewall]] needs to be configured. See below for some extra documentation links I referred to: | The firewall is already configured by DigitalOcean in my choice of droplet (Ubuntu 20.04 with WordPress). However if other services are to be added (in my case yes) the [[https://ubuntu.com/server/docs/security-firewall|Ubuntu firewall]] needs to be configured. See below for some extra documentation links I referred to: |
| * Ubuntu Documentation: [[https://ubuntu.com/server/docs/security-firewall|Ubuntu firewall]] | * Ubuntu Documentation: [[https://ubuntu.com/server/docs/security-firewall|Ubuntu firewall]] |
| |
| ==== Configure Apache & WorPress ==== | ===== Sample Commands ===== |
| | View current configuration: |
| | <code bash> |
| | ufw status |
| | </code> |
| |
| In general, follow scripts/prompts when first SSH into droplet. | <code bash> |
| | sudo ufw allow OpenSSH |
| |
| See [[server_configuration:apache]] for all details. By default for one WordPress instance, with no other sites or clever stuff, no other changes need to be made. | sudo ufw allow Postfix |
| | sudo ufw allow Apache Full |
| | </code> |
| | ===== Blocking SSH Testing ===== |
| |
| | Out of interest, I checked the ''auth.log'' and found lots of scanning/testing/brute force attempts. While ''fail2ban'' should manage some of this (and in reality, with bot networks fail2ban is a bit futile here), the only real solution is mandatory key authentication. But I had some interest blocking the IPs from connecting to ''SSH'' anyway and seeing the differences in logs. |
| | |
| | <code bash> |
| | grep 'sshd.*Received disconnect from' auth.log | cut -d ' ' -f 9 | grep -ve [a-z] | sort | uniq | while read block_ip ; do ufw insert 1 deny from ${block_ip} to any port 22 ; done |
| | grep 'sshd.*Connection closed by.*preauth' auth.log | cut -d ' ' -f 9 | grep -ve [a-z] | sort | uniq | while read block_ip ; do ufw insert 1 deny from ${block_ip} to any port 22 ; done |
| | grep 'sshd.*Connection closed by invalid user' auth.log | cut -d ' ' -f 12 | grep -ve [a-z] | sort | uniq | while read block_ip ; do ufw insert 1 deny from ${block_ip} to any port 22 ; done |
| | grep 'sshd.*Unable to negotiate with.*diffie-hellman-group1-sha1' auth.log | cut -d ' ' -f 10 | grep -ve [a-z] | sort | uniq | while read block_ip ; do ufw insert 1 deny from ${block_ip} to any port 22 ; done |
| | |
| | |
| | vi /etc/ufw/user.rules |
| | ufw status |
| | </code> |