====== Firewall ======

The firewall is already configured by DigitalOcean in my choice of droplet (Ubuntu 20.04 with WordPress). However, if other services are to be added (in my case, yes) the [[https://ubuntu.com/server/docs/security-firewall|Ubuntu firewall]] (''ufw'') needs to be configured to allow them. Extra documentation I referred to:

  * How-To Geek: [[https://www.howtogeek.com/115116/how-to-configure-ubuntus-built-in-firewall|How to Configure Ubuntu's Built-In Firewall]]
  * Ubuntu Documentation: [[https://ubuntu.com/server/docs/security-firewall|Ubuntu firewall]]

===== Sample Commands =====

View the current configuration (''ufw'' needs root, so ''sudo'' throughout):

<code bash>
sudo ufw status verbose
</code>

Allow the services by application profile. The names are the profiles shown by ''ufw app list''; ''Apache Full'' contains a space and must be quoted, otherwise ufw reads ''Full'' as a separate argument:

<code bash>
sudo ufw allow OpenSSH
sudo ufw allow Postfix
sudo ufw allow 'Apache Full'
</code>

===== Blocking SSH Testing =====

Out of interest, I checked ''auth.log'' and found lots of scanning/testing/brute-force attempts. ''fail2ban'' should manage some of this (in reality, against bot networks fail2ban is a bit futile here, since each bot makes only a few attempts from its own address and stays under the ban threshold), and the only real solution is mandatory key authentication (''PasswordAuthentication no'' in ''sshd_config''). But I had some interest in blocking the offending IPs from connecting to ''SSH'' anyway and seeing the difference in the logs.

The one-liners below pull source addresses out of the common pre-auth failure lines and insert a ''deny'' rule for each at position 1, so it is evaluated before the ''allow OpenSSH'' rule. Two cautions: review the address list before applying it, because ''Connection closed by authenticating user ... [preauth]'' is also logged when a legitimate user abandons a login, and ''Received disconnect ... disconnected by user'' is logged on every normal logout, so your own address can end up in the list and lock you out; and the list only covers addresses already seen, so it has to be regenerated (or supplemented with ''sudo ufw limit OpenSSH'', which rate-limits new connections per source) to keep up.
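As an added example (not code from the original page), a more defensive version of the same idea before the one-liners: it parses constructed sample ''auth.log'' lines (including the single-digit-day ''Apr  2'' layout, which has two spaces and shifts every space-separated field), counts pre-auth failures per source, applies a threshold, skips an allowlist so the admin's own address is never blocked, and prints the ''ufw'' commands for review rather than running them. The addresses (''192.0.2.10'', ''198.51.100.23'', ''203.0.113.x''), hostname, PIDs and the allowlist are invented for the sample.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: build a ufw deny list from sshd
# pre-auth failures with a per-source threshold and an allowlist, printing the
# ufw commands for review instead of running them.
set -eu

# Constructed sample lines in the syslog layout Ubuntu 20.04 uses for
# /var/log/auth.log. "Apr  2" (two spaces) is the single-digit-day case that
# shifts space-separated fields; addresses are from documentation ranges.
SAMPLE_LOG='Apr  2 09:01:13 web sshd[2101]: Received disconnect from 203.0.113.5 port 41822:11: Bye Bye [preauth]
Apr  2 09:01:14 web sshd[2103]: Connection closed by invalid user admin 203.0.113.5 port 41830 [preauth]
Apr  2 09:02:40 web sshd[2110]: Connection closed by 198.51.100.23 port 50110 [preauth]
Apr 12 09:05:02 web sshd[2131]: Unable to negotiate with 198.51.100.23 port 50210: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Apr 12 09:06:07 web sshd[2140]: Connection closed by authenticating user david 192.0.2.10 port 60000 [preauth]
Apr 12 09:07:00 web sshd[2150]: Accepted publickey for david from 192.0.2.10 port 60002 ssh2: ED25519 SHA256:constructed
Apr 12 09:07:30 web sshd[2150]: Received disconnect from 192.0.2.10 port 60002:11: disconnected by user
Apr 12 09:08:11 web sshd[2160]: Received disconnect from 203.0.113.77 port 33000:11: Bye Bye [preauth]'

# Sources that must never be blocked (hypothetical admin address).
ALLOWLIST='192.0.2.10'

# offenders THRESHOLD < logfile
# Prints "count ip" for each source with at least THRESHOLD pre-auth
# failures, excluding allowlisted addresses.
offenders() {
    local threshold=$1
    # Pre-auth failures only: a normal logout also logs "Received disconnect".
    # The IPv4 address is always followed by " port <n>", so a regex finds it
    # regardless of how many fields the timestamp occupies.
    grep -E 'sshd\[[0-9]+\]: (Received disconnect from|Connection closed by|Unable to negotiate with)' \
      | grep -E '\[preauth\]|diffie-hellman-group1-sha1' \
      | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+' \
      | cut -d ' ' -f 1 \
      | sort | uniq -c \
      | awk -v t="$threshold" -v allow="$ALLOWLIST" '
          BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
          $1 + 0 >= t + 0 && !($2 in keep) { print $1, $2 }'
}

# deny_rules THRESHOLD < logfile
# Emits one ufw command per offender, inserted at position 1 so the deny is
# evaluated before the "allow OpenSSH" rule.
deny_rules() {
    offenders "$1" | while read -r count ip ; do
        printf 'sudo ufw insert 1 deny from %s to any port 22 comment "sshd preauth x%s"\n' "$ip" "$count"
    done
}

# Dry run over the constructed sample; pipe the output into "sudo sh" only
# after reading it.
printf '%s\n' "$SAMPLE_LOG" | deny_rules 2
```

On a real host replace the sample with ''sudo cat /var/log/auth.log | deny_rules 3'' and put your own source address in ''ALLOWLIST''. The allowlisted address above shows why that matters: it appears in a ''[preauth]'' line from an abandoned login, and without the allowlist it would be denied along with the bots.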
<code bash>
# Collect source addresses from the pre-auth failure lines. The IPv4 address
# is always followed by " port <n>", so extract it with a regex instead of
# counting space-separated fields: on days 1-9 the timestamp is "Apr  2" (two
# spaces), which shifts every field and made "cut -f N" pick the wrong word.
# Requiring "[preauth]" keeps normal logouts ("Received disconnect ...
# disconnected by user") out of the list.
grep -E 'sshd.*(Received disconnect from|Connection closed by|Unable to negotiate with).*(\[preauth\]|diffie-hellman-group1-sha1)' /var/log/auth.log \
  | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+' \
  | cut -d ' ' -f 1 | sort -u \
  | while read -r block_ip ; do
      # position 1: evaluated before the "allow OpenSSH" rule
      sudo ufw insert 1 deny from "${block_ip}" to any port 22
    done
sudo vi /etc/ufw/user.rules   # the inserted rules are written here; inspect them
sudo ufw status
</code>

server_configuration/firewall.txt · Last modified: 2025/04/02 09:28 by david