Firewall
The firewall is already configured by DigitalOcean in my choice of droplet (Ubuntu 20.04 with WordPress). However, if other services are to be added (in my case, yes) the Ubuntu firewall (ufw) needs to be adjusted to allow them, since ufw only opens the ports you explicitly permit. See below for some extra documentation links I referred to:
- HowTo Geek: How to Configure Ubuntu’s Built-In Firewall
- Ubuntu Documentation: Ubuntu firewall
Sample Commands
View current configuration:
sudo ufw status

Allow the services this droplet runs (application profile names containing a space, such as Apache Full, must be quoted or ufw rejects the argument count):

sudo ufw allow OpenSSH
sudo ufw allow Postfix
sudo ufw allow "Apache Full"
Blocking SSH Testing
Out of interest, I checked the auth.log and found lots of scanning/testing/brute-force attempts. While fail2ban should manage some of this (and in reality, with bot networks, fail2ban is a bit futile here), the only real solution is mandatory key authentication. But I had some interest in blocking the IPs from connecting to SSH anyway and seeing the differences in the logs.
Each loop below picks the space-separated field that holds the client address for one sshd message format, drops anything containing letters (hostnames, IPv6 addresses, and lines where the single-digit day's extra space shifts the fields), de-duplicates, and inserts a deny rule at position 1 so it is evaluated before the allow OpenSSH rule. The patterns are quoted so the shell cannot glob-expand [a-z] against files in the current directory.

# "Received disconnect from <ip> port ..." : address is field 9
grep 'sshd.*Received disconnect from' auth.log | cut -d ' ' -f 9 | grep -v -e '[a-z]' | sort | uniq | while read block_ip ; do sudo ufw insert 1 deny from "${block_ip}" to any port 22 ; done

# "Connection closed by <ip> port ... [preauth]" : address is field 9
grep 'sshd.*Connection closed by.*preauth' auth.log | cut -d ' ' -f 9 | grep -v -e '[a-z]' | sort | uniq | while read block_ip ; do sudo ufw insert 1 deny from "${block_ip}" to any port 22 ; done

# "Connection closed by invalid user <name> <ip> port ..." : address is field 12
grep 'sshd.*Connection closed by invalid user' auth.log | cut -d ' ' -f 12 | grep -v -e '[a-z]' | sort | uniq | while read block_ip ; do sudo ufw insert 1 deny from "${block_ip}" to any port 22 ; done

# "Unable to negotiate with <ip> port ...: ... diffie-hellman-group1-sha1" : address is field 10
grep 'sshd.*Unable to negotiate with.*diffie-hellman-group1-sha1' auth.log | cut -d ' ' -f 10 | grep -v -e '[a-z]' | sort | uniq | while read block_ip ; do sudo ufw insert 1 deny from "${block_ip}" to any port 22 ; done

Review the resulting rule file and the active rule set:

sudo vi /etc/ufw/user.rules
sudo ufw status
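The same log-to-deny-rule procedure as a single script, added here as an example and not code from the original post. It goes a little beyond the one-liners above: the address is located with a regex on "<ip> port <n>" instead of a fixed cut field (so the double space syslog puts after the month for days 1 to 9 cannot shift the field), only [preauth] failures are taken (so a "Received disconnect" from a finished legitimate session is not blocked), and an assumed admin address (ADMIN_IP, a placeholder) is never emitted so you cannot lock yourself out. The log lines are constructed for the example, using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not from the original post. Turns sshd pre-auth failures in
# auth.log into "ufw insert 1 deny" commands and prints them for review.

# Constructed sample auth.log lines (not real traffic). Note the two spaces
# after "Mar" on single-digit days, which breaks cut -d ' ' -f N field counts.
SAMPLE_LOG='Mar  1 03:14:15 web sshd[1201]: Received disconnect from 203.0.113.5 port 51234:11: Bye Bye [preauth]
Mar  1 03:14:16 web sshd[1203]: Connection closed by 203.0.113.5 port 51240 [preauth]
Mar 12 04:00:01 web sshd[1300]: Connection closed by invalid user admin 198.51.100.7 port 40210 [preauth]
Mar 12 04:00:09 web sshd[1301]: Unable to negotiate with 198.51.100.9 port 40300: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Mar 12 04:01:00 web sshd[1302]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:0123456789abcdef
Mar 12 04:30:00 web sshd[1302]: Received disconnect from 192.0.2.10 port 50000:11: disconnected by user
Mar 12 05:00:00 web sshd[1310]: Connection closed by authenticating user deploy 192.0.2.10 port 50002 [preauth]'

# Assumed address of the admin workstation (placeholder); never block it.
ADMIN_IP="${ADMIN_IP:-192.0.2.10}"

# suspect_ips: stdin = auth.log lines, stdout = unique IPv4 addresses to deny.
# 1. keep only the three sshd message types the post blocks on
# 2. keep only pre-authentication failures
# 3. pull "<ip> port <n>" out of the message wherever it sits on the line
# 4. drop the admin address, de-duplicate
suspect_ips() {
  grep -E 'sshd\[[0-9]+\]: (Received disconnect from|Connection closed by|Unable to negotiate with) ' \
    | grep -E '\[preauth\]' \
    | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3} port [0-9]+' \
    | cut -d ' ' -f 1 \
    | grep -vxF "$ADMIN_IP" \
    | sort -u
}

# ufw_deny_rules: stdin = one IP per line, stdout = the ufw command for each.
# "insert 1" matters: ufw is first-match, so the deny must sit above "allow OpenSSH".
ufw_deny_rules() {
  while read -r ip; do
    printf 'ufw insert 1 deny from %s to any port 22\n' "$ip"
  done
}

# Dry run over the sample. On a real host feed /var/log/auth.log in instead and,
# once the printed commands look right, pipe them into "sudo sh".
printf '%s\n' "$SAMPLE_LOG" | suspect_ips | ufw_deny_rules
```

Running it prints three deny commands (203.0.113.5, 198.51.100.7, 198.51.100.9); the legitimate deploy session from 192.0.2.10 is excluded both because its disconnect is not a pre-auth failure and because it is the admin address. The "Connection closed by authenticating user" line shows why the allowlist is worth having: a genuine user mistyping a key passphrase produces the same pre-auth pattern as a bot.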