Ubuntu 20.04 Server firewall setup

One of the important things on any server is to prevent unnecessary access as much as possible. On Ubuntu, ufw (Uncomplicated Firewall) should already be installed by default. ufw is easy to use and takes away the more complicated work of driving iptables directly.

If for some reason ufw is not installed, or has been removed, you can install it with the following command.

$ sudo apt install ufw

It is, however, usually not active on a freshly installed server. You can check the status of ufw at any time with the ufw status command.

$ sudo ufw status verbose
Status: inactive

Before you enable it, it is a good idea to allow ssh access first, so you do not lock yourself out if you are connected to your Ubuntu server over ssh.

The ufw configuration file is /etc/default/ufw. Open the file and have a look.

$ sudo vi /etc/default/ufw

The default setup of ufw does not allow any incoming traffic (DEFAULT_INPUT_POLICY="DROP") and allows all outgoing traffic (DEFAULT_OUTPUT_POLICY="ACCEPT"), which is a sensible setup when running Ubuntu Desktop. On a server running Grafana, node-red or InfluxDB, however, you do need to allow incoming traffic, so that clients can reach node-red or Grafana. Let's first allow incoming ssh connections by running the following command.

$ sudo ufw allow ssh
Rules updated
Rules updated (v6)

OR

$ sudo ufw allow 22
Rules updated
Rules updated (v6)

Both options work and allow ssh access to your server. The only difference is that the first command looks up /etc/services to figure out which port ssh is using on your Ubuntu server.

Now we are ready to enable ufw. There will be a warning that existing ssh connections may be disrupted, which is fine, as we have already allowed ssh access.

$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

If you check the status you will notice that the ssh rules have been added. You will also notice that ssh is allowed from Anywhere, meaning any system that can reach the server's IP address can reach the ssh login prompt.

Allow other connections

When I try to connect to Grafana or node-red running on my Ubuntu server, the connection times out, as the firewall blocks the connection.

To allow access to Grafana, run the following command. As Grafana is also protected by a username and password, I allow access from Anywhere. After adding the rule, check the status again. If you add the numbered argument you will notice that the rules are now numbered, which is useful when you need to remove rules.

$ sudo ufw allow 3000

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 22                         ALLOW IN    Anywhere                  
[ 3] 3000                       ALLOW IN    Anywhere                  
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)             
[ 5] 22 (v6)                    ALLOW IN    Anywhere (v6)             
[ 6] 3000 (v6)                  ALLOW IN    Anywhere (v6)  

Now press the "Try Again" button in your browser to connect to Grafana again. If all went well you should be presented with the Grafana login screen.

Limit access based on source address

I also want to allow access to the node-red configuration web page. However, I have not set up any username/password protection, so to give node-red some extra protection I will limit which systems are allowed to connect to it. I need to allow access to port 1880, but only from my laptop, which has IP address 192.168.2.10.

$ sudo ufw allow from 192.168.2.10 to any port 1880
Rule added

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 22                         ALLOW IN    Anywhere                  
[ 3] 3000                       ALLOW IN    Anywhere                  
[ 4] 1880                       ALLOW IN    192.168.2.10              
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)             
[ 6] 22 (v6)                    ALLOW IN    Anywhere (v6)             
[ 7] 3000 (v6)                  ALLOW IN    Anywhere (v6)   

I also want to add a rule for http access to InfluxDB (port 8086), but only from within my private subnet.

$ sudo ufw allow from 192.168.2.0/24 to any port 8086
Rule added

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 22                         ALLOW IN    Anywhere                  
[ 3] 3000                       ALLOW IN    Anywhere                  
[ 4] 1880                       ALLOW IN    192.168.2.10              
[ 5] 8086                       ALLOW IN    192.168.2.0/24            
[ 6] 22/tcp (v6)                ALLOW IN    Anywhere (v6)             
[ 7] 22 (v6)                    ALLOW IN    Anywhere (v6)             
[ 8] 3000 (v6)                  ALLOW IN    Anywhere (v6)    

Deleting firewall rules

There are two ways to remove firewall rules: by repeating the rule itself, or by using the rule number. First, let's remove the Grafana allow rules by repeating the rule itself.

$ sudo ufw delete allow 3000
Rule deleted
Rule deleted (v6)

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere                  
[ 2] 22                         ALLOW IN    Anywhere                  
[ 3] 1880                       ALLOW IN    192.168.2.10              
[ 4] 8086                       ALLOW IN    192.168.2.0/24            
[ 5] 22/tcp (v6)                ALLOW IN    Anywhere (v6)             
[ 6] 22 (v6)                    ALLOW IN    Anywhere (v6) 

The second option is simpler: look up the rule number and run the delete command as follows, here to remove rule number 3.

$ sudo ufw delete 3
Deleting:
 allow from 192.168.2.10 to any port 1880
Proceed with operation (y|n)? y
Rule deleted
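As an added example (not part of the original post), this POSIX shell script parses the output of ufw status numbered, lists the inbound rules that are open from Anywhere, and for a given port emits the matching ufw delete <number> commands highest number first, because ufw renumbers the remaining rules after every delete and a lower number removed first would shift the ones still to run. The status text is a constructed sample mirroring this post's ruleset; on a real host pipe in sudo ufw status numbered instead.

```shell
#!/bin/sh
# Added example, not from the original post. The status text below is a
# constructed sample of `sudo ufw status numbered`, mirroring the ruleset
# built up in the post; it was not captured from a real host.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 22                         ALLOW IN    Anywhere
[ 3] 3000                       ALLOW IN    Anywhere
[ 4] 1880                       ALLOW IN    192.168.2.10
[ 5] 8086                       ALLOW IN    192.168.2.0/24
[ 6] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 7] 22 (v6)                    ALLOW IN    Anywhere (v6)
[ 8] 3000 (v6)                  ALLOW IN    Anywhere (v6)'

# open_to_anywhere: read status output on stdin and print "<number> <to>"
# for every ALLOW IN rule whose source is Anywhere (v4 or v6): the ports
# reachable from any host that can route to the server.
open_to_anywhere() {
    awk '
        substr($0, 1, 1) == "[" {
            br = index($0, "]")
            n = substr($0, 2, br - 2); gsub(/ /, "", n)
            rest = substr($0, br + 1); sub(/^ +/, "", rest)
            # "ALLOW IN" separates the To column from the From column.
            if (match(rest, / ALLOW IN +/)) {
                to = substr(rest, 1, RSTART - 1); sub(/ +$/, "", to)
                from = substr(rest, RSTART + RLENGTH)
                if (from ~ /^Anywhere/) print n, to
            }
        }'
}

# delete_cmds_for_port: emit "ufw delete <number>" for every Anywhere rule
# on port $1 (v4 and v6, with or without /tcp or /udp), highest number
# first, because ufw renumbers the remaining rules after each delete.
delete_cmds_for_port() {
    open_to_anywhere |
        awk -v p="$1" '$2 == p || $2 == p "/tcp" || $2 == p "/udp" { print $1 }' |
        sort -rn | sed 's/^/ufw delete /'
}

# Review what is exposed, then show what removing the Grafana rules would run.
printf '%s\n' "$SAMPLE_STATUS" | open_to_anywhere
printf '%s\n' "$SAMPLE_STATUS" | delete_cmds_for_port 3000
```

Each emitted delete asks for confirmation exactly as shown above; run it with sudo, and prefix ufw --force if you want to skip the prompt.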

Disable and enable ufw

If you no longer want to use ufw you can simply disable it. This leaves all the rules as created, but they are no longer enforced until you enable ufw again. The final option is to reset everything back to the default state with the reset command. This removes everything you configured, so you can start from zero.

$ sudo ufw disable

$ sudo ufw enable

$ sudo ufw reset

There are many more options available, but what I have explained is enough to get your firewall up and running and make your system a bit more secure.
