Server Hardening using UFW & other mods

UFW, or Uncomplicated Firewall, is, as the name suggests, a very simple firewall manager. It's great at restricting and allowing traffic. I used it to block certain ports and open others.

It's straightforward. You just use the allow and deny syntax, like so:

$ sudo ufw default deny incoming  
$ sudo ufw default allow outgoing  

This denies all incoming connections and allows all outgoing ones. It leaves room for micromanagement, for example:

$ sudo ufw allow 5000  
Rule updated  
Rule updated (v6)  

This opens port 5000 on both IPv4 and IPv6, which can be verified by looking at the status.

$ sudo ufw status

To                         Action      From  
--                         ------      ----
8943                       ALLOW       Anywhere  
80                         ALLOW       Anywhere  
443                        ALLOW       Anywhere  
5665                       ALLOW       Anywhere  
5000                       ALLOW       Anywhere  
8080                       ALLOW       Anywhere  
8000                       DENY        Anywhere  
8943 (v6)                  ALLOW       Anywhere (v6)  
80 (v6)                    ALLOW       Anywhere (v6)  
443 (v6)                   ALLOW       Anywhere (v6)  
5665 (v6)                  ALLOW       Anywhere (v6)  
5000 (v6)                  ALLOW       Anywhere (v6)  
8080 (v6)                  ALLOW       Anywhere (v6)  
8000 (v6)                  DENY        Anywhere (v6)  

Easy.

The other thing I like to do is make sure root login over SSH is disabled by default and that SSH isn't listening on port 22. Instead I move it to something like 8943. This is done in sshd_config, located at /etc/ssh/sshd_config. You have to tweak a few lines.
Change the port first.

# What ports, IPs and protocols we listen for
Port 22  

to

# What ports, IPs and protocols we listen for
Port 8993  

and change

# Authentication:
LoginGraceTime 120  
PermitRootLogin yes  

to

# Authentication:
LoginGraceTime 120  
PermitRootLogin no  

That's it. It stops you from getting root over SSH, and the port is changed to 8993 instead of 22. All you need to do is restart the sshd process. Also, enable the firewall :)

$ sudo service sshd restart  
$ sudo ufw enable  
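One check worth running before that last `ufw enable`, as an added example that is not code from the original post: the port you allow in ufw has to be the Port sshd actually listens on, otherwise enabling the firewall cuts off your own session. The script below (bash, assumed to run as root on the same kind of host; `ufw show added` and `sshd -t` are real ufw and OpenSSH commands, the function names are mine) reads the effective settings out of sshd_config and refuses to enable the firewall unless that port is allowed; the sample inputs at the bottom are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: a lockout guard for the steps
# above.  Before `ufw enable`, confirm the port sshd will listen on is one the
# firewall allows, and that the edited sshd_config still parses.

# Effective sshd Port, config on stdin: the last uncommented "Port N" wins and
# OpenSSH defaults to 22.  "#Port 22" puts "#Port" in $1, so comments never match.
sshd_port() {
    awk 'tolower($1) == "port" { p = $2 } END { print (p ? p : 22) }'
}

# Effective PermitRootLogin, config on stdin (OpenSSH's built-in default is
# prohibit-password; "yes" is the value the post has you replace).
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { v = $2 } END { print (v ? v : "prohibit-password") }'
}

# Exit 0 when the ufw listing on stdin allows port $1 (bare or "/tcp"), else 1.
# Accepts both `ufw status` rows ("8943  ALLOW  Anywhere") and `ufw show added`
# rows ("ufw allow 8943"); the latter also works while ufw is still inactive,
# when `ufw status` prints no rules at all.
ufw_allows_port() {
    awk -v p="$1" '
        ($1 == p || $1 == p "/tcp") && $2 == "ALLOW"               { ok = 1 }
        $1 == "ufw" && $2 == "allow" && ($3 == p || $3 == p "/tcp") { ok = 1 }
        END { exit !ok }'
}

# Real run (as root): refuse `ufw enable` unless sshd's port is already allowed
# and the config passes `sshd -t`, so the change cannot cut off this session.
safe_enable() {
    local port
    port=$(sshd_port < /etc/ssh/sshd_config)
    if ! ufw show added | ufw_allows_port "$port"; then
        echo "refusing: no ufw ALLOW rule for sshd port $port (run: ufw allow $port)" >&2
        return 1
    fi
    sshd -t && service sshd restart && ufw enable
}

# Constructed sample inputs (not captured from a real host) for a dry run; they
# reuse the post's numbers: sshd moves to 8993 while only 8943 is allowed.
SAMPLE_SSHD_CONFIG='# What ports, IPs and protocols we listen for
#Port 22
Port 8993
PermitRootLogin no'
SAMPLE_UFW_ADDED='Added user rules (see ufw status for running firewall):
ufw allow 8943
ufw allow 80'
```

With the samples, `ufw_allows_port 8993` fails, which is exactly the lockout `safe_enable` prevents; fix it with `ufw allow 8993` (or make the sshd Port match the rule) before enabling.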

Done.