Configuring the Linux Firewall with UFW


Uncomplicated Firewall (UFW) is a convenient command-line tool for handling Debian-based Linux firewall policies.

The following procedure sets up UFW to block unauthorized remote access to any unsecured ports on the server. If remote attackers do manage to break in through an authorized incoming port, the default-deny outgoing policy blocks unauthorized bulk data exfiltration and outbound callbacks, stopping intruders dead in their tracks. A similar technique can be applied on the FreeBSD operating system using IPFW.

==========

1. STRICT CONFIGURATION

1.1. Update the package list and upgrade the existing packages.

user@host: $ sudo apt-get update && sudo apt-get dist-upgrade -y

1.2. Install UFW.

user@host: $ sudo apt-get install ufw

1.3. Check the firewall settings. The firewall is usually disabled by default.

user@host: $ sudo ufw status verbose

1.4. Open the port for incoming SSH. This ensures that administrators will not be locked out of the server when the firewall is enabled.

user@host: $ sudo ufw allow in 22/tcp comment "SSH server"

1.5. Block all other incoming connections for now. Authorized ports can be opened and closed as needed later on.

user@host: $ sudo ufw default deny incoming

1.6. Block all outgoing connections. This prevents intruders from communicating with the outside world using server tools.

user@host: $ sudo ufw default deny outgoing

1.7. Enable the firewall.

user@host: $ sudo ufw enable

1.8. Check the firewall settings again. The firewall should now show as "active", and the policies listed should match the ones specified in the previous steps.

user@host: $ sudo ufw status verbose

1.9. [ONLY IF NECESSARY] Disable the firewall. If for some reason the settings do not reflect the expected policies, disabling the firewall prevents administrators from getting locked out of the server while repeating the configuration process.

user@host: $ sudo ufw disable

2. POLICY MANAGEMENT

Once the firewall is up, incoming and outgoing ports can be easily opened and closed by authorized users as needed.

2.1. Open the port for incoming HTTPS to allow remote users to connect to the secure web service.

user@host: $ sudo ufw allow in 443/tcp comment "HTTPS server"

2.2. Close the port for incoming HTTPS. If the web server is under attack, closing the port will prevent unauthorized entry until the vulnerabilities are patched.

user@host: $ sudo ufw delete allow in 443/tcp

2.3. Open the port for outgoing DNS to allow the server to access domain names if some tasks require such services.

user@host: $ sudo ufw allow out 53/udp comment "Outgoing DNS"

2.4. Close the port for outgoing DNS. If domain name services are not required, closing the port prevents an intruder from using it.

user@host: $ sudo ufw delete allow out 53/udp

2.5. Open all ports for incoming connections from a trusted remote host.

user@host: $ sudo ufw allow in from 192.168.3.210 comment "Trusted host"

2.6. Close all ports for incoming connections from a remote host if it is no longer trusted.

user@host: $ sudo ufw delete allow in from 192.168.3.210

2.7. Open the port for outgoing SSH to a remote host.

user@host: $ sudo ufw allow out to 192.168.3.210 port 22 proto tcp comment "SSH to remote host"

2.8. Close the port for outgoing SSH to a remote host.

user@host: $ sudo ufw delete allow out to 192.168.3.210 port 22 proto tcp

2.9. Open UDP port 5353 for outgoing Multicast DNS (mDNS) to link-local addresses IPv4 224.0.0.251 and IPv6 ff02::fb.

user@host: $ sudo ufw allow out to 224.0.0.251 port 5353 proto udp comment "Outgoing mDNS IPv4"
user@host: $ sudo ufw allow out to ff02::fb port 5353 proto udp comment "Outgoing mDNS IPv6"

2.10. Open all ports for incoming connections from a trusted single Class B network with subnet mask 255.255.0.0 (256 Class C networks * 256 hosts each = 65,536 IP addresses).

user@host: $ sudo ufw allow in from 192.168.0.0/16 comment "Trusted Class B network"

2.11. Close all ports for incoming connections from a single Class B network with subnet mask 255.255.0.0 if it is no longer trusted.

user@host: $ sudo ufw delete allow in from 192.168.0.0/16

2.12. Open all ports for outgoing connections to a trusted single Class B network with subnet mask 255.255.0.0 (256 Class C networks * 256 hosts each = 65,536 IP addresses).

user@host: $ sudo ufw allow out to 192.168.0.0/16 comment "Trusted Class B network"

2.13. Close all ports for outgoing connections to a single Class B network with subnet mask 255.255.0.0. If no longer needed, removing the policy prevents an intruder from using outgoing ports to reach other machines on the Class B network.

user@host: $ sudo ufw delete allow out to 192.168.0.0/16

2.14. Open the port for incoming SSH from a trusted single Class A network with subnet mask 255.0.0.0 (256 Class B networks * 256 Class C networks * 256 hosts each = 16,777,216 IP addresses).

user@host: $ sudo ufw allow in from 10.0.0.0/8 to any port 22 proto tcp comment "Trusted Class A network for SSH"

2.15. Close the port for incoming SSH from a trusted single Class A network with subnet mask 255.0.0.0 if it is no longer trusted.

user@host: $ sudo ufw delete allow in from 10.0.0.0/8 to any port 22 proto tcp

3. SPECIAL CASES

There may be occasions where remote hosts misbehave on allowed ports and need to be temporarily blocked. Rule precedence must be observed: UFW evaluates rules in order, so host-blocking rules must be placed before the allow rules for the open ports, otherwise the allow rule matches first and the block never takes effect.

3.1. Block all incoming connections from a remote host and insert it at the top of the rules list.

user@host: $ sudo ufw prepend deny in from 10.9.8.7 comment "Suspicious host"

3.2. Block all outgoing connections to a remote host and insert it at the top of the rules list.

user@host: $ sudo ufw prepend deny out to 10.9.8.7 comment "Suspicious host"

3.3. Unblock all incoming connections from a remote host.

user@host: $ sudo ufw delete deny in from 10.9.8.7

3.4. Unblock all outgoing connections to a remote host.

user@host: $ sudo ufw delete deny out to 10.9.8.7
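As an added example that is not part of the original post, the following POSIX shell script checks the output of `sudo ufw status numbered` for the two mistakes this procedure guards against: enabling the firewall without the SSH allow rule from step 1.4, and adding a host block without `prepend` so that it lands after the allow rules (section 3). The sample status output, the second "appended" variant and the host 10.9.8.7 are constructed; the function names are the example's own, and only `grep` and `awk` are assumed to be available.

```shell
#!/bin/sh
# Added example, not part of the original post: two checks over the output of
# `sudo ufw status numbered`, run before `ufw enable` (section 1) and after
# adding host-blocking rules (section 3). SAMPLE_STATUS is a constructed copy
# of that output for the rule set built above; in practice feed the functions
# "$(sudo ufw status numbered)".

SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Anywhere                   DENY IN     10.9.8.7                   # Suspicious host
[ 2] 22/tcp                     ALLOW IN    Anywhere                   # SSH server
[ 3] 443/tcp                    ALLOW IN    Anywhere                   # HTTPS server
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)              # SSH server'

# Constructed variant in which the block was added with "ufw deny" instead of
# "ufw prepend deny": the rule lands last and no longer takes precedence.
SAMPLE_APPENDED="$(printf '%s\n' "$SAMPLE_STATUS" | grep -v 'DENY IN')
[ 5] Anywhere                   DENY IN     10.9.8.7                   # Suspicious host"

# ssh_allowed STATUS_TEXT: true only if an "ALLOW IN" rule for 22/tcp exists
# (step 1.4). Enabling the firewall without it locks administrators out.
ssh_allowed() {
    printf '%s\n' "$1" | grep -Eq '^\[ *[0-9]+\] 22/tcp .*ALLOW IN'
}

# deny_rules_first STATUS_TEXT: true only if no "DENY IN" rule is numbered
# after an "ALLOW IN" rule, i.e. host blocks are evaluated before open ports.
deny_rules_first() {
    printf '%s\n' "$1" | awk '
        /^\[ *[0-9]+\]/ {
            if ($0 ~ /ALLOW IN/) seen_allow = 1
            if ($0 ~ /DENY IN/ && seen_allow) bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# Stand-alone run against the two constructed samples.
for sample in "$SAMPLE_STATUS" "$SAMPLE_APPENDED"; do
    ssh_allowed "$sample" && echo "SSH allow rule present" \
        || echo "WARNING: no SSH allow rule, enabling would lock you out"
    deny_rules_first "$sample" && echo "deny rules precede allow rules" \
        || echo "WARNING: a DENY IN rule follows an ALLOW IN rule, use ufw prepend"
done
```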

==========
