Setting Up a Firewall & Basic Security

Securing your server is one of the first things you should do after provisioning. A properly configured firewall and basic security measures significantly reduce your risk of being compromised.

Configuring UFW (Ubuntu/Debian)

UFW (Uncomplicated Firewall) is the simplest way to manage firewall rules on Ubuntu and Debian. To set it up, first allow SSH so you do not lock yourself out: ufw allow 22/tcp. Then enable the firewall: ufw enable. Add rules for any other services you need, such as ufw allow 80/tcp for HTTP and ufw allow 443/tcp for HTTPS. Check your rules with ufw status.

Configuring firewalld (AlmaLinux/Rocky)

On RHEL-based distributions, firewalld is the default. Enable and start it with systemctl enable --now firewalld. Add services with firewall-cmd --permanent --add-service=ssh and firewall-cmd --permanent --add-service=http. Apply changes with firewall-cmd --reload.

Additional Security Best Practices

Change the SSH port: Moving SSH from the default port 22 to a non-standard port reduces automated brute-force attempts. Update /etc/ssh/sshd_config and remember to allow the new port in your firewall before restarting SSH.

Disable root login: After creating a non-root user with sudo access, disable direct root login in /etc/ssh/sshd_config by setting PermitRootLogin to no.

Install Fail2Ban: Fail2Ban monitors log files and automatically bans IP addresses that show malicious behaviour, such as repeated failed login attempts. Install it with your package manager and enable it.

Keep your system updated: Regularly run system updates to patch security vulnerabilities. Consider setting up unattended security updates for critical patches.

Critical: Always allow SSH (or your custom SSH port) BEFORE enabling the firewall. If you lock yourself out, you will need to use the console access in your Client Dashboard to regain access.
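
The check below is an added example, not part of the original article: before restarting SSH on a changed port, it compares the Port lines in sshd_config with the rules shown by ufw status and flags a PermitRootLogin value other than no. The function names and sample inputs are constructed for illustration; Include files, Match blocks and UFW application profiles are not handled.

```shell
#!/bin/sh
# Pre-restart check: every port sshd will listen on must be open in UFW,
# and direct root login should be disabled.

# Print the Port values from sshd_config text on stdin (keywords are
# case-insensitive); sshd listens on 22 when no Port line is present.
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; n++ }
         END { if (!n) print 22 }'
}

# Print the first PermitRootLogin value, or "unset" if the file has none.
root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); f = 1; exit }
         END { if (!f) print "unset" }'
}

# Succeed if `ufw status` text ($2) has an ALLOW or LIMIT rule for port $1.
# IPv6 "(v6)" rows and app-profile rows (e.g. OpenSSH) are not counted.
ufw_allows() {
    printf '%s\n' "$2" | awk -v p="$1" '
        ($1 == (p "/tcp") || $1 == p) && ($2 == "ALLOW" || $2 == "LIMIT") { ok = 1 }
        END { exit !ok }'
}

# $1 = sshd_config text, $2 = `ufw status` text.
# Prints findings and returns how many there are (0 = safe to restart sshd).
preflight() {
    problems=0
    for port in $(printf '%s\n' "$1" | sshd_ports); do
        if ! ufw_allows "$port" "$2"; then
            echo "BLOCKED: sshd Port $port has no UFW allow rule"
            problems=$((problems + 1))
        fi
    done
    if [ "$(printf '%s\n' "$1" | root_login)" != "no" ]; then
        echo "WARN: PermitRootLogin is not set to no"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample inputs (abbreviated, not taken from a real server).
SAMPLE_SSHD='Port 2222
#Port 22
PermitRootLogin yes'
SAMPLE_UFW='Status: active
To                         Action      From
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere'
preflight "$SAMPLE_SSHD" "$SAMPLE_UFW" || echo "Fix the findings above before restarting sshd"
```

On a server, run it as root against the live data: preflight "$(cat /etc/ssh/sshd_config)" "$(ufw status)".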

 
