UFW (Uncomplicated Firewall) is the easiest way to secure your server: it blocks all incoming connections except on the ports you explicitly allow.
First, install ufw:
apt install ufw -y
## Check the status of ufw with
ufw status
## To see which services are listening on your server, use
netstat -tulpn
## Enable logging
ufw logging on
## Use the default rules to allow outgoing traffic and to deny all incoming traffic.
ufw default allow outgoing
ufw default deny incoming
## Allow SSH, DNS, HTTP and HTTPS, NTP
ufw allow 22
ufw allow 53
ufw allow http
ufw allow https
ufw allow 123
## LibreNMS SNMP and Unix agent
ufw allow 161
ufw allow 6556
## Netdata dashboard
ufw allow 19999
## Rsync
ufw allow 873
## EasyEngine default backend
ufw allow 22222
### Some other examples:
## Allow connections on all ports from an IP
ufw allow from 123.45.67.89
## Allow connections on all ports from a subnet
ufw allow from 123.45.67.89/24
## Specify a port, an IP and a protocol
ufw allow from 123.45.67.89 to any port 22 proto tcp
# Whitelist the Cloudflare network (IPv4 + IPv6)
wget https://raw.githubusercontent.com/Paul-Reed/cloudflare-ufw/master/cloudflare-ufw.sh
bash cloudflare-ufw.sh
When you have set all the rules you need, enable ufw with:
ufw enable
Check the server syslog from time to time to see whether any rules are missing from your configuration:
tail -f /var/log/syslog
You should see connections blocked by UFW:
Jun XX 18:28:X server kernel: [ 8544.753005] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:xx:xx:xx:00:ff:ff:ff:ff:xx:xx:00 SRC=xx.xx.173.85 DST=xx.xx.51.219 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=28251 PROTO=TCP SPT=59043 DPT=21021 WINDOW=1024 RES=0x00 SYN URGP=0
SRC: source IP
DST: destination IP
SPT: source port
DPT: destination port
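A small parser for those `[UFW BLOCK]` lines, added here as an example (it is not part of the original guide), that summarises blocked inbound traffic by protocol and destination port so a genuinely missing rule stands out from scan noise. The log lines embedded below are constructed, with documentation addresses and placeholder MACs in place of real ones.

```shell
#!/bin/sh
# Added example: summarise [UFW BLOCK] entries from syslog by PROTO and DPT.
# Sample log lines are constructed for this example (addresses and MACs are placeholders).
SAMPLE_LOG='Jun 01 18:28:01 server kernel: [ 8544.753005] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:aa:bb:cc:00:ff:ff:ff:ff:dd:ee:00 SRC=203.0.113.85 DST=192.0.2.219 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=28251 PROTO=TCP SPT=59043 DPT=21021 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 01 18:28:02 server kernel: [ 8545.100000] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:aa:bb:cc:00:ff:ff:ff:ff:dd:ee:00 SRC=203.0.113.90 DST=192.0.2.219 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=100 PROTO=TCP SPT=40000 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 01 18:28:03 server kernel: [ 8546.200000] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:aa:bb:cc:00:ff:ff:ff:ff:dd:ee:00 SRC=198.51.100.7 DST=192.0.2.219 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=101 PROTO=UDP SPT=5555 DPT=161 LEN=40
Jun 01 18:28:04 server sshd[123]: Accepted publickey for admin from 198.51.100.7 port 5000 ssh2
Jun 01 18:28:05 server kernel: [ 8547.300000] [UFW BLOCK] IN=eth0 OUT= MAC=00:50:56:aa:bb:cc:00:ff:ff:ff:ff:dd:ee:00 SRC=203.0.113.91 DST=192.0.2.219 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=102 PROTO=TCP SPT=40001 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0'

# ufw_block_field LINE FIELD -> value of FIELD (SRC, DST, SPT, DPT, PROTO, ...) in one log line
ufw_block_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# ufw_block_summary: reads syslog on stdin and prints "PROTO DPT COUNT" for every
# blocked inbound packet, most frequent first. Lines without [UFW BLOCK] are ignored.
ufw_block_summary() {
    grep -F '[UFW BLOCK]' | awk '
        {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (proto != "" && dpt != "") count[proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k1,1 -k2,2n
}

# On a live system: tail -n 1000 /var/log/syslog | ufw_block_summary
printf '%s\n' "$SAMPLE_LOG" | ufw_block_summary
```

A port that keeps appearing with a high count from many sources is usually just scanning; a port you know one of your own services listens on (compare with the netstat output above) is the one that needs an allow rule.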