3/3: Hardening the Remote Container.

Enabling, and Setting Up, UFW.


Yes, the Uncomplicated FireWall was installed on the homelab system. This time, I am installing the "hardening" tools within this container.

  • From the homelab terminal (CTRL + ALT + T) connected to the container, I check the UFW status:
sudo ufw status
  • I enable the UFW:
sudo ufw enable
  • I install a UFW rule:
sudo ufw allow from 192.168.?.?

NOTE: I use ip a in my workstation terminal to find my IP address. I replace the IP address above with the actual address for the workstation, e.g.

  • I check the status of the UFW and list the rules by number:
sudo ufw status numbered

NOTE 1: UFW will, by default, block all incoming traffic, including SSH and HTTP.

NOTE 2: I will update the UFW rules as I deploy other services to the container.

  • I delete a UFW rule by number if needed:
sudo ufw delete 1
  • I disable UFW if needed:
sudo ufw disable

Now that the UFW is setup, let's install another tool for hardening a system: Fail2Ban.


Installing, and Setting Up, Fail2Ban.


Fail2Ban protects Linux systems against many security threats, such as dictionary, DoS, DDoS, and brute-force attacks.

  • From the homelab terminal (CTRL + ALT + T) connected to the container, I install Fail2Ban:
sudo apt install fail2ban -y
  • I copy the jail.conf file as jail.local:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  • I open the jail.local file in Nano:
sudo nano /etc/fail2ban/jail.local
  • I change a few (SSH-centric) settings in the jail.local file, then I save those changes, and exit the Nano editor:
bantime = 1d
maxretry = 3
enabled = true
port = ssh,22
  • I restart Fail2Ban:
sudo systemctl restart fail2ban
  • I check the status of Fail2Ban:
sudo systemctl status fail2ban
  • I enable Fail2Ban to autostart on boot:
sudo systemctl enable fail2ban

Now that I have hardened the container, it is time to return to the original post.

And remember: Be safe, be kind, be awesome.