Enabling, and Setting Up, UFW.
Yes, the Uncomplicated FireWall was installed on the
homelab system. This time, I am installing the "hardening" tools within this container.
- From the
T) connected to the container, I check the UFW status:
sudo ufw status
- I enable the UFW:
sudo ufw enable
- I install a UFW rule:
sudo ufw allow from 192.168.?.?
NOTE: I use
ip ain my workstation terminal to find my IP address. I replace the IP address above with the actual address for the
workstation, e.g. 192.168.188.41.
- I check the status of the UFW and list the rules by number:
sudo ufw status numbered
NOTE 1: UFW will, by default, block all incoming traffic, including SSH and HTTP.
NOTE 2: I will update the UFW rules as I deploy other services to the container.
- I delete a UFW rule by number if needed:
sudo ufw delete 1
- I disable UFW if needed:
sudo ufw disable
Now that the UFW is setup, let's install another tool for hardening a system: Fail2Ban.
Installing, and Setting Up, Fail2Ban.
Fail2Ban protects Linux systems against many security threats, such as dictionary, DoS, DDoS, and brute-force attacks.
- From the
T) connected to the container, I install Fail2Ban:
sudo apt install fail2ban -y
- I copy the
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
- I open the
jail.localfile in Nano:
sudo nano /etc/fail2ban/jail.local
- I change a few (SSH-centric) settings in the
jail.localfile, then I save those changes, and exit the Nano editor:
[DEFAULT] ⋮ bantime = 1d maxretry = 3 ⋮ [sshd] enabled = true port = ssh,22
- I restart Fail2Ban:
sudo systemctl restart fail2ban
- I check the status of Fail2Ban:
sudo systemctl status fail2ban
- I enable Fail2Ban to autostart on boot:
sudo systemctl enable fail2ban
Now that I have hardened the container, it is time to return to the original post.
And remember: Be safe, be kind, be awesome.