3/3: Hardening the Remote Container.
Enabling, and Setting Up, UFW.
Yes, the Uncomplicated Firewall (UFW) was already installed on the homelab system. This time, I am installing the "hardening" tools within this container.
- From the homelab terminal (CTRL+ALT+T) connected to the container, I check the UFW status:
sudo ufw status
- I enable the UFW:
sudo ufw enable
- I install a UFW rule:
sudo ufw allow from 192.168.?.?
NOTE: I use ip a in my workstation terminal to find my IP address. I replace the IP address above with the actual address of the workstation, e.g. 192.168.188.41.
- I check the status of the UFW and list the rules by number:
sudo ufw status numbered
NOTE 1: UFW will, by default, block all incoming traffic, including SSH and HTTP, so every service that must be reachable from other hosts needs its own allow rule.
NOTE 2: I will update the UFW rules as I deploy other services to the container.
- I delete a UFW rule by number if needed:
sudo ufw delete 1
- I disable UFW if needed:
sudo ufw disable
Now that UFW is set up, let's install another tool for hardening a system: Fail2Ban.
Attribution:
digitalocean.com
Installing, and Setting Up, Fail2Ban.
Fail2Ban protects Linux systems against many security threats, such as dictionary, DoS, DDoS, and brute-force attacks, by watching the service logs and temporarily banning source addresses that keep failing.
- From the homelab terminal (CTRL+ALT+T) connected to the container, I install Fail2Ban:
sudo apt install fail2ban -y
- I copy the jail.conf file as jail.local:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
- I open the jail.local file in Nano:
sudo nano /etc/fail2ban/jail.local
- I change a few (SSH-centric) settings in the jail.local file, then I save those changes and exit the Nano editor:
[DEFAULT]
⋮
bantime = 1d
maxretry = 3
⋮
[sshd]
enabled = true
port = ssh,22
- I restart Fail2Ban:
sudo systemctl restart fail2ban
- I check the status of Fail2Ban:
sudo systemctl status fail2ban
- I enable Fail2Ban to autostart on boot:
sudo systemctl enable fail2ban
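To confirm the container actually ended up in the state the two procedures above aim for, here is an added check script (my own example, not part of the original post or of UFW/Fail2Ban). It parses the text printed by sudo ufw status numbered and a jail.local file and reports anything that deviates from the plan: UFW inactive, no allow rule for the workstation address (192.168.188.41 from the note above), the sshd jail disabled, or a weaker bantime/maxretry than intended. Both sample inputs are constructed, so it runs offline.

```python
import configparser
import re

# Constructed sample of `sudo ufw status numbered` (not captured from a real host).
UFW_STATUS = """Status: active

     To                         Action      From
[ 1] Anywhere                   ALLOW IN    192.168.188.41
"""
# Constructed jail.local carrying the SSH-centric settings from this post.
JAIL_LOCAL = """\
[DEFAULT]
bantime = 1d
maxretry = 3
[sshd]
enabled = true
port = ssh,22
"""
UFW_RULE = re.compile(r"^\[\s*(\d+)\]\s+(\S.*?)\s{2,}(ALLOW|DENY|REJECT|LIMIT)\s+(IN|OUT)\s+(\S+)")
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_ufw_status(text):
    """Return (active, rules); each rule is (number, to, action, direction, source)."""
    active = text.lstrip().startswith("Status: active")
    rules = [(int(m[1]), m[2], m[3], m[4], m[5])
             for line in text.splitlines() if (m := UFW_RULE.match(line))]
    return active, rules


def bantime_seconds(value):
    """Seconds for a Fail2Ban time like '1d', '10m' or '600' (no suffix = seconds)."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw]?)\s*", value)
    return int(m[1]) * UNITS[m[2] or "s"]


def audit(ufw_text, jail_text, workstation_ip, max_retry=3, min_ban="1d"):
    """Return findings that deviate from the plan; an empty list means all good."""
    findings = []
    active, rules = parse_ufw_status(ufw_text)
    if not active:
        findings.append("UFW is not active")
    if not any(a == "ALLOW" and d == "IN" and src == workstation_ip for *_, a, d, src in rules):
        findings.append(f"no ALLOW IN rule from {workstation_ip}: default deny would lock the workstation out")
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(jail_text)
    if not cfg.getboolean("sshd", "enabled", fallback=False):
        findings.append("[sshd] jail is not enabled")
    if cfg.getint("DEFAULT", "maxretry", fallback=5) > max_retry:
        findings.append(f"maxretry exceeds {max_retry}")
    if bantime_seconds(cfg.get("DEFAULT", "bantime", fallback="10m")) < bantime_seconds(min_ban):
        findings.append(f"bantime is shorter than {min_ban}")
    return findings
```

On the container itself, feed audit() the real output of sudo ufw status numbered and the contents of /etc/fail2ban/jail.local instead of the constructed samples.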
Now that I have hardened the container, it is time to return to the original post.
And remember: Be safe, be kind, be awesome.