[lab sheet] Add section on firewall
All checks were successful
continuous-integration/laminar-elessar Build 48 succeeded in 58 seconds .

This commit is contained in:
Starbeamrainbowlabs 2019-08-15 16:42:32 +01:00
parent 17e8923dff
commit ab1fd4dbe8
Signed by: sbrl
GPG key ID: 1BE5172E637709C2

View file

@ -27,6 +27,76 @@
- `ufw` - `ufw`
- https://starbeamrainbowlabs.com/blog/article.php?article=posts/047-Linux-Security-Part-1.html - https://starbeamrainbowlabs.com/blog/article.php?article=posts/047-Linux-Security-Part-1.html
### Setting up a firewall
Firewalls control how data is allowed to travel in and out of your computer. In Ubuntu, a firewall called `ufw`, the 'uncomplicated firewall' is already present. It acts as a nice front-end to `iptables`, which I find to be difficult to understand and use. We will be using that as our firewall. If for some reason it is not installed already, install it like so:
```bash
sudo apt install ufw
```
### Activation
Ufw, by default, allows all outgoing connections and denies all incoming connections. This means that if you are using ssh to connect to your server, you will need to open the appropriate ports first *before* enabling ufw. Do that like this:
```bash
sudo ufw allow 22/tcp
```
ufw will automatically configure `iptables` to allow incoming connections on port 22 that use `tcp`. I will talk more about allowing and denying different connections later.
Just in case ufw blocks your ssh connection and you are unable to get back in, you can use another program called `at` to schedule the disabling of the ufw so that you can get back in again. If you don't have it installed, you can install it with `sudo apt install at`.
```bash
sudo at -vM now +10 minutes
ufw disable
^D
```
Where `^D` stands for `CTRL + D`. Now that you have it set such that ufw will disable itself in 10 minutes time, we go ahead and turn ufw on:
```bash
sudo ufw enable
```
<!-- TODO: check that `yes` is the correct response -->
It will warn you that this may disrupt any existing ssh connections you have open. Reply `yes` to this. Once it have been enabled successfully, you should check that you can still ssh into your server (if that is the method that you are using to control it). If yes, great! If not, ufw will disable itself in 10 minutes and then you can try again.
Now that we have ufw enabled, we can cancel the `at` job we created to disable ufw. Type `sudo atq` to list the jobs you have schedules, and `sudo atrm <number>` to remove it, where `<number>` is the number of the jobs that you want to delete.
You may also want to check the status of ufw to make sure that it is enabled, or to get a list of the rules that are currently in force. You can do that like this:
```bash
sudo ufw status
```
```
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere
```
#### Allowing connections
Since we're going to be setting up a web server, we'll need to allow ti through ur new firewall. Doing so is easy. Simply do this:
```bash
sudo ufw allow 80/tcp
```
Ufw will automatically configure iptables, in this example, to allow all connections on port 80 that use TCP. It will also configure it appropriately for both ipv4 and ipv6.
If you ever want to incoming connections on another port in the future, replace `80` with the port number you want to allow and `tcp` with `udp` if needed.
Ufw also understands several protocol names, and can configure itself accordingly:
```bash
sudo ufw allow http
sudo ufw allow imap
```
## Installing a Web Server ## Installing a Web Server
With our server secured, we can now install our web server. In this tutorial, we'll be using _[Nginx](https://nginx.org)_. With our server secured, we can now install our web server. In this tutorial, we'll be using _[Nginx](https://nginx.org)_.