[lab sheet] Add section on firewall
All checks were successful
continuous-integration/laminar-elessar Build 48 succeeded in 58 seconds .
All checks were successful
continuous-integration/laminar-elessar Build 48 succeeded in 58 seconds .
This commit is contained in:
parent
17e8923dff
commit
ab1fd4dbe8
1 changed files with 70 additions and 0 deletions
|
@ -27,6 +27,76 @@
|
|||
- `ufw`
|
||||
- https://starbeamrainbowlabs.com/blog/article.php?article=posts/047-Linux-Security-Part-1.html
|
||||
|
||||
### Setting up a firewall
|
||||
Firewalls control how data is allowed to travel in and out of your computer. In Ubuntu, a firewall called `ufw`, the 'uncomplicated firewall' is already present. It acts as a nice front-end to `iptables`, which I find to be difficult to understand and use. We will be using that as our firewall. If for some reason it is not installed already, install it like so:
|
||||
|
||||
```bash
|
||||
sudo apt install ufw
|
||||
```
|
||||
|
||||
### Activation
|
||||
|
||||
Ufw, by default, allows all outgoing connections and denies all incoming connections. This means that if you are using ssh to connect to your server, you will need to open the appropriate ports first *before* enabling ufw. Do that like this:
|
||||
|
||||
```bash
|
||||
sudo ufw allow 22/tcp
|
||||
```
|
||||
|
||||
ufw will automatically configure `iptables` to allow incoming connections on port 22 that use `tcp`. I will talk more about allowing and denying different connections later.
|
||||
|
||||
Just in case ufw blocks your ssh connection and you are unable to get back in, you can use another program called `at` to schedule the disabling of the ufw so that you can get back in again. If you don't have it installed, you can install it with `sudo apt install at`.
|
||||
|
||||
```bash
|
||||
sudo at -vM now +10 minutes
|
||||
ufw disable
|
||||
^D
|
||||
```
|
||||
|
||||
Where `^D` stands for `CTRL + D`. Now that you have it set such that ufw will disable itself in 10 minutes time, we go ahead and turn ufw on:
|
||||
|
||||
```bash
|
||||
sudo ufw enable
|
||||
```
|
||||
|
||||
<!-- TODO: check that `yes` is the correct response -->
|
||||
It will warn you that this may disrupt any existing ssh connections you have open. Reply `yes` to this. Once it have been enabled successfully, you should check that you can still ssh into your server (if that is the method that you are using to control it). If yes, great! If not, ufw will disable itself in 10 minutes and then you can try again.
|
||||
|
||||
Now that we have ufw enabled, we can cancel the `at` job we created to disable ufw. Type `sudo atq` to list the jobs you have schedules, and `sudo atrm <number>` to remove it, where `<number>` is the number of the jobs that you want to delete.
|
||||
|
||||
You may also want to check the status of ufw to make sure that it is enabled, or to get a list of the rules that are currently in force. You can do that like this:
|
||||
|
||||
```bash
|
||||
sudo ufw status
|
||||
```
|
||||
|
||||
```
|
||||
Status: active
|
||||
|
||||
To Action From
|
||||
-- ------ ----
|
||||
22/tcp ALLOW Anywhere
|
||||
22/tcp (v6) ALLOW Anywhere
|
||||
```
|
||||
|
||||
#### Allowing connections
|
||||
Since we're going to be setting up a web server, we'll need to allow ti through ur new firewall. Doing so is easy. Simply do this:
|
||||
|
||||
```bash
|
||||
sudo ufw allow 80/tcp
|
||||
```
|
||||
|
||||
Ufw will automatically configure iptables, in this example, to allow all connections on port 80 that use TCP. It will also configure it appropriately for both ipv4 and ipv6.
|
||||
|
||||
If you ever want to incoming connections on another port in the future, replace `80` with the port number you want to allow and `tcp` with `udp` if needed.
|
||||
|
||||
Ufw also understands several protocol names, and can configure itself accordingly:
|
||||
|
||||
```bash
|
||||
sudo ufw allow http
|
||||
sudo ufw allow imap
|
||||
```
|
||||
|
||||
|
||||
## Installing a Web Server
|
||||
With our server secured, we can now install our web server. In this tutorial, we'll be using _[Nginx](https://nginx.org)_.
|
||||
|
||||
|
|
Loading…
Reference in a new issue