@VirtuBox
Last active August 15, 2019 13:03
WordOps Firewall config
#!/usr/bin/env bash
# get the ssh port(s) from the uncommented "Port" directives of sshd_config
# (a plain grep "Port" also matches "#Port 22" and "GatewayPorts no")
SSH_PORTS=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' /etc/ssh/sshd_config | awk '{print $2}')
# sshd listens on 22 when no Port directive is set
SSH_PORTS=${SSH_PORTS:-22}
# define firewall rules
ufw logging low
ufw default allow outgoing
ufw default deny incoming
# default ssh port, rate-limited to slow down brute-force attempts
ufw limit 22
# custom ssh port(s)
for SSH_PORT in $SSH_PORTS; do
    if [ "$SSH_PORT" != "22" ]; then
        ufw limit "$SSH_PORT"
    fi
done
# dns
ufw allow 53
# nginx
ufw allow http
ufw allow https
# ntp
ufw allow 123
# wordops backend
ufw allow 22222
nsgoyat commented Aug 15, 2019

Hello Master,
Shouldn't there be "Allow" for the PHP 7.2, 7.2, Redis, MySQL, Netdata, Rsync ports? I usually set up the following. Could you please tell me if I am doing anything wrong here:

sudo ufw allow 21 comment 'FTP'
sudo ufw allow 22 comment 'SSH'
sudo ufw allow 25 comment 'Mail'
sudo ufw allow 53 comment 'DNS'
sudo ufw allow http comment 'HTTP'
sudo ufw allow https comment 'HTTPS'
sudo ufw allow 9090 comment 'PHP 7.2'
sudo ufw allow 9093 comment 'PHP 7.3'
sudo ufw allow 6379 comment 'Redis'
sudo ufw allow 3306 comment 'MySQL'
sudo ufw allow 19999 comment 'Netdata'
sudo ufw allow OpenSSH
sudo ufw allow 873 comment 'Rsync'
sudo ufw allow 22222 comment 'EE/WO Admin'
sudo ufw allow 11371 comment 'GPG Key Server'

@VirtuBox (Author) commented

Hello @nsgoyat,
no, you shouldn't allow ports like PHP-FPM, Redis or MySQL.

  1. The line ufw default allow outgoing means we allow outgoing traffic on all ports
  2. The line ufw default deny incoming means we deny incoming traffic on all ports
  3. Then we open only the incoming ports we need, which means SSH, DNS, HTTP/HTTPS, NTP, WordOps Backend.

But the firewall rules do not apply to the loopback interface (127.0.0.1). So it's not required and not recommended to open ports for services like MySQL. You are lucky because all those services are bound to 127.0.0.1, which means they do not listen on the network interface. Otherwise it could be a huge security breach because anybody would be able to bruteforce MySQL or to access data stored in Redis.

Other information: I do not open a port for Netdata because it's more secure to access it from the WordOps dashboard, rather than giving access to metrics to everybody. Rsync isn't required because it works fine over the SSH protocol.
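
To verify the point above (that MySQL, Redis and PHP-FPM listen only on the loopback interface, so no ufw rule is needed for them) before deciding which ports to open, here is an added example that is not part of the gist or of WordOps: it parses `ss -H -lnt` style output and lists the ports that listen on a non-loopback address but are not in the expected allow-list. The socket table below is constructed sample data, not output from a real host.

```shell
#!/usr/bin/env bash
# Classify listening TCP sockets as loopback-only or network-exposed.
# Input lines use the `ss -H -lnt` layout: State Recv-Q Send-Q Local:Port Peer:Port
# Output: one line per socket, "<port> loopback" or "<port> exposed".
classify_listeners() {
    awk '{
        port = $4; sub(/.*:/, "", port)          # text after the last ":" is the port
        addr = $4; sub(/:[0-9*]+$/, "", addr)    # everything before it is the address
        if (addr == "127.0.0.1" || addr == "[::1]")
            print port, "loopback"
        else
            print port, "exposed"
    }'
}

# Print only ports listening on a non-loopback address that are NOT in the allow-list.
# Usage: exposed_unexpected "22 80 443 22222" < ss_output
exposed_unexpected() {
    allowed=" $1 "
    classify_listeners | awk -v allowed="$allowed" \
        '$2 == "exposed" && index(allowed, " " $1 " ") == 0 { print $1 }'
}

# Constructed sample in `ss -H -lnt` format: web and SSH ports exposed as expected,
# MySQL/PHP-FPM on loopback, but Netdata (19999) and an IPv6 Redis socket exposed.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 127.0.0.1:9000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:19999 0.0.0.0:*
LISTEN 0 128 [::1]:3306 [::]:*
LISTEN 0 511 [::]:6379 [::]:*
LISTEN 0 128 [::]:22222 [::]:*'

# Audit the sample; on a live host use: ss -H -lnt | exposed_unexpected "22 80 443 22222"
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | exposed_unexpected "22 80 443 22222"
}
```

Any port this prints is reachable from the network regardless of the ufw rules, so the fix is to bind the service to 127.0.0.1 rather than to add an allow rule.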

nsgoyat commented Aug 15, 2019

Thanks a ton for the great insights master. Will make the required changes right now.

Should I keep the following ones too or aren't they required:

sudo ufw allow 21 comment 'FTP'
sudo ufw allow 25 comment 'Mail'

@VirtuBox (Author) commented

If you only have WordOps installed on your server, port 25 isn't required, and for FTP, WordOps already handles this configuration during the proftpd installation.
