- Configure a host-based firewall (UFW)
NOTE: If you are running on a VPS, check the control panel and ensure that any open ports on your host are also updated within the VPS control panel (it may have an additional firewall between your host and the internet)
Description | Command | 1 | Create basic firewall rules to secure the host, copy and paste each of the commands in order.
Port 80/443 (http/https) are required only if you do not have your own SSL certificate (used for validation of the DNS record when obtaining a certificate from letsencrypt)注意:如果您在VPS上运行,请检查控制面板并确保主机上的所有打开端口也在VPS控制面板中更新(它可能在主机和Internet之间有一个额外的防火墙)
| 描述 | 指令 |
|---|
| 1 | 创建基本防火墙规则以保护主机,按顺序复制和粘贴每个命令。
仅当您没有自己的SSL证书时才需要端口80/443(http / https)(用于从letsencrypt获取证书时验证DNS记录)
|
| Code Block |
|---|
sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw allow ssh/tcp
sudo ufw limit ssh/tcp
sudo ufw allow http/tcp
sudo ufw allow https/tcp
sudo ufw allow 9033/tcp
sudo ufw logging on
sudo ufw -f enable
sudo ufw status |
| Panel |
|---|
| borderColor | grey |
|---|
| bgColor | black |
|---|
| titleColor | white |
|---|
| borderWidth | 2 |
|---|
| titleBGColor | black |
|---|
| borderStyle | solid |
|---|
| title | Example Output |
|---|
| zenops@zsec01:~$ sudo ufw status
Status: active To......................................................................Action..................From
--.......................................................................-------...................-----
22/tcp..............................................................LIMIT....................Anywhere
80/tcp..............................................................ALLOW................Anywhere
443/tcp............................................................ALLOW...............Anywhere
9033/tcp..........................................................ALLOW...............Anywhere
22/tcp.(v6).......................................................LIMIT..................Anywhere.(v6)
80/tcp.(v6).......................................................ALLOW..............Anywhere.(v6)
443/tcp.(v6)....................................................ALLOW...............Anywhere.(v6)
9033/tcp.(v6)..................................................ALLOW..............Anywhere.(v6) |
|
| 2 | UFW generally installs, enabled at boot by default, to be certain that it starts at boot, enable it with systemctlUFW通常安装,默认情况下在启动时启用,以确保它在启动时启动,使用systemctl启用它 |
| Code Block |
|---|
sudo systemctl enable ufw |
|
Part 5 of 11 - Securing the Host
| Insert excerpt |
|---|
| Social Links友情链接Social Links |
|---|
| 友情链接 |
|---|
| nopanel | true |
|---|
|