Linux UFW Firewall Hardening for Production
- Author: Liam K.
- Date: March 08, 2026
- Time: 14 minutes
Before You Start
Never enable a firewall on a remote server until SSH access is explicitly allowed. With the default deny incoming policy set in Step 2, enabling UFW without an SSH rule blocks every new SSH login, and on a remote host there may be no other way back in.
Step 1: Install and Reset UFW
```bash
sudo apt update
sudo apt install -y ufw
# reset disables UFW and deletes every existing rule, so the policy below
# is built from a known-empty state
sudo ufw --force reset
```
Step 2: Set Secure Defaults
```bash
# drop all inbound traffic unless a later rule allows it; outbound stays open
sudo ufw default deny incoming
sudo ufw default allow outgoing
```
Step 3: Allow SSH and Add Rate Limit
```bash
sudo ufw allow 22/tcp
# limit both allows the port and rate-limits it: a source that opens 6 or more
# new connections within 30 seconds is blocked. ufw replaces the earlier allow
# rule for the same port with this limit rule, so limit on its own is enough.
sudo ufw limit 22/tcp
```
Step 4: Allow Public Services
```bash
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
```
Step 5: Optional Rules for App Ports
```bash
# internal-only services: restrict the source to the private ranges that need
# them instead of exposing the port to every address
sudo ufw allow from 10.0.0.0/8 to any port 3000 proto tcp
sudo ufw allow from 192.168.0.0/16 to any port 5432 proto tcp
```
Step 6: Enable Logging
```bash
# medium logs blocked packets, packets matched by an explicit allow rule and
# all new connections (rate-limited); entries go to /var/log/ufw.log
sudo ufw logging medium
```
Step 7: Enable Firewall
```bash
# enable asks for confirmation because it can disrupt existing SSH sessions;
# confirm only after the Step 3 rule is in place
sudo ufw enable
sudo ufw status verbose
```
Step 8: Verify Active Rules and Port Exposure
```bash
# listening TCP/UDP sockets with their owning process: every open port needs a reason
sudo ss -tulpen
# the iptables rules actually loaded, to confirm ufw's chains match the policy
sudo iptables -S
sudo ufw status numbered
```
Step 9: Remove Risky Rules Safely
```bash
sudo ufw status numbered
# rule numbers shift after every delete, so re-run status numbered before
# removing the next rule
sudo ufw delete <RULE_NUMBER>
```
Step 10: Basic Incident Workflow
```bash
# recent firewall decisions (BLOCK, LIMIT BLOCK and, at medium logging, ALLOW)
sudo tail -n 100 /var/log/ufw.log
# recent sshd activity, to correlate with blocked or rate-limited sources
sudo journalctl -u ssh -n 100 --no-pager
```

"A firewall policy should be boring and explicit. If a port is open, you should know exactly why."
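Steps 1 through 7 as one reviewable script, added here as an example and not code from the guide: it builds the policy as a plan, refuses to enable the firewall unless the plan allows the SSH port (the "Before You Start" rule as a gate), and only calls ufw when UFW_APPLY=1, so it can be dry-run offline first. The variable names SSH_PORT, PUBLIC_TCP_PORTS, APP_RULES and UFW_APPLY and the function names are this example's own assumptions; the ports and CIDRs are the guide's sample values.

```bash
#!/bin/sh
# Added example, not code from the guide: builds the Steps 1-7 policy as a plan,
# refuses to enable the firewall unless that plan allows the SSH port, and only
# runs ufw when UFW_APPLY=1, so the plan can be reviewed offline first.
# SSH_PORT, PUBLIC_TCP_PORTS, APP_RULES and UFW_APPLY are this example's own
# variable names; the CIDRs and ports are the guide's sample values.

SSH_PORT="${SSH_PORT:-22}"
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-80 443}"
# "cidr:port" pairs for internal-only app ports (IPv4 only, since ":" splits them)
APP_RULES="${APP_RULES:-10.0.0.0/8:3000 192.168.0.0/16:5432}"

# Emit one ufw sub-command per line, in the order they must run.
plan_ufw_hardening() {
    echo "reset"                       # wipes rules and disables ufw: fresh build only
    echo "default deny incoming"
    echo "default allow outgoing"
    echo "limit ${SSH_PORT}/tcp"       # limit both allows and rate-limits SSH
    for p in $PUBLIC_TCP_PORTS; do
        echo "allow ${p}/tcp"
    done
    for r in $APP_RULES; do
        echo "allow from ${r%%:*} to any port ${r##*:} proto tcp"
    done
    echo "logging medium"
    echo "enable"                      # last, after every allow rule exists
}

# The "Before You Start" rule as a gate: succeed only if no "enable" line
# comes before an allow/limit rule for the SSH port.
plan_is_safe() {
    printf '%s\n' "$1" | awk -v port="$SSH_PORT" '
        ($1 == "allow" || $1 == "limit") && $2 == (port "/tcp") { ssh = 1 }
        $NF == "enable" && !ssh { bad = 1 }
        END { exit bad + 0 }'
}

# Execute the plan line by line; dry-run unless UFW_APPLY=1.
apply_plan() {
    if ! plan_is_safe "$1"; then
        echo "refusing: plan would enable ufw without allowing SSH port $SSH_PORT" >&2
        return 1
    fi
    printf '%s\n' "$1" | while IFS= read -r cmd; do
        if [ "${UFW_APPLY:-0}" = "1" ]; then
            # --force answers ufw's confirmation prompts (reset, enable), which a
            # script cannot answer; the SSH gate above is what makes that safe.
            # shellcheck disable=SC2086
            sudo ufw --force $cmd
        else
            echo "[dry-run] sudo ufw --force $cmd"
        fi
    done
}

apply_plan "$(plan_ufw_hardening)"
```

Run it once without UFW_APPLY to read the printed plan, then with `UFW_APPLY=1` on the host. Changing SSH_PORT changes both the limit rule and the gate, so a non-standard SSH port cannot be forgotten.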
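Steps 8 through 10 turn the raw command output into decisions, and the following script, added here as an example rather than code from the guide, automates the two checks a practitioner actually makes: which numbered rules are open to Anywhere on a port outside the expected public set (the input to `ufw delete`), and which sources are being blocked most, on which ports, according to ufw.log. SAMPLE_STATUS and SAMPLE_LOG are constructed for this example (a subset of the real log fields), and EXPECTED_PUBLIC and the function names are its own assumptions.

```bash
#!/bin/sh
# Added example, not code from the guide: audits `ufw status numbered` output for
# rules open to Anywhere on ports outside an expected list (Steps 8-9) and
# summarises BLOCK entries from ufw.log by source (Step 10). SAMPLE_STATUS and
# SAMPLE_LOG are constructed for this example; EXPECTED_PUBLIC and the function
# names are this example's own assumptions.

EXPECTED_PUBLIC="${EXPECTED_PUBLIC:-22/tcp 80/tcp 443/tcp}"

# Constructed status output with one mistake: rule [ 5] exposes PostgreSQL to everyone.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     LIMIT IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 3000/tcp                   ALLOW IN    10.0.0.0/8
[ 5] 5432/tcp                   ALLOW IN    Anywhere
[ 6] 22/tcp (v6)                LIMIT IN    Anywhere (v6)'

# Print "<rule number> <port>" for every rule reachable from Anywhere whose
# port is not in EXPECTED_PUBLIC; the number is what `ufw delete` takes.
find_unexpected_exposure() {
    printf '%s\n' "$1" | awk -v expected="$EXPECTED_PUBLIC" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        /^\[ *[0-9]+\]/ {
            num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
            rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
            split(rest, f, /  +/)              # columns are separated by 2+ spaces
            port = f[1]; sub(/ \(v6\)$/, "", port)
            from = f[3]; sub(/ \(v6\)$/, "", from)
            if (from == "Anywhere" && !(port in ok)) print num, port
        }'
}

# Constructed ufw.log lines (a subset of the fields in the real kernel log format).
SAMPLE_LOG='Mar  8 14:01:02 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51234 DPT=23
Mar  8 14:01:03 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51235 DPT=3389
Mar  8 14:01:05 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=5432
Mar  8 14:01:06 web1 kernel: [UFW LIMIT BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=51236 DPT=22
Mar  8 14:01:07 web1 kernel: [UFW ALLOW] IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=50000 DPT=443'

# Print "<blocked count> <source> <destination ports hit>", busiest source first.
summarise_blocks() {
    printf '%s\n' "$1" | awk '
        /\[UFW (LIMIT )?BLOCK\]/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "") next
            count[src]++
            if (!((src, dpt) in seen)) {
                seen[src, dpt] = 1
                ports[src] = (src in ports) ? ports[src] "," dpt : dpt
            }
        }
        END { for (s in count) print count[s], s, ports[s] }' | sort -rn
}

echo "Rules open to Anywhere on unexpected ports (rule number, port):"
find_unexpected_exposure "$SAMPLE_STATUS"
echo "Blocked sources (count, source, destination ports):"
summarise_blocks "$SAMPLE_LOG"
```

On a real host, pass `"$(sudo ufw status numbered)"` and `"$(sudo tail -n 1000 /var/log/ufw.log)"` instead of the samples. A reported rule number is removed with `sudo ufw delete <RULE_NUMBER>`; because numbers shift after each delete, re-run the check before removing another rule.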
Technical Author: Liam K.
System administrator and technical writer specializing in server infrastructure, security and deployment. Creating comprehensive guides to help you master server administration.