How To Set Up a Firewall with UFW on Ubuntu 18.04

Step 1 — Using IPv6 with UFW (Optional)

This tutorial is written with IPv4 in mind, but will work for IPv6 as well as long as you enable it. If your Ubuntu server has IPv6 enabled, ensure that UFW is configured to support IPv6 so that it will manage firewall rules for IPv6 in addition to IPv4. To do this, open the UFW configuration with nano or your favorite editor.

  • sudo nano /etc/default/ufw

Then make sure the value of IPV6 is yes. It should look like this:

/etc/default/ufw excerpt
IPV6=yes

Save and close the file. Now, when UFW is enabled, it will be configured to write both IPv4 and IPv6 firewall rules. However, before enabling UFW, we will want to ensure that your firewall is configured to allow you to connect via SSH. Let’s start with setting the default policies.

  • sudo ufw allow 443
  • sudo ufw allow https


Step 4 — Enabling UFW

To enable UFW, use this command:

  • sudo ufw enable

You will receive a warning that says the command may disrupt existing SSH connections. We already set up a firewall rule that allows SSH connections, so it should be fine to continue. Respond to the prompt with y and hit ENTER.

How to set up Fail2ban to detect Apache 404 attacks?

Now, let's see how our Dedicated Engineers set up Fail2ban to block 404 scans and invalid request methods.

1) Create filter

Firstly, our Support Engineers create a filter in the location /etc/fail2ban/filter.d. Further, we add a set of rules to ban IPs that cause 404 errors.

For example, to monitor the Apache 404 requests, we create a filter file apache-404.conf in the location /etc/fail2ban/filter.d. The filter looks like this.

[Definition]
# One match per request that received a 404; <HOST> captures the client IP.
failregex = ^<HOST> - .* "(GET|POST|HEAD).*HTTP.*" 404 .*$
# Do not count 404s for files that browsers request on their own.
ignoreregex = .*(robots.txt|favicon.ico|jpg|png)

The regular expression to match goes under the failregex parameter. The expression above matches each request line that received a 404 response and captures the client IP address in the <HOST> placeholder; the jail then counts how often each address appears. The ignoreregex excludes 404s for files such as robots.txt, favicon.ico and images, which browsers request on their own.

2) Create a custom jail

Secondly, we add a new jail in the location /etc/fail2ban/jail.conf. This defines the Apache log path to be checked, maxretry, bantime etc.

For example, to create a custom jail that monitors the Apache 404 requests, we add the following code in the file /etc/fail2ban/jail.conf.

[apache-404]
enabled = true
port = http,https
filter = apache-404
# The 404 status appears in the access log, which is what the filter parses.
logpath = /var/log/httpd/access_log
bantime = 3600
findtime = 600
maxretry = 5

Here, we point the logpath parameter at the Apache log file. The bantime parameter specifies how many seconds an offending IP is banned for. We set this to a balanced value: not so short that it fails to deter malicious users, and not so long that a legitimate user who triggers it is locked out.

Further, the maxretry parameter specifies how many matching requests an address is allowed. If a client exceeds the maxretry value within the number of seconds given by findtime, it is banned for bantime.
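To see what the filter and jail above actually do to a log, here is an added example (not Fail2ban's own code) that applies the page's failregex and ignoreregex to constructed access_log lines and reproduces the findtime/maxretry counting that decides a ban. The `<HOST>` placeholder is expanded to a named group, and the sample log lines and IPs are made up for the test.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The page's filter, with fail2ban's <HOST> placeholder expanded to a named group.
FAILREGEX = re.compile(r'^(?P<host>\S+) - .* "(GET|POST|HEAD).*HTTP.*" 404 .*$')
IGNOREREGEX = re.compile(r'.*(robots\.txt|favicon\.ico|jpg|png)')
TS_RE = re.compile(r'\[([^\]\s]+)')          # "[10/Oct/2020:13:55:36 +0000]"
TS_FORMAT = "%d/%b/%Y:%H:%M:%S"

def parse_line(line):
    """Return (client_ip, timestamp) if the line is a countable 404 hit, else None."""
    match = FAILREGEX.match(line)
    if match is None or IGNOREREGEX.search(line):
        return None
    ts = datetime.strptime(TS_RE.search(line).group(1), TS_FORMAT)
    return match.group("host"), ts

def offenders(lines, maxretry=5, findtime=600):
    """IPs that accumulate >= maxretry hits inside any findtime-second window."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = hits[ip]
        q.append(ts)
        while ts - q[0] > window:            # forget hits older than findtime
            q.popleft()
        if len(q) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

# Constructed sample access_log lines (hypothetical IPs, not real traffic).
def _line(ip, hhmmss, path, status):
    return (f'{ip} - - [10/Oct/2020:{hhmmss} +0000] "GET {path} HTTP/1.1" '
            f'{status} 209 "-" "test-agent"')

SAMPLE_LOG = [
    _line("198.51.100.4", "13:00:01", "/index.html", 200),   # normal request
    _line("198.51.100.4", "13:00:02", "/favicon.ico", 404),  # 404 but ignored
    _line("192.0.2.9",    "13:00:00", "/old-page", 404),     # two 404s, 30 min apart
    _line("192.0.2.9",    "13:30:00", "/old-page", 404),
] + [_line("203.0.113.7", f"14:05:{s:02d}", f"/wp-login{s}.php", 404)
     for s in range(0, 50, 10)]                              # 5 hits within 40 s

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))                             # ['203.0.113.7']
```

Only the scanner that produced five 404s inside the 600-second findtime is banned; the ignored favicon.ico request and the widely spaced 404s from the other address never reach maxretry.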