In this guide: setting up UFW as a basic firewall that allows only the required ports.
Recommendation: keep a fallback access path (second SSH session, SSH key, provider console). Apply security changes in small steps and verify access after each change.
If something goes wrong: check that the service is running, that it is listening on the expected port, and that your firewall allows the connection. For web services, `nginx -t` and `journalctl -u nginx` are good starting points. After enabling UFW, confirm you did not lose SSH access. The `OpenSSH` rule must be active.
After security changes, always re-check login and access rights. If something breaks, rollback should be quick and obvious (fallback session/console).
Below you’ll find a quick checklist, verification commands, and common pitfalls. This helps you not only “do it”, but also confirm what a correct outcome looks like.
Quick checklist
- Keep a fallback access path (second SSH session/provider console).
- Do not expose unnecessary ports. Publish only what you need.
- Verify permissions on keys/configs (a frequent cause of issues).
- Make one small change at a time and verify the result immediately.
- Keep notes of what you changed (file/command/time).
Verify the result
```bash
# Verify / sanity checks
sudo sshd -t
sudo ufw status verbose || true
sudo fail2ban-client status sshd || true
sudo ss -lntup | head -n 80
```
Common pitfalls
- Disabling passwords/root before verifying key login.
- Overly aggressive firewall rules (locking yourself out).
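```bash
# Install UFW
sudo apt update
sudo apt install -y ufw
# Default policy: block inbound, allow outbound
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH first, then only the ports you publish (HTTP/HTTPS here)
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Enable the firewall and review the active rules
sudo ufw enable
sudo ufw status verbose
```
Do not lock out SSH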
Make sure OpenSSH is allowed before enabling UFW.
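A pre-flight check for this rule, as an added example that is not part of the original guide: it compares the ports sshd listens on (from `ss -lntup`) with the rules listed by `ufw show added`, and flags the case where sshd runs on a non-default port that the `OpenSSH` profile (22/tcp) does not cover. The function names and sample data are constructed, and the assumed rule-line format is noted in the comments.

```shell
#!/bin/sh
# Added example: pre-flight check to run before `ufw enable`.
# Assumes `ufw show added` prints one "ufw allow ..." line per rule and that
# the SSH listener appears as "sshd" in `ss -lntup` output.

# stdin: `ss -lntup` output; stdout: TCP ports sshd listens on, one per line.
sshd_ports() {
    awk '/LISTEN/ && /"sshd"/ {
        # Local address is the first field ending in ":<port>" (peer ends in ":*").
        for (i = 1; i <= NF; i++)
            if ($i ~ /:[0-9]+$/) { n = split($i, a, ":"); print a[n]; break }
    }' | sort -un
}

# $1: port, $2: `ufw show added` output. Succeeds if a simple allow/limit
# rule covers the port. Only "PORT", "PORT/tcp" and "OpenSSH" forms are handled.
port_allowed() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "ufw" && ($2 == "allow" || $2 == "limit") {
            if ($3 == "OpenSSH" && p == "22") ok = 1   # OpenSSH profile is 22/tcp
            if ($3 == p || $3 == (p "/tcp")) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# $1: ss output, $2: ufw rules. Prints uncovered sshd ports; fails if any exist.
uncovered_ssh_ports() {
    missing=""
    for p in $(printf '%s\n' "$1" | sshd_ports); do
        port_allowed "$p" "$2" || missing="$missing $p"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample: sshd moved to port 2222, but only the OpenSSH profile is allowed.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:2222      0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128             [::]:2222         [::]:*     users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=900,fd=6))'
SAMPLE_RULES='ufw allow OpenSSH
ufw allow 80/tcp
ufw allow 443/tcp'

uncovered_ssh_ports "$SAMPLE_SS" "$SAMPLE_RULES" \
    || echo "sshd port(s) above have no allow rule: do not run 'ufw enable' yet"
```

On a real host, pass `"$(sudo ss -lntup)"` and `"$(sudo ufw show added)"` instead of the constructed samples.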
