As one of the most widely deployed cloud server operating systems (OS), Ubuntu Server is a great platform to use in just about any cloud. The latest version (12.04 LTS) provides some great new enhancements spanning orchestration and provisioning, as well as OpenStack deployment for private clouds. But how’s the security – specifically, the firewalling?
Well, like prior versions of Ubuntu Server, 12.04 includes Linux iptables, – a powerful command line firewall tool, which can be managed by Ubuntu’s built-in ufw (Uncomplicated Firewall). Ufw is disabled, by default, so here are some basic commands that you’ll need to know if you plan to use it:
Five Ubuntu Server Basic, But Must-Know Firewall Commands
sudo ufw enable Enables ufw to manage iptables. sudo ufw allow 22 Open port 22 (or whatever port you specify) on your firewall. sudo ufw deny 22 Closes port 22. sudo ufw status Displays your firewall status. sudo ufw disable Disables ufw.
Challenges to Ubuntu Server ufw
There are a lot more commands that you can learn. A full guide is available at https://help.ubuntu.com/12.04/serverguide/firewall.html. But dig any deeper and things quickly become complex and your margin for error is small. You might, for example, open the wrong port, disable the wrong rule, open a port for an untrusted or shared / dynamic IP, and spend a lot of time in the process.
What’s more, unless you use your cloud providers firewall management utility (if they have one) atop ufw, you’re apt to leave certain administrative ports (e.g., SSH, phpMyAdmin, etc.) open so you can remotely connect. And this has the unfortunate consequence of exposing your servers to brute force attacks and exploits.
So, while knowing the above commands for ufw arms you with a baseline level of knowledge, the ufw tool doesn’t really lend itself to efficient management, especially when you’re faced with supporting more than one or two servers. I mean, imagine trying to manually enter command line ufw firewall rules individually for ten or twenty servers. Not fun!
A Better Approach to Managing Ubuntu Server Firewall
Fortunately, we at Dome9 have developed a firewall management tool for Ubuntu Server, and it supports all versions in all platforms – cloud, dedicated, and virtual private servers (VPS).
Dome9 lets you remotely manage your Ubuntu Server firewalls via our easy-to-use GUI (no more command line), which means your security is easier to manage and less prone to error. What’s more, Dome9 aggregates iptables firewall management for multiple servers. So instead of manually using command line for each Ubuntu Server, you can set one policy in our GUI for groups of servers. I hesitate to quote the Lord of the Rings (don’t want to be cheesy), but for the purpose of providing an analogy the line, “one ring to rule them all” really illustrates this capability well.
The Five Ubuntu Server Basic Firewall Commands Using Dome9
So we’ve said using Dome9 is faster, easier, and more secure, but don’t just take our word for it – see for yourself…
First off, there is no need to enable/disable ufw if you’re using Dome9. We manage iptables directly. So here’s what it looks like to configure a policy to open / close port 22 (SSH) in Dome9’s UI.
Notice that you have a simple and clean UI – no command line. What’s more, the ‘on-demand’ setting means port 22 is closed to the public Internet and available only when you click our ‘Get Access’ button our use our Instant Access feature in Chrome or your iPhone.
Now, here’s a screenshot of a user getting access to a remote server via port 22… 1 button, 1 click, and instantly we have time-based secure access (on-demand)!
Interested? Check out our Ubuntu Server page at http://www.dome9.com/security-challenges/ubuntu-firewall-management to learn more, and sign up now for Dome9 to make managing your Ubuntu Server firewall a breeze!