Securing Your Server
UFW Basics
UFW, which stands for Uncomplicated Firewall, is a simplified front end for iptables, the host-based firewall on Linux machines. Enabling and configuring your host firewall is a crucial layer of defense against intrusions.
Note: The ufw command will likely need to be run with sudo privileges.
Enabling UFW and checking status
Check the status of UFW.
Enable/disable UFW.
List available application profiles.
Managing firewall rules
Allow SSH access to this host. (Add this rule before enabling UFW on your VPS! Otherwise, you'll be locked out!)
Allow incoming HTTPS traffic.
Allow incoming traffic on port 3000 on this host with a comment identifying the service.
Allow incoming UDP traffic on port 514.
Deny traffic on port 21 on this host.
Show a numbered list of current rules.
Delete a particular rule from the numbered list.
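The commands behind the list above, collected into one script that can be dry-run before it touches the firewall. This is an added example, not the page's own commands: the default-deny/allow-outgoing policy, the `comment` labels, the `example-app` name and the `--apply` switch are assumptions for this example; the ports are the ones named above. Note the order: the SSH rule is applied first and `enable` comes last, so a remote session is never locked out.

```shell
#!/bin/sh
# Added example (not from the page): a baseline UFW setup mirroring the
# rules listed above. Default policies and the comment labels are assumptions.
set -eu

# Rules in the order they should be applied: SSH before anything else, so
# that enabling the firewall never drops the session you are working from.
ufw_rules() {
  cat <<'EOF'
default deny incoming
default allow outgoing
allow 22/tcp comment ssh
allow 443/tcp
allow 3000/tcp comment example-app
allow 514/udp
deny 21/tcp
EOF
}

# Apply every rule, then enable UFW. The first argument is the command used
# to run each rule; pass "echo" for a dry run that only prints the commands.
apply_ufw_rules() {
  runner="${1:-sudo ufw}"
  ufw_rules | while IFS= read -r rule; do
    # Intentionally unquoted: each rule line is split into ufw arguments.
    $runner $rule
  done
  # --force skips the "may disrupt existing ssh connections" prompt.
  $runner --force enable
}

# Show the numbered rule list; the numbers are what "delete" expects.
show_ufw_rules() {
  runner="${1:-sudo ufw}"
  $runner status numbered
}

# Delete rule number $1 from the numbered list; $2 optionally overrides the
# runner (again, "echo" for a dry run).
delete_ufw_rule() {
  runner="${2:-sudo ufw}"
  $runner --force delete "$1"
}

# Dry run by default; pass --apply to run against the real firewall.
if [ "${1:-}" = "--apply" ]; then
  apply_ufw_rules "sudo ufw"
else
  apply_ufw_rules echo
fi
```

Run it once without arguments to review the exact `ufw` invocations, then with `--apply`. Because rule numbers shift after every deletion, call `show_ufw_rules` again before each `delete_ufw_rule N`.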
There is a fantastic reference for UFW provided by DigitalOcean here: https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands
Resolving the UFW and Docker issue
This might not be needed if the Docker compose files are bound to 127.0.0.1.
To Fix The Docker and UFW Security Flaw Without Disabling Iptables
Solution? See:
- https://vpetersson.com/2014/11/03/the-dangers-of-ufw-docker.html
- https://www.techrepublic.com/article/how-to-fix-the-docker-and-ufw-security-flaw/
- https://askubuntu.com/questions/652556/uncomplicated-firewall-ufw-is-not-blocking-anything-when-using-docker
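A quick check for the condition the note above describes: Docker inserts its own iptables rules for published ports, so a compose mapping such as `"3000:3000"` is reachable from the network no matter what UFW says, while `"127.0.0.1:3000:3000"` stays on loopback. The script below, an added example rather than anything from the page or the linked articles, scans a compose file for short-syntax port mappings that carry no host-IP prefix (or an explicit `0.0.0.0:`). The sample compose fragment is constructed for the example; the long `target:`/`published:` syntax is not handled.

```shell
#!/bin/sh
# Added example (not from the page): audit a docker-compose file for published
# ports bound to every interface, which bypass UFW via Docker's iptables rules.
set -eu

# Constructed sample: "web" is bound to loopback, "app" publishes two ports
# on all interfaces.
SAMPLE_COMPOSE='services:
  web:
    ports:
      - "127.0.0.1:8080:80"
  app:
    ports:
      - "3000:3000"
      - 5432:5432
'

# Read compose YAML on stdin and print each short-syntax port mapping that
# has no host-IP prefix (starts directly with a host port) or binds 0.0.0.0.
find_exposed_ports() {
  grep -E '^[[:space:]]*-[[:space:]]*"?(0\.0\.0\.0:)?[0-9]+(-[0-9]+)?:[0-9]+' \
    | sed -E 's/^[[:space:]]*-[[:space:]]*"?//; s/"?[[:space:]]*$//'
}

# Audit the file given as $1, or the constructed sample when none is given.
audit_compose() {
  if [ "${1:-}" != "" ]; then
    find_exposed_ports < "$1"
  else
    printf '%s' "$SAMPLE_COMPOSE" | find_exposed_ports
  fi
}

exposed=$(audit_compose "${1:-}")
if [ -n "$exposed" ]; then
  printf 'port mappings exposed on all interfaces (UFW is bypassed):\n%s\n' "$exposed"
  echo "fix: prefix the host port with 127.0.0.1: and let the host firewall decide"
fi
```

Point it at a real file with `sh audit.sh docker-compose.yml`; an empty result means every published port is bound to a specific address.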
Comprehensive Guides
If you want to learn more about Linux and security, there isn't a more aptly named guide than How To Secure A Linux Server. This GitHub repo is essentially just a giant README.md file that goes into each action with thorough explanations, references, and commands; even special commands for the lazy!
How-To-Secure-A-Linux-Server-With-Ansible
We should also add that there is an Ansible playbook based on the above recommendations, so you could easily complete all of them in just a few steps! See How To Secure A Linux Server With Ansible.
Other good references:
CIS Benchmarks
The Center for Internet Security publishes a set of recommended configurations for securing most of the common server operating systems, from Ubuntu to RHEL and even Windows Server. These recommendations are called CIS Benchmarks. Applying these configurations will resolve many of the vulnerabilities stemming from misconfigured servers. While nothing can make your server 100% hack-proof, these recommendations bring your systems to a baseline that's been adopted by corporations and government agencies alike.
While the CIS Benchmarks are a great baseline, remember that they are only that: a baseline. It's possible that your own needs might go against a particular recommendation. This is fine, as long as you are making a conscious acceptance of the deviation and (if it's severe enough) attempt to mitigate the risk with a compensating control.
Applying CIS Benchmarks to Ubuntu Server
There are too many items in these recommendations to discuss individually, even too many to review yourself! Fortunately, you can take advantage of a great tool called Ubuntu Security Guide (USG), which can apply CIS Benchmarks and DISA-STIG profiles. However, access to USG is only for machines enrolled in an Ubuntu Pro subscription. The good news is that you can enroll up to 5 Ubuntu machines (servers or workstations) into Ubuntu Pro for free.
A great guide to using USG to apply the CIS Benchmarks to your server is found below.
Applying CIS Benchmarks with Ansible
For an automated approach, you can also apply CIS Benchmarks with Ansible. For those instructions go to this page.