
🛡️ Firewall and Fail2ban Setup

  • Set up UFW (Uncomplicated Firewall) to block unwanted ports
  • Install and configure Fail2ban to protect against brute-force attacks

🔥 Step 1: Install and Enable UFW

sudo apt install ufw -y
sudo ufw default deny incoming
sudo ufw default allow outgoing

🔓 Step 2: Allow Required Ports

sudo ufw allow ssh
sudo ufw allow 30333/tcp # Example: blockchain node port

👉 Add any other ports needed (e.g., for Grafana, Prometheus, or a custom SSH port). Note that "ufw allow ssh" resolves to 22/tcp via /etc/services: if sshd listens on a different port, allow that port number here, before Step 3, or enabling the firewall will cut off your own session. Monitoring ports such as Grafana (3000) or Prometheus (9090) should not be opened to the whole internet; restrict them to the address you administer from, e.g. sudo ufw allow from 203.0.113.10 to any port 3000 proto tcp (203.0.113.10 is a placeholder for your own IP).


✅ Step 3: Enable the Firewall

sudo ufw enable
sudo ufw status verbose

"ufw enable" warns that it may disrupt existing SSH connections; answer y, since the SSH port was allowed in Step 2. UFW now drops every inbound connection that no rule permits, while outbound traffic and replies to connections you initiate are still allowed. Check "ufw status verbose" to confirm the policy reads "deny (incoming), allow (outgoing)" and that your SSH port is listed.


🛡️ Step 4: Install Fail2ban

sudo apt install fail2ban -y

Fail2ban tails the sshd log (or the systemd journal), counts failed logins per source IP, and once an IP exceeds maxretry failures within findtime it inserts a temporary firewall rule that drops that IP for bantime. On Debian and Ubuntu the package already enables the sshd jail through /etc/fail2ban/jail.d/defaults-debian.conf, so the next step is about tuning that jail rather than turning it on.


⚙️ Step 5: Configure Fail2ban for SSH

sudo nano /etc/fail2ban/jail.local

The file does not exist on a fresh install; create it with only the settings you want to override. Leave /etc/fail2ban/jail.conf untouched: it is replaced on package upgrades, and copying the whole file into jail.local would freeze every upstream default in your override file. Inside jail.local, add an [sshd] section:

[sshd]
# activate the jail (already true on Debian/Ubuntu via jail.d/defaults-debian.conf)
enabled = true
# port(s) to block for banned IPs; "ssh" is looked up in /etc/services,
# so put the port number here if sshd listens on a custom port
port = ssh
# sshd log file(s); %(sshd_log)s expands to the distribution default
logpath = %(sshd_log)s
# failed attempts tolerated within findtime (default 10m) before a ban
maxretry = 5

The ban itself lasts for bantime (default 10m). You can tweak maxretry, findtime, bantime, or add email alerts later. If fail2ban fails to start with "Have not found any log file for sshd jail", the host has no syslog writing /var/log/auth.log (Debian 12 and newer minimal images ship without rsyslog); add the line backend = systemd to the section so the jail reads sshd messages from the journal instead.


✅ Step 6: Restart and Enable Fail2ban

sudo systemctl restart fail2ban
sudo systemctl enable fail2ban

Check the jail is actually running with sudo fail2ban-client status sshd: it prints the number of failures seen and the list of currently banned IPs. An empty or missing sshd jail means the configuration did not load.
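
The six steps above, combined into one helper script. This is an added example and not part of the TokioStack page or of UFW/Fail2ban themselves. It assumes a Debian/Ubuntu host on which ufw and fail2ban are already installed (Steps 1 and 4), that it is run as root with the word "apply" as its first argument, and it uses the page's example node port 30333. The choices banaction = ufw (so bans land in the same rule set UFW manages), backend = systemd, findtime 10m and bantime 1h are the author's assumptions, not values from the page. Its one safety feature beyond the page is that it reads the real SSH port from sshd_config before enabling the firewall, so a custom port cannot lock you out.

```shell
#!/bin/sh
# Added example: applies the UFW + Fail2ban steps in one go.
# Assumptions (not from the page): Debian/Ubuntu, ufw and fail2ban installed,
# run as root as "sh harden.sh apply". NODE_PORT defaults to the page's 30333.
set -eu

NODE_PORT="${NODE_PORT:-30333}"

# Accept only a numeric port in 1..65535.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Port sshd actually listens on: the first uncommented "Port N" line in
# sshd_config, defaulting to 22. Allowing this port before "ufw enable"
# is what prevents locking yourself out when SSH was moved off 22.
sshd_port_from_config() {
    cfg="${1:-/etc/ssh/sshd_config}"
    port=""
    if [ -r "$cfg" ]; then
        port=$(awk 'tolower($1)=="port" && $2 ~ /^[0-9]+$/ {print $2; exit}' "$cfg")
    fi
    echo "${port:-22}"
}

# Render a minimal jail.local containing only overrides (never a copy of
# jail.conf). Durations use fail2ban's own syntax, e.g. 10m or 1h.
render_jail_local() {
    ssh_port="$1"; maxretry="$2"; findtime="$3"; bantime="$4"
    validate_port "$ssh_port" || { echo "bad ssh port: $ssh_port" >&2; return 1; }
    cat <<EOF
[DEFAULT]
# ban through UFW so fail2ban and the firewall share one rule set (assumption)
banaction = ufw
# read sshd messages from journald; works even without /var/log/auth.log
backend = systemd
findtime = ${findtime}
bantime = ${bantime}

[sshd]
enabled = true
port = ${ssh_port}
maxretry = ${maxretry}
EOF
}

# Steps 1-6 of the page, in order, with the SSH port taken from sshd_config.
apply_hardening() {
    ssh_port=$(sshd_port_from_config /etc/ssh/sshd_config)
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow "${ssh_port}/tcp" comment 'ssh'
    ufw allow "${NODE_PORT}/tcp" comment 'node p2p'
    ufw --force enable            # --force skips the interactive y/N prompt
    render_jail_local "$ssh_port" 5 10m 1h > /etc/fail2ban/jail.local
    fail2ban-client -t            # syntax-check the config before restarting
    systemctl enable --now fail2ban
    systemctl restart fail2ban
    # Show what is actually enforced.
    ufw status verbose
    fail2ban-client status sshd
}

if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    apply_hardening
fi
```

Run it as sudo sh harden.sh apply (harden.sh is whatever name you save it under). Without the "apply" argument it only defines the functions, so you can source it and call render_jail_local to preview the configuration before writing anything to /etc/fail2ban.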

🎉 Done!

You’ve now:

  • Enabled a default-deny firewall with only key ports open
  • Set up brute-force protection for SSH

This closes off every port you did not explicitly expose and makes SSH password guessing slow and noisy, but bans are temporary and Fail2ban does not stop a patient attacker who rotates source addresses. Pair it with key-based logins (PasswordAuthentication no in sshd_config) and keep the services behind the ports you did open, such as the node on 30333, patched.

© 2025 TokioStack. All rights reserved.