2

So I'm running Ubuntu on my VPS. But the problem is that I have kids trying to figure out the password of the FTP connection and the VNC connection (with success).

Now I want to ask: is there a way to disable ALL INCOMING connections except my IP and my friend's IP?

Thanks in advance.

Cyber_Star

2 Answers

0

Allow by specific port and IP address

sudo ufw allow from <target> to <destination> port <port number>

I got this from the UFW help page. You also need to block connections first and then allow a specific one.

Frank Schrijver
  • I know that, but is there a way to deny everyone? So I did sudo ufw allow from MYIP. But how do I disable all the rest? – Cyber_Star May 17 '16 at 10:27
  • I believe you'd set up a config file with DENY ALL, then allow specific IPs using ALLOW 123.456.789.012. This answer contains a command you can execute in a terminal which will only persist for the current session... Once the machine reboots, the rule will be removed and you'd have to run it again. – XtrmJosh May 17 '16 at 10:30
  • I think you would want to deny just the VNC and FTP connections. sudo ufw default deny incoming - to deny all incoming. It might be useful to use this guide https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server – Frank Schrijver May 17 '16 at 10:47
0

I think the server firewall will sufficiently do this job, but it's pretty risky:

https://help.ubuntu.com/12.04/serverguide/firewall.html

The problem is, if you block all traffic except from your IP address, what happens if your IP address changes? You're locked out from your machine. If you know you have 2 routes into the server both with static IP addresses, you should be fine, but use this with caution and be aware that the only solution might involve reformatting the machine and losing all data should you lock yourself out.

It's probably possible using the firewall to only permit traffic through certain ports in certain ways, so you could (for instance) set your SSH port to something completely non-standard, and leave that port open to any IP (this will give you a fallback if you lock yourself out). Port scanners will find the open port, but if the people gaining access aren't skilled, as per your implication, it will stop them.

XtrmJosh
  • Indeed it's very risky, but I'll try to do it and change the SSH port to something random. Any idea what random should be, how high I can go? – Cyber_Star May 17 '16 at 10:37
  • I'd recommend staying under 1024 as anything above that can be accessed without root permissions. Pick a number, check what it's used for, and if you don't plan to use whatever it's used for, you're golden... If you don't play Doom, 666 is a good number! – XtrmJosh May 17 '16 at 11:49
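The two answers together describe one procedure: set ufw's default inbound policy to deny, then allow only the admin addresses on the ports that matter (answer 1), and keep one management port reachable as a fallback so a wrong rule cannot lock you out (answer 2). The script below is an added example and is not code from either answer or from the ufw project. The IP addresses, port list and DRY_RUN variable are assumed placeholders; DRY_RUN=1 only prints the rules so the plan can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example (not from the original answers): build the ufw allowlist
# that answers the question. Default policy first, then per-IP allow rules.

# Run a ufw command, or just print it when DRY_RUN=1 so the rule set can be
# reviewed before it touches a live server (and tested offline).
ufw_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "ufw $*"
    else
        sudo ufw "$@"
    fi
}

# Emit the full rule set.
#   $1  space-separated admin IPs, e.g. "203.0.113.10 198.51.100.7" (constructed)
#   $2  space-separated TCP ports,  e.g. "22 21 5900" (SSH, FTP, VNC from the question)
#   $3  optional fallback SSH port left reachable from any IP but rate-limited
#       with 'ufw limit', which is answer 2's guard against locking yourself out
allowlist_rules() {
    admin_ips="$1"
    admin_ports="$2"
    fallback_ssh_port="$3"
    # Deny everything inbound unless a later rule allows it; outbound stays open.
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing
    # The fallback goes in before the per-IP rules so it exists even if the
    # IP list below contains a typo.
    if [ -n "$fallback_ssh_port" ]; then
        ufw_cmd limit "$fallback_ssh_port/tcp"
    fi
    for ip in $admin_ips; do
        for port in $admin_ports; do
            ufw_cmd allow from "$ip" to any port "$port" proto tcp
        done
    done
}

# Sanity check before 'ufw enable': the plan should contain exactly
# (number of IPs) x (number of ports) allow rules.
count_allow_rules() {
    DRY_RUN=1 allowlist_rules "$1" "$2" "$3" | grep -c '^ufw allow '
}
```

Review the plan with `DRY_RUN=1 allowlist_rules "203.0.113.10 198.51.100.7" "22 21 5900" 22`, then run the same call without DRY_RUN and finish with `sudo ufw enable`; ufw persists its rules across reboots, so the concern raised in the comments about a one-session rule does not apply here. The `ufw limit` rule keeps SSH reachable from any address but throttles repeated connection attempts, which is the trade-off answer 2 describes between a hard lockout and leaving one door open.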