Introduction — Why firewall configuration matters
A strong dedicated server firewall configuration is the foundation of a secure server. Proper server hardening and firewall configuration helps prevent unauthorized access, reduce attack surface, and protect sensitive data. This guide covers practical steps to how to secure a dedicated server with reliable, maintainable firewall rules.
Choose the right firewall tool
Popular choices:
- ufw — user-friendly on Ubuntu
- firewalld — dynamic zones for CentOS/Red Hat
- nftables / iptables — low-level powerful control
- Cloud-provider/network firewall — for perimeter-level rules
Pick the tool matching your OS and team expertise. You can combine host firewall rules with a network or cloud firewall for layered defense.
Core principles & best firewall settings for server security
- Default deny inbound, allow necessary outbound — close everything by default and open only required ports.
- Least privilege — allow only the minimum set of services and IPs.
- Logging and monitoring — enable logs and send them to a central location.
- Rate limiting and connection throttling — prevent brute-force and DoS-style bursts.
- Regular review — periodically review rules and blocklists.
Step-by-step firewall setup for dedicated server (Ubuntu + ufw example)
1. Harden SSH access
Move SSH off the default port or restrict which IPs can access port 22. Use SSH keys and disable password authentication.
# Example: basic SSH hardening
# Edit /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
# Optionally change the port:
Port 2222
2. Configure ufw with safe defaults
# Install and enable ufw (Ubuntu)
sudo apt update
sudo apt install -y ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow essential services
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
sudo ufw allow 2222/tcp # SSH on custom port (if changed)
sudo ufw allow from 203.0.113.0/24 to any port 22 proto tcp # example management subnet
# Enable logging and enable ufw
sudo ufw logging on
sudo ufw enable
3. Add rate-limits and anti-brute rules
UFW supports basic rate limiting:
sudo ufw limit ssh/tcp
For more advanced detection use fail2ban to block repeated SSH failures.
4. Protect the server at the network perimeter
Configure any cloud or hardware firewall to mirror host rules. Block unused ports in your hosting control panel (e.g., block RDP on Linux servers).
Advanced measures — server hardening and firewall configuration
- Application-level protections: Use a WAF (Web Application Firewall) in front of web apps.
- Process isolation: Run services inside containers and apply network policies.
- SELinux / AppArmor: Use mandatory access control for additional isolation.
- Regular patching & vulnerability scans: Integrate vulnerability scanning into your maintenance schedule.
- Zero trust access: Consider VPNs or bastion hosts for administrative access.
Quick reference: sample nftables (modern replacement for iptables)
# Minimal nftables example (requires nftables installed)
table inet filter {
chain input {
type filter hook input priority 0;
policy drop;
ct state established,related accept
iif "lo" accept
tcp dport { 80, 443 } accept
tcp dport 2222 accept # ssh on custom port
icmp type echo-request accept
counter log prefix "nftables_drop: " drop
}
}
Monitoring, logging & incident response
Forward firewall logs to syslog/ELK and create alerts for suspicious patterns. Use intrusion detection systems (IDS) like OWASP guidelines and run periodic audits. Keep an incident response playbook and include steps to isolate and recover compromised servers.
Helpful links & resources
- OWASP — Web application security guidance
- NIST — Security best practices and frameworks
- Fail2Ban — block repeated failed attempts
- BeStarHost security services and managed firewall: BeStarHost Security