Implementing UFW for Web Server Protection
UFW provides an excellent starting point for web server firewall configuration. Install and configure UFW with web server-specific rules:
# Install UFW (Ubuntu/Debian)
sudo apt update
sudo apt install ufw
# Set default policies
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw default deny routed
# Allow SSH (restrict source IPs for better security)
sudo ufw allow from 203.0.113.0/24 to any port 22 proto tcp comment "SSH from office"
# Allow HTTP and HTTPS
sudo ufw allow 80/tcp comment "HTTP"
sudo ufw allow 443/tcp comment "HTTPS"
# Enable UFW
sudo ufw enable
# Check status
sudo ufw status verbose
Implement rate limiting to slow down brute-force and scanning abuse. Note that a UFW limit rule blocks a source address that opens 6 or more new connections within 30 seconds, which can also catch legitimate users who share one NAT address, so test it against real traffic before relying on it:
# Rate limit HTTP/HTTPS connections (UFW updates the earlier allow rules for these ports in place)
sudo ufw limit 80/tcp comment "Rate limit HTTP"
sudo ufw limit 443/tcp comment "Rate limit HTTPS"
# More specific rate limiting bound to one interface (replace eth0 with your public interface)
sudo ufw insert 1 limit in on eth0 from any to any port 80 proto tcp comment "HTTP rate limit"
sudo ufw insert 2 limit in on eth0 from any to any port 443 proto tcp comment "HTTPS rate limit"
# No rule is needed for established connections: UFW's default chains in
# /etc/ufw/before.rules already accept RELATED,ESTABLISHED traffic
Create application profiles for better management:
# Create Apache profile (tee runs under sudo; with "sudo cat > file" the redirect
# would be opened by the unprivileged shell and fail with permission denied)
sudo tee /etc/ufw/applications.d/apache-secure > /dev/null << 'EOF'
[Apache Secure]
title=Apache Web Server (HTTPS)
description=Apache web server with SSL/TLS support
ports=443/tcp
[Apache Full Secure]
title=Apache Web Server (HTTP,HTTPS)
description=Apache web server with HTTP redirect to HTTPS
ports=80,443/tcp
EOF
# Create Nginx profile (same tee pattern as above)
sudo tee /etc/ufw/applications.d/nginx-secure > /dev/null << 'EOF'
[Nginx Secure]
title=Nginx Web Server (HTTPS)
description=Nginx web server with SSL/TLS support
ports=443/tcp
[Nginx Full Secure]
title=Nginx Web Server (HTTP,HTTPS)
description=Nginx web server with HTTP redirect to HTTPS
ports=80,443/tcp
EOF
# Use application profiles (UFW reads /etc/ufw/applications.d on every run, so no reload is needed)
sudo ufw allow 'Apache Full Secure'
# or
sudo ufw allow 'Nginx Full Secure'