WordOps Firewall config

ufw.sh

#!/usr/bin/env bash

# get current ssh port
CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')

# define firewall rules
ufw logging low
ufw default allow outgoing
ufw default deny incoming

# default ssh port
ufw limit 22

# custom ssh port
if [ "$CURRENT_SSH_PORT" != "22" ];then
    ufw limit "$CURRENT_SSH_PORT"
fi

# dns
ufw allow 53

# nginx
ufw allow http
ufw allow https

# ntp
ufw allow 123

# wordops backend
ufw allow 22222

Hello @nsgoyat,
no, you shouldn't allow ports like PHP-FPM, Redis or MySQL.

1. The line ufw default allow outgoing mean we allow outgoing traffic on all ports
2. The line ufw default deny incoming mean we deny incoming traffic on all ports
3. Then we open only the incoming ports we need, that mean SSH, DNS, HTTP/HTTPS, NTP, WordOps Backend.

But the firewall rules do not apply for the loopback interface (127.0.0.1). So it's not required and not recommended to open ports for service like MySQL. You are lucky because all those services are binded to 127.0.0.1, so that mean they do not listen on the network interface. Otherwise it could be a huge security breach because anybody would be able to bruteforce MySQL or to access data stored in Redis.

Other informations : I do not open port for Netdata because it's more secure to access it from WordOps dashboard, rather than giving access to metrics to everybody. Rsync isn't required because it work fine with SSH protocol.

Thanks a ton for the great insights master. Will make the required changes right now.

Should I keep the following ones too or aren't they required:

sudo ufw allow 21 comment 'FTP'
sudo ufw allow 25 comment 'Mail'

If you only have WordOps installed on your server, the port 25 isn't required, and for the FTP, WordOps already handle this configuration during proftpd installation.