UFW + fail2ban

Exercises

1. 1. Switch on default-deny

   Concept: default policy. The default policy defines what happens to traffic with no matching rule. The safe choice: deny everything incoming, allow outgoing. Outgoing must stay allowed, otherwise the server can no longer do DNS lookups or updates.

   Set the default policy:

   sudo ufw default deny incoming
   sudo ufw default allow outgoing

   Check: sudo ufw status verbose shows deny (incoming) and allow (outgoing).

2. 2. Allow SSH port 22

   Concept: opening a port. Before you arm the firewall, you must explicitly allow SSH (port 22) — otherwise the firewall cuts your own connection in the next step.

   Allow TCP port 22:

   sudo ufw allow 22/tcp

   ⚠️ If you skip this and enable the firewall anyway, you lock yourself out for the rest of the session on a real server. On the lab VM the validator has its own access — you do not.

   Check: sudo ufw status lists a rule for 22/tcp.

3. 3. Enable UFW

   Concept: arming the firewall. Only with ufw enable do the default policy and rules actually become active — before that they are merely prepared.

   Enable the firewall:

   sudo ufw --force enable

   --force skips the interactive prompt (needed in the lab). Verify beforehand with sudo ufw status that port 22 is allowed.

   Check: sudo ufw status reports Status: active.

4. 4. Start fail2ban service

   Concept: a service. fail2ban runs as a background service. A service must be started (running now) and enabled (starts automatically at boot). enable --now does both in one step.

   Start and enable fail2ban:

   sudo systemctl enable --now fail2ban

   Check: systemctl is-active fail2ban reports active.

5. 5. Enable sshd jail

   Concept: a jail. A jail tells fail2ban which log file to watch and when to ban. The [sshd] jail observes SSH logins: too many failed attempts from one IP → that IP is temporarily banned.

   Create /etc/fail2ban/jail.local (sudo nano /etc/fail2ban/jail.local) with:

   [sshd]
   enabled = true

   Then reload fail2ban:

   sudo systemctl reload fail2ban

   ⚠️ Do not change the whitelist in /etc/fail2ban/jail.d/00-validator-whitelist.conf — otherwise you lock out the platform validator.

   Check: sudo fail2ban-client status sshd works (the jail is active).

6. 6. Run brute-force test

   Concept: verify, don't trust. "Looks done but isn't" is the worst trap in IT security. Instead of just looking at the config, you test live that fail2ban really bans.

   Run the built-in, purely defensive brute-force simulator (it only attacks localhost — no real target), then check the jail status:

   sudo /usr/local/bin/lab-bruteforce-simulator
   sudo fail2ban-client status sshd

   In the output Total banned must be at least 1 — fail2ban has banned the simulated attacker.

   Check: fail2ban-client status sshd shows at least one banned IP (Total banned: 1 or more).