1. SSH Service Security Settings
By default, the SSH service allows the root user to log in. Because an attacker already knows that user name, and a guessed or leaked root password would give administrative access to the server, we will disable password-based root login.
SSH service configuration file changes
Modify the configuration file to change the SSH service settings, which is located in "/etc/ssh/sshd_config".
This time, we will proceed by changing the default SSH port from 22 to 2244.
# vi /etc/ssh/sshd_config
Line 14: Uncomment the line and change the SSH port to 2244.
Port 2244
Line 16: Uncomment the line.
ListenAddress 0.0.0.0
Line 33: Uncomment the line (disables password authentication for root).
PermitRootLogin prohibit-password
Restart SSH service
# systemctl restart sshd
2. Firewall Settings
Debian commonly uses the "ufw" (Uncomplicated Firewall) tool to configure firewalls, so we will configure the firewall with ufw.
ufw is not installed by the Debian installer, so the ufw package must be installed before it can be configured. The following procedure sets up a minimal set of filter rules after installation.
Filter rules to be set in ufw
• All incoming packets to the server are denied
• All packets sent from the server to the outside are allowed
• The first port to allow is the SSH port
2.1 Installing the ufw package
① Install
# apt install -y ufw
② Check the status of ufw
# systemctl status ufw
○ ufw.service - Uncomplicated firewall
Loaded: loaded (/lib/systemd/system/ufw.service; enabled; preset: enabled)
Active: inactive (dead)
Docs: man:ufw(8)
The line "Active: inactive (dead)" confirms that the ufw service is not running.
③ Enable ufw
# systemctl enable ufw
Synchronizing state of ufw.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable ufw
# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
④ Start ufw
# systemctl start ufw
# systemctl status ufw
● ufw.service - Uncomplicated firewall
Loaded: loaded (/lib/systemd/system/ufw.service; enabled; preset: enabled)
Active: active (exited) since Wed 2026-05-27 12:43:03 JST; 6s ago
Docs: man:ufw(8)
Process: 1551 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=0/SUCCESS)
Main PID: 1551 (code=exited, status=0/SUCCESS)
CPU: 5ms
May 27 12:43:03 Lepard systemd[1]: Starting ufw.service - Uncomplicated firewall...
May 27 12:43:03 Lepard ufw-init[1555]: Firewall already started, use 'force-reload'
May 27 12:43:03 Lepard systemd[1]: Finished ufw.service - Uncomplicated firewall.
The status "active (exited)" shows that ufw is running.
2.2 Basic firewall rule configuration
When ufw is enabled, its default firewall rules are applied. If you enable it as is, you may lose the connection to the server, so set up some basic rules before enabling ufw.
2.2.1 Default rule for incoming packets
First, set the default rule for incoming packets. The general rule is to deny all incoming packets except for specific, explicitly allowed communications. Execute "ufw default deny incoming" to deny all incoming packets by default.
# ufw default deny incoming
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
2.2.2 Default rule for outgoing packets
The general rule is to allow all outgoing packets. Execute "ufw default allow outgoing" to allow outgoing packets by default.
# ufw default allow outgoing
Default outgoing policy changed to 'allow'
(be sure to update your rules accordingly)
2.3 SSH Port Permissions
Before enabling ufw, allow SSH connections first; otherwise you may no longer be able to connect to the server over SSH. The default SSH port is 22. Allow it with the following command:
# ufw allow ssh
Rule added
Rule added (v6)
# ufw reload
Firewall reloaded
If you changed the SSH port (for example, to 2244 as in section 1):
# ufw allow 2244/tcp
Rule added
Rule added (v6)
# ufw reload
Firewall reloaded
2.4 Confirmation of ufw settings
After enabling ufw, check the rules that are set in the firewall.
# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
2244/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
2244/tcp (v6)              ALLOW IN    Anywhere (v6)
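The most common mistake in this procedure is enabling or reloading ufw before the SSH port from section 1 has an ALLOW IN rule, which cuts off the administrator's own session. The following pre-flight check is an added example, not part of the original guide or of ufw: it reads an sshd_config and the saved text of "ufw status verbose" and reports any sshd port that has no ALLOW IN rule. The sample files it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added pre-flight check (not part of the original guide): before "ufw enable"
# or "ufw reload", confirm that every port sshd listens on has an ALLOW IN rule,
# so the firewall change cannot cut off the administrator's own SSH session.
# Inputs are files: an sshd_config and the text of "ufw status verbose".

# Print every "Port" directive from an sshd_config (sshd listens on all of them);
# fall back to 22 when none is set. Commented-out "#Port 22" lines are ignored.
ssh_ports_from_config() {
    awk 'tolower($1) == "port" { print $2; n++ } END { if (!n) print 22 }' "$1"
}

# Return 0 if the saved "ufw status" text has an IPv4 ALLOW IN rule for TCP port $1.
# Matches both "2244/tcp ALLOW IN ..." and a bare "2244 ALLOW IN ..." rule line.
ufw_allows_port() {
    grep -Eq "^$1(/tcp)?[[:space:]]+ALLOW IN" "$2"
}

# Print a verdict per SSH port; return 1 if any port would be blocked.
check_ssh_not_locked_out() {
    rc=0
    for port in $(ssh_ports_from_config "$1"); do
        if ufw_allows_port "$port" "$2"; then
            echo "OK: sshd port $port has an ALLOW IN rule"
        else
            echo "WARNING: sshd port $port has no ALLOW IN rule; ufw would block SSH"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample inputs (hypothetical files, not taken from a real server).
WORKDIR=$(mktemp -d)
SAMPLE_CFG="$WORKDIR/sshd_config"
printf '%s\n' '#Port 22' 'Port 2244' 'ListenAddress 0.0.0.0' \
    'PermitRootLogin prohibit-password' > "$SAMPLE_CFG"
SAMPLE_STATUS_LOCKOUT="$WORKDIR/status_lockout.txt"   # only port 22 allowed
printf '%s\n' 'Status: active' 'To                         Action      From' \
    '22/tcp                     ALLOW IN    Anywhere' > "$SAMPLE_STATUS_LOCKOUT"
SAMPLE_STATUS_OK="$WORKDIR/status_ok.txt"             # port 2244 allowed as well
printf '%s\n' 'Status: active' 'To                         Action      From' \
    '22/tcp                     ALLOW IN    Anywhere' \
    '2244/tcp                   ALLOW IN    Anywhere' > "$SAMPLE_STATUS_OK"

check_ssh_not_locked_out "$SAMPLE_CFG" "$SAMPLE_STATUS_LOCKOUT" || true  # prints WARNING
check_ssh_not_locked_out "$SAMPLE_CFG" "$SAMPLE_STATUS_OK"               # prints OK
```

On a real server, run it as "check_ssh_not_locked_out /etc/ssh/sshd_config <(ufw status verbose)" in bash, or save the status output to a file first for plain sh.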
2.5 Permission for web services and other services
A rule can be written with a port number or with a service name.
The service names that ufw accepts, together with their port numbers, are listed in the following file.
# vi /etc/services
For example, to allow http and https for a web server:
# ufw allow http
Rule added
Rule added (v6)
# ufw allow https
Rule added
Rule added (v6)
# ufw reload
2.6 Disabling IPv6 in ufw
# vi /etc/default/ufw
Line 7: Change the value
IPV6=yes → IPV6=no
After all changes are made, restart the firewall.
# systemctl restart ufw
