
Lesson 5: Firewall, SSH & Remote Access

Lock down your server without locking yourself out

Step 1: Understand the Attack Surface
What is exposed to the internet?

What is an attack surface?

Every open port, every running service, and every exposed login is a potential entry point for attackers. When you forwarded ports 80 and 443 on your router, you exposed the web server to the internet; if the router also forwards port 22, SSH is exposed too. The goal is to minimize what is reachable while keeping what you need functional.

Common threats to home servers

  • Brute force SSH attacks — Automated bots try thousands of username/password combinations
  • Port scanning — Attackers probe every port to find running services
  • Outdated software — Unpatched Apache or OpenSSL has known vulnerabilities
  • Weak passwords — Dictionary attacks succeed against common passwords
Step 2: Configure UFW Properly
Deny by default, allow only what you need

UFW philosophy

Uncomplicated Firewall (UFW) follows a simple rule: deny everything, then explicitly allow only the traffic you need. This is the foundation of secure networking. Every rule you add is a deliberate hole in the wall.

Set the default policy

sudo ufw default deny incoming
sudo ufw default allow outgoing

Allow only necessary ports

sudo ufw allow ssh
sudo ufw allow 'Apache Full'
  • ssh opens port 22 — needed for remote management
  • 'Apache Full' opens ports 80 and 443 — needed for web traffic
  • Everything else is silently dropped

Enable and verify

sudo ufw enable
sudo ufw status verbose

⚠️ Locked yourself out?

If you are SSH'd in and UFW blocks port 22, your current connection usually stays alive. But new connections fail. If you get locked out, you must physically access the server and run sudo ufw disable from the local console.

Step 3: Harden SSH
Key-based authentication and configuration

Why password login is dangerous

Passwords can be guessed, brute-forced, or leaked. SSH keys use public-key cryptography: a private key stays on your computer, and a public key sits on the server. The server encrypts a challenge with the public key; only your private key can decrypt it. No password ever travels over the wire.

Generate an SSH key on your Mac

ssh-keygen -t ed25519 -C "your_email@example.com"
  • Press Enter to accept the default save location
  • Enter a passphrase (optional but recommended)
  • This creates ~/.ssh/id_ed25519 (private) and ~/.ssh/id_ed25519.pub (public)

Copy the public key to your server

ssh-copy-id tiahchia@192.168.88.8
  • This appends your public key to ~/.ssh/authorized_keys on the server
  • After this, you can log in without typing your password

Disable password authentication

sudo nano /etc/ssh/sshd_config

Find and change these lines:

PasswordAuthentication no
PermitRootLogin no
MaxAuthTries 3

Restart SSH

sudo systemctl restart ssh

⚠️ Critical warning

Before disabling password authentication, verify your key login works in a separate terminal window. If you lock yourself out, you need physical access to the server to fix it.
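
The "find and change these lines" step matters because sshd uses the first value it reads for each keyword, so a line appended below an existing one has no effect. The script below is an added example, not part of the original lesson; its function names and sample files are constructed for illustration. It checks a config file for the lesson's three settings and shows that failure mode.

```shell
#!/bin/sh
# Added example (not from the lesson): audit an sshd_config-style file against
# the three values the lesson sets. Function names are hypothetical.

# Print the first global value of keyword $2 (lowercase) found in file $1.
# sshd keeps the first value it obtains for a keyword, so a duplicate line
# added further down does not override an earlier one.
first_value() {
    awk -v want="$2" '
        /^[ \t]*#/ || NF == 0  { next }           # comments and blank lines
        tolower($1) == "match" { exit }           # Match blocks are conditional
        tolower($1) == want    { print $2; exit } # keywords: case-insensitive
    ' "$1"
}

# Print PASS/FAIL per setting; return 0 only if all three match the lesson.
check_sshd_config() {
    rc=0
    for pair in passwordauthentication=no permitrootlogin=no maxauthtries=3; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(first_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "PASS $key $got"
        else
            echo "FAIL $key ${got:-unset} (lesson sets $want)"; rc=1
        fi
    done
    return $rc
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
# Constructed sample: "no" appended below an existing "yes" has no effect.
cat > "$tmp/appended" <<'EOF'
PasswordAuthentication yes
PermitRootLogin no
MaxAuthTries 3
PasswordAuthentication no
EOF
# Constructed sample: the existing lines were edited in place.
cat > "$tmp/edited" <<'EOF'
passwordauthentication no
PermitRootLogin no
MaxAuthTries 3
EOF
check_sshd_config "$tmp/appended" || echo "=> password login is still enabled"
check_sshd_config "$tmp/edited" && echo "=> matches the lesson's settings"
```

This reads only the one file it is given and does not follow Include directives; on the server itself, sudo sshd -T prints the effective configuration.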

Step 4: Automate Security Updates
Keep your system patched without manual work

Why unattended updates matter

Security patches are released constantly. If you forget to update, your server becomes vulnerable to known exploits. unattended-upgrades installs security patches automatically in the background, so they are applied even when you forget to run apt upgrade.

Install and configure

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades
  • Select Yes when it asks if you want automatic updates
  • This enables the default security-only update policy

Verify it is working

sudo unattended-upgrades --dry-run
  • This simulates what would be installed without actually doing it
  • You should see a list of packages that would be updated

Check logs

cat /var/log/unattended-upgrades/unattended-upgrades.log