So you just got a fresh VPS. First thing you do after logging in? Set up a firewall. Seriously. Your server is on the open internet, and bots are already scanning it. I checked the auth logs on a brand new VPS once. Within 20 minutes, there were over 300 failed SSH login attempts from IPs I'd never seen. That's just how the internet works.
UFW (Uncomplicated Firewall) is the easiest way to lock things down on Ubuntu. It's a frontend for iptables that doesn't require you to memorize cryptic syntax. Here's how to get it running properly.
On most Ubuntu VPS images, UFW comes pre-installed but disabled. Check with:
```bash
sudo ufw status
```
If it says "inactive", good. It's there, just not turned on yet. If it's not installed at all:
```bash
sudo apt update && sudo apt install ufw -y
```
Next, allow SSH before you enable anything. This is the one thing you absolutely cannot mess up. If you enable UFW without allowing SSH, you lock yourself out of your own server. I've seen people do this. It's not fun.
```bash
sudo ufw allow 22/tcp
```
If you changed your SSH port to something else (which is actually a decent idea to reduce noise in your logs), use that port instead:
```bash
sudo ufw allow 2222/tcp
```
Only open what you use. Every open port is a potential attack surface. Here are the common ones:
```bash
# Web server
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Minecraft server
sudo ufw allow 25565/tcp
# OpenClaw dashboard
sudo ufw allow 18789/tcp
# MySQL (only if you need remote access, usually you don't)
# sudo ufw allow 3306/tcp
```
Notice I left MySQL commented out. Unless you have a very specific reason to expose your database to the internet, don't. Applications on the same server connect through localhost anyway.
Once your rules are set:
```bash
sudo ufw enable
```
It'll warn you that existing SSH connections might be disrupted. If you allowed SSH in the step above, you're fine. Type y and hit enter.
```bash
sudo ufw status verbose
```
You should see something like this:
```
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
```
The key line is Default: deny (incoming). That means everything is blocked unless you explicitly allowed it. Exactly what you want.
UFW survives reboots. Once enabled, it stays enabled. Your rules persist. You don't need to re-run anything after a server restart.
Rate limiting SSH is worth it. Instead of just allowing SSH, you can rate-limit it:
```bash
sudo ufw delete allow 22/tcp
sudo ufw limit 22/tcp
```
This blocks an IP after 6 connection attempts within 30 seconds. It won't stop a determined attacker, but it kills 99% of the brute-force noise.
Need to remove a rule? Easy:
```bash
sudo ufw delete allow 80/tcp
```
Or list rules by number and delete by number:
```bash
sudo ufw status numbered
sudo ufw delete 3
```
Five minutes, and your VPS is significantly more secure than the default. UFW isn't the only security measure you should take. You should also disable root password login, use SSH keys, and keep your packages updated. But UFW is the single most impactful first step.
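The whole sequence above, with the lockout safeguard baked in, as an added example script (not from the original post): it reads the SSH port from an sshd_config file so the rule matches what sshd actually listens on, refuses to produce a plan on a bad port, and prints the commands in the safe order (SSH limited before enable) instead of running them. The sample sshd_config is constructed inline; `ufw --force enable` is assumed only to skip the interactive prompt.

```shell
#!/bin/sh
# Added example: builds the UFW command sequence in the order the guide
# prescribes (SSH rule before enable). Nothing here runs ufw; review the
# printed plan, then pipe it to sudo sh if it looks right.

# Print the port sshd listens on from an sshd_config file (22 if there is
# no active "Port" directive). Commented "#Port" lines are ignored.
ssh_port_from_config() {
    awk 'tolower($1)=="port" {p=$2} END {print (p=="" ? 22 : p)}' "$1"
}

# True if $1 is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ufw_plan SSH_PORT [SERVICE_PORT ...]
# Emits one command per line: defaults, rate-limited SSH first, then each
# service port, then enable. Returns non-zero on any bad port so a typo
# cannot produce a plan that locks you out.
ufw_plan() {
    ssh="$1"; shift
    valid_port "$ssh" || { echo "bad SSH port: $ssh" >&2; return 1; }
    for p in "$@"; do
        valid_port "$p" || { echo "bad service port: $p" >&2; return 1; }
    done
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw limit ${ssh}/tcp"     # 6 attempts / 30 s per IP, as in the guide
    for p in "$@"; do
        echo "ufw allow ${p}/tcp"
    done
    echo "ufw --force enable"       # --force skips the y/n prompt
}

# Demo on a constructed sshd_config (not a file from any real server).
cfg=$(mktemp)
printf '# constructed sample\nPort 2222\nPermitRootLogin no\n' > "$cfg"
ufw_plan "$(ssh_port_from_config "$cfg")" 80 443
rm -f "$cfg"
```

Swap `ufw_plan ... | sudo sh` in only after you have read the plan and confirmed the SSH line shows the port you are connected on.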
If you're setting up a VPS for the first time, Dedimax offers plans starting at 9.99€/month with DDoS protection included. The firewall handles application-level filtering, the DDoS protection handles the volumetric stuff. Together, they cover your bases.