UFW Baseline for an Anubiz VPS
UFW is the friendly wrapper around the kernel firewall and the right choice if you do not want to learn nftables syntax for a single VPS. Done right it gives you a deny-by-default posture, SSH rate limiting and per-app profiles in under a minute. This guide is for an Anubiz Romania or Finland VPS with the stock Ubuntu 24.04 cloud image, and shows the gotchas (UFW does not enable IPv6 by default on some images, the cloud image SSH default conflicts with too-aggressive allowlists).
Need this done for your project?
We implement, you ship. Async, documented, done in days.
Step 1: Confirm UFW Is Installed
The cloud image has UFW installed but disabled. ufw status shows inactive. Enable IPv6: edit /etc/default/ufw set IPV6=yes. Default policy: ufw default deny incoming, ufw default allow outgoing.
Step 2: SSH First Or Lock Yourself Out
Always allow SSH before enabling: ufw limit OpenSSH (the limit verb adds rate limiting). If you renumbered SSH to a non-22 port, use the explicit form ufw limit 2222/tcp. Then ufw enable.
Step 3: App Profiles
Many packages install UFW profiles. ufw app list. Add nginx as ufw allow 'Nginx Full'. Avoid allow 80,443 hardcoded - the app profile survives port changes.
Step 4: Source-Restricted Rules
For admin endpoints (Grafana, phpMyAdmin) restrict by source: ufw allow from 198.51.100.7 to any port 3000 proto tcp. UFW handles IPv6 source restriction the same syntax.
Step 5: Logging
ufw logging medium writes blocked attempts to /var/log/ufw.log. Useful for spotting probes. Pipe to a log aggregator if you have one.
Related Services
Why Anubiz Host
Ready to get started?
Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.