Security
How to Secure Your VPS with the UFW Firewall
UFW (Uncomplicated Firewall) is a friendly front end to the Linux netfilter firewall. This guide sets a default-deny policy and, critically, allows SSH BEFORE enabling the firewall so you do not lock yourself out. It also rate-limits SSH to slow down brute-force attempts.
Install UFW
UFW comes preinstalled on Ubuntu, but run the install anyway to be sure it is present.
sudo apt update
sudo apt install -y ufw
Set Default Policies
Deny all incoming traffic by default and allow outgoing. From here you explicitly open only the ports you need.
sudo ufw default deny incoming # block everything inbound unless explicitly allowed
sudo ufw default allow outgoing # let the server reach out for updates, etc.
Allow SSH BEFORE Enabling (Critical)
If you enable the firewall without allowing SSH first, your current connection drops and you are locked out. Allow OpenSSH now. If your SSH runs on a custom port, allow that port number instead, since the OpenSSH application profile only covers port 22.
sudo ufw allow OpenSSH # opens port 22; use 'sudo ufw allow 2222/tcp' for a custom SSH port
Rate-Limit SSH
Replace the plain allow with a rate-limited rule. UFW will block an IP that makes 6 or more connections within 30 seconds, blunting brute-force attacks.
sudo ufw limit OpenSSH # rate-limit instead of plain allow to throttle repeated login attempts
Allow Any Other Services You Run
Open web ports only if you actually host a website. Skip this for a database-only or app-only box.
sudo ufw allow 80/tcp # HTTP (only if you serve web traffic)
sudo ufw allow 443/tcp # HTTPS (only if you serve web traffic)
Enable UFW and Verify
Now that SSH is allowed and rate-limited, enable the firewall and review the active ruleset.
sudo ufw enable # confirm the prompt; your SSH session stays up because OpenSSH is allowed
sudo ufw status verbose # confirm default deny incoming and your LIMIT/ALLOW rules
sudo ufw status numbered # numbered list, handy for deleting a rule later
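The whole procedure above, collapsed into one script as an added example (not part of the original guide): it builds the rule list from an assumed SSH_PORT and SERVE_WEB setting, uses the rate-limited rule directly instead of allow-then-limit, and refuses to run "ufw enable" unless an SSH rule comes first, which is the lock-out mistake the guide warns about. It only prints the commands unless APPLY=1 is set.

```shell
# Added example, not from the original guide. SSH_PORT and SERVE_WEB are
# assumed environment variables of this script, not UFW settings. Without
# APPLY=1 the script only prints what it would run.

# Print the ufw commands for the given SSH port and web flag, one per line.
# "limit" is used directly; UFW replaces an earlier plain "allow" with it anyway.
build_ufw_rules() {
    ssh_port="$1"; serve_web="$2"
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    # The OpenSSH app profile covers port 22 only; a custom port needs an
    # explicit port/protocol rule.
    if [ "$ssh_port" = "22" ]; then
        echo "ufw limit OpenSSH"
    else
        echo "ufw limit ${ssh_port}/tcp"
    fi
    if [ "$serve_web" = "yes" ]; then
        echo "ufw allow 80/tcp"
        echo "ufw allow 443/tcp"
    fi
    echo "ufw --force enable"   # --force skips the interactive confirmation
}

# Lock-out guard: succeed (exit 0) only if an allow/limit rule for the SSH
# port appears BEFORE the enable line in the rule list.
ssh_rule_precedes_enable() {
    rules="$1"; ssh_port="$2"
    if [ "$ssh_port" = "22" ]; then
        pat='^ufw (allow|limit) (OpenSSH|22/tcp)$'
    else
        pat="^ufw (allow|limit) ${ssh_port}/tcp$"
    fi
    printf '%s\n' "$rules" | sed '/enable/,$d' | grep -Eq "$pat"
}

# Apply (or dry-run) the rule list; abort before touching ufw if the guard fails.
apply_ufw_rules() {
    rules="$1"; ssh_port="$2"
    if ! ssh_rule_precedes_enable "$rules" "$ssh_port"; then
        echo "refusing to enable: no SSH rule before 'ufw enable'" >&2
        return 1
    fi
    printf '%s\n' "$rules" | while IFS= read -r cmd; do
        # $cmd is deliberately unquoted so it splits into command and arguments.
        if [ "${APPLY:-0}" = "1" ]; then sudo $cmd; else echo "DRY RUN: sudo $cmd"; fi
    done
}

apply_ufw_rules "$(build_ufw_rules "${SSH_PORT:-22}" "${SERVE_WEB:-no}")" "${SSH_PORT:-22}"
```

Run it once as a dry run, check the printed order, then rerun with APPLY=1 from the same SSH session.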
Your VPS now denies all inbound traffic except the services you explicitly opened, with SSH rate-limited against brute-force attacks. Always add an allow rule for a new service BEFORE the clients that need it try to connect, and double-check sudo ufw status verbose after any change.