Configuring the firewall on your VPS.
What ports to open, how to do it with ufw / firewalld, and how to undo it from the console if you lock yourself out.
Every internet-facing VPS needs a firewall. Default deny everything, allow only what you need.
Default state
When we provision a VPS, we enable the OS firewall (ufw on Ubuntu/Debian, firewalld on RHEL/Alma/Rocky) with these rules:
- 22 (SSH) — open
- 80 (HTTP) — open
- 443 (HTTPS) — open
- All other inbound — denied
That's enough to host websites and SSH in. If you need other services, open their ports explicitly.
Ubuntu/Debian (ufw)
Check status:
```sh
sudo ufw status verbose
```
Open a port:
```sh
sudo ufw allow 8080/tcp comment "App on 8080"
```
Allow only from a specific IP:
```sh
sudo ufw allow from 1.2.3.4 to any port 5432 comment "Postgres from office"
```
Remove a rule:
```sh
sudo ufw status numbered
sudo ufw delete 4   # delete rule #4
```
Reset everything:
```sh
sudo ufw reset
```
RHEL / AlmaLinux / Rocky (firewalld)
Check status:
```sh
sudo firewall-cmd --list-all
```
Open a port:
```sh
sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --reload
```
Open a service (firewalld knows common ports by name):
```sh
sudo firewall-cmd --permanent --add-service=postgresql
sudo firewall-cmd --reload
```
Remove:
```sh
sudo firewall-cmd --permanent --remove-port=8080/tcp
sudo firewall-cmd --reload
```
Common ports to open
| Port | Service |
|---|---|
| 21 | FTP (don't — use SFTP on 22) |
| 22 | SSH |
| 25 | SMTP server (incoming mail) |
| 53 | DNS (only if running your own DNS server) |
| 80 | HTTP |
| 110 | POP3 (legacy, prefer 995 over SSL) |
| 143 | IMAP (legacy, prefer 993 over SSL) |
| 443 | HTTPS |
| 465 | SMTP over SSL (sending mail) |
| 587 | SMTP submission (sending mail) |
| 993 | IMAP over SSL |
| 995 | POP3 over SSL |
| 3306 | MySQL — only open if remote DB access needed |
| 5432 | PostgreSQL — same |
| 6379 | Redis — almost never open to public |
| 8080, 8443, 3000 | Common app ports |
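The script below is an added example, not part of this article or the provider's tooling. It applies the default state described above (deny inbound, allow 22/80/443) on whichever of ufw or firewalld is installed, and additionally exposes the MySQL and PostgreSQL ports from the table only to a single admin address instead of the whole internet. `ADMIN_IP` is a placeholder from the documentation address range, and `DRY_RUN=1` (the default) prints the commands instead of running them, so you can review the plan before applying it with `DRY_RUN=0`.

```sh
#!/bin/sh
# Added example, not from the original article: apply the baseline firewall
# (deny inbound, allow 22/80/443) on ufw or firewalld, and expose the database
# ports only to one admin address. DRY_RUN=1 (default) prints instead of applying.
# ADMIN_IP is a placeholder from the TEST-NET-3 documentation range.

DRY_RUN="${DRY_RUN:-1}"
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"

# Run a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Prints "ufw", "firewalld" or "none" depending on what is installed.
detect_backend() {
    if command -v ufw >/dev/null 2>&1; then
        echo ufw
    elif command -v firewall-cmd >/dev/null 2>&1; then
        echo firewalld
    else
        echo none
    fi
}

baseline_ufw() {
    run ufw default deny incoming
    run ufw default allow outgoing
    # SSH first, so the rule exists before the firewall is ever enabled.
    run ufw allow 22/tcp comment SSH
    run ufw allow 80/tcp comment HTTP
    run ufw allow 443/tcp comment HTTPS
    # Database ports only from the admin address; never a bare "allow 3306".
    run ufw allow from "$ADMIN_IP" to any port 3306 proto tcp comment "MySQL from admin IP"
    run ufw allow from "$ADMIN_IP" to any port 5432 proto tcp comment "Postgres from admin IP"
    # --force skips the interactive prompt; the SSH rule above keeps the session alive.
    run ufw --force enable
}

baseline_firewalld() {
    # The default public zone already rejects unmatched inbound traffic.
    run firewall-cmd --permanent --add-service=ssh
    run firewall-cmd --permanent --add-service=http
    run firewall-cmd --permanent --add-service=https
    # Rich rules: database ports accepted only from the admin address.
    for port in 3306 5432; do
        run firewall-cmd --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"$ADMIN_IP\" port port=\"$port\" protocol=\"tcp\" accept"
    done
    run firewall-cmd --reload
}

apply_baseline() {
    case "$(detect_backend)" in
        ufw)       baseline_ufw ;;
        firewalld) baseline_firewalld ;;
        *)         echo "neither ufw nor firewall-cmd found" >&2; return 1 ;;
    esac
}

# Stand-alone use: `sh fw-baseline.sh` prints the plan, `DRY_RUN=0 sh fw-baseline.sh` applies it.
apply_baseline || echo "nothing applied" >&2
```

Review the dry-run output first; the only line that changes live traffic on ufw is the final `ufw --force enable`, and on firewalld the `--reload`, which is why the SSH rule is added before either of them.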
Critical: don't lock yourself out
Before any firewall change, verify SSH (port 22) is in the allow list. If you accidentally cut SSH, your only path back is the VPS web console in our panel.
Test before disconnecting:
```sh
sudo ufw enable
# Don't close your SSH session yet!
# Open another terminal and SSH in fresh.
# If the new connection works → safe to close the original.
# If the new connection fails → use the original session to fix the rules.
```
Recovering from a lockout
If you can't SSH in:
- Panel → VPS → [your VPS] → Console
- Log in via root (cloud-init password emailed at provisioning, or set during VPS creation)
- Disable the firewall: `sudo ufw disable` or `sudo systemctl stop firewalld`
- Re-add the SSH rule, then re-enable the firewall
The web console is independent of network — works even with the network completely broken.
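The check the "Critical" section asks for, as an added example that is not from this article: the functions below read `ufw status` / `ufw show added` or `firewall-cmd --list-all` output and succeed only if the SSH port is in the allow list, and `safe_apply` refuses to enable ufw or reload firewalld otherwise. The SSH port is read from `sshd -T` and falls back to 22; the sample outputs at the bottom are constructed for the self-check. A source-restricted rich rule is deliberately not counted, so the check errs on the side of refusing.

```sh
#!/bin/sh
# Added example, not from the original article: verify the SSH port is allowed
# before enabling ufw or reloading firewalld, so a change cannot cut you off.

# Port sshd actually listens on; falls back to 22 if sshd -T is unavailable.
ssh_port() {
    p=$(sshd -T 2>/dev/null | awk '/^port /{print $2; exit}')
    echo "${p:-22}"
}

# stdin: `ufw status` or `ufw show added` output. Succeeds if port $1 is allowed.
ufw_allows_port() {
    port="$1"
    pat="^${port}(/tcp)?[[:space:]]+ALLOW([[:space:]]|$)|^ufw allow ${port}(/tcp)?([[:space:]]|$)"
    # Port 22 may also appear as the OpenSSH application profile.
    if [ "$port" = 22 ]; then
        pat="$pat|^OpenSSH[[:space:]]+ALLOW|^ufw allow OpenSSH"
    fi
    grep -Eq "$pat"
}

# stdin: `firewall-cmd --list-all` output. Succeeds if port $1/tcp (or, for 22,
# the ssh service) is listed. Source-limited rich rules are not counted.
firewalld_allows_port() {
    port="$1"
    pat="^[[:space:]]*ports:.*[[:space:]]${port}/tcp([[:space:]]|$)"
    if [ "$port" = 22 ]; then
        pat="$pat|^[[:space:]]*services:.*[[:space:]]ssh([[:space:]]|$)"
    fi
    grep -Eq "$pat"
}

# Enable ufw / reload firewalld only when the check passes.
safe_apply() {
    port=$(ssh_port)
    if command -v ufw >/dev/null 2>&1; then
        if ufw show added | ufw_allows_port "$port"; then
            ufw --force enable
        else
            echo "refusing to enable ufw: port $port/tcp is not in the allow list" >&2
            return 1
        fi
    elif command -v firewall-cmd >/dev/null 2>&1; then
        # --reload applies the permanent config, so that is what we inspect.
        if firewall-cmd --permanent --list-all | firewalld_allows_port "$port"; then
            firewall-cmd --reload
        else
            echo "refusing to reload firewalld: neither ssh nor $port/tcp is allowed permanently" >&2
            return 1
        fi
    else
        echo "no supported firewall found" >&2
        return 1
    fi
}

# Constructed sample outputs for the self-check below (not captured from a real host).
UFW_OK='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere'
UFW_BAD='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
22/tcp                     DENY        Anywhere'
FWD_OK='public (active)
  target: default
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp'

printf '%s\n' "$UFW_OK"  | ufw_allows_port 22       && echo "ufw sample 1: ssh allowed, safe to enable"
printf '%s\n' "$UFW_BAD" | ufw_allows_port 22       || echo "ufw sample 2: ssh NOT allowed, do not enable"
printf '%s\n' "$FWD_OK"  | firewalld_allows_port 22 && echo "firewalld sample: ssh allowed, safe to reload"
```

Run `safe_apply` as root in place of a bare `ufw enable` or `firewall-cmd --reload`; it still does not replace the second-terminal test above, which is the only proof that the live rules accept your connection.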
fail2ban — automatic IP banning
For SSH and web servers under attack:
```sh
sudo apt install fail2ban   # Debian/Ubuntu
sudo dnf install fail2ban   # RHEL/Alma
sudo systemctl enable --now fail2ban
```
The default config bans an IP that fails SSH authentication 5 times within 10 minutes for 1 hour. Adjust in /etc/fail2ban/jail.local.
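As an added example that is not from this article, the script below writes a `jail.local` that keeps the defaults stated above (5 failures in 10 minutes, 1 hour ban), enables the sshd jail explicitly, and puts the admin address in `ignoreip` so fail2ban can never ban the host you administer from, which matters for the same lockout reason as the firewall sections. `ADMIN_IP` is a placeholder; `JAIL_FILE` defaults to a temporary path here and should be `/etc/fail2ban/jail.local` on a real server.

```sh
#!/bin/sh
# Added example, not from the original article: render a jail.local with the
# defaults quoted above plus an ignoreip entry for the admin address.
# JAIL_FILE defaults to a temp path; use /etc/fail2ban/jail.local for real.
# ADMIN_IP is a placeholder from the TEST-NET-3 documentation range.

JAIL_FILE="${JAIL_FILE:-${TMPDIR:-/tmp}/jail.local}"
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"

write_jail_local() {
    cat > "$JAIL_FILE" <<EOF
[DEFAULT]
# Addresses that are never banned: loopback plus the admin address.
ignoreip = 127.0.0.1/8 ::1 $ADMIN_IP
# 5 failures within 10 minutes => banned for 1 hour (the defaults stated above).
maxretry = 5
findtime = 10m
bantime  = 1h

[sshd]
enabled = true
EOF
}

# Print the value of key $1 from JAIL_FILE (first match), e.g. `jail_value maxretry`.
jail_value() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$JAIL_FILE" | head -n 1
}

write_jail_local
echo "wrote $JAIL_FILE (maxretry=$(jail_value maxretry), findtime=$(jail_value findtime), bantime=$(jail_value bantime))"
# On a real host, validate the config before restarting the service:
#   fail2ban-client -t && systemctl restart fail2ban
```

After the restart, `fail2ban-client status sshd` shows the currently banned addresses, which is the quickest way to confirm the jail is active without waiting for a real ban.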