Get started

Configuring the firewall on your VPS.

What ports to open, how to do it with ufw / firewalld, and how to undo it from the console if you lock yourself out.

3 MIN READ

Every internet-facing VPS needs a firewall. Default deny everything, allow only what you need.

Default state

When we provision a VPS, we enable the OS firewall (ufw on Ubuntu/Debian, firewalld on RHEL/Alma/Rocky) with these rules:

  • 22 (SSH) — open
  • 80 (HTTP) — open
  • 443 (HTTPS) — open
  • All other inbound — denied

That's enough to host websites and SSH in. If you need other services, open their ports explicitly.

Ubuntu/Debian (ufw)

Check status:

sudo ufw status verbose

Open a port:

sudo ufw allow 8080/tcp comment "App on 8080"

Allow only from a specific IP:

sudo ufw allow from 1.2.3.4 to any port 5432 comment "Postgres from office"

Remove a rule:

sudo ufw status numbered
sudo ufw delete 4   # delete rule #4

Reset everything:

sudo ufw reset

RHEL / AlmaLinux / Rocky (firewalld)

Check status:

sudo firewall-cmd --list-all

Open a port:

sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --reload

Open a service (firewalld knows common ports by name):

sudo firewall-cmd --permanent --add-service=postgresql
sudo firewall-cmd --reload

Remove:

sudo firewall-cmd --permanent --remove-port=8080/tcp
sudo firewall-cmd --reload

Common ports to open

PortService
21FTP (don't — use SFTP on 22)
22SSH
25SMTP server (incoming mail)
53DNS (only if running your own DNS server)
80HTTP
110POP3 (legacy, prefer 995 over SSL)
143IMAP (legacy, prefer 993 over SSL)
443HTTPS
465SMTP over SSL (sending mail)
587SMTP submission (sending mail)
993IMAP over SSL
995POP3 over SSL
3306MySQL — only open if remote DB access needed
5432PostgreSQL — same
6379Redis — almost never open to public
8080, 8443, 3000Common app ports

Critical: don't lock yourself out

Before any firewall change, verify SSH (port 22) is in the allow list. If you accidentally cut SSH, your only path back is the VPS web console in our panel.

Test before disconnecting:

sudo ufw enable
# Don't close your SSH session yet!
# Open another terminal, SSH in fresh.
# If new connection works → safe to close original.
# If new connection fails → use original session to fix.

Recovering from a lockout

If you can't SSH in:

  1. Panel → VPS → [your VPS] → Console
  2. Log in via root (cloud-init password emailed at provisioning, or set during VPS creation)
  3. Disable the firewall: sudo ufw disable or sudo systemctl stop firewalld
  4. Re-add SSH rule, re-enable

The web console is independent of network — works even with the network completely broken.

fail2ban — automatic IP banning

For SSH and web servers under attack:

sudo apt install fail2ban    # Debian/Ubuntu
sudo dnf install fail2ban    # RHEL/Alma
sudo systemctl enable --now fail2ban

Default config bans IPs that fail SSH 5 times in 10 minutes for 1 hour. Adjust in /etc/fail2ban/jail.local.

More in VPS & servers

SSH into your VPS — complete guide

Connect to your Rivervo VPS via SSH from Mac, Windows, or Linux. Key-based auth setup, common commands, troubleshooting.

Choosing an OS for your VPS.

Ubuntu vs Debian vs AlmaLinux vs others — when each one is the right pick for your VPS workload.

Reboot, rebuild, and snapshot — VPS lifecycle operations.

When to reboot, when to rebuild, and how snapshots save you when you break something.

Still stuck?

Chat with a real engineer — median response under 3 minutes, any time of day.

Contact support