Hacker News
by tonymet 788 days ago
why is ssh open to the internet to begin with?

ufw is the first thing I install, even on a "private" network and here's why.

I recently installed a router with IPv4 and IPV6. I later found out that IPv6 was globally addressed with no firewall.

Always run ufw and begin by shutting off everything to the internet, then only open up what you need.

5 comments
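A worked version of the top post's advice, added here as an example and not part of the thread: it first turns the IPv6 surprise into a check (which addresses on this host can the whole internet reach?), then applies the default-deny ufw baseline with SSH open only to an admin range, for both address families. The admin range (RFC 5737 documentation space), the SSH port and the `ip -6 addr` sample are assumed or constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny ufw baseline that also
# covers IPv6, plus a check for global IPv6 addresses on the host.
# ADMIN_NET (RFC 5737 documentation space) and SSH_PORT are assumed placeholders.
set -eu

ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"
SSH_PORT="${SSH_PORT:-22}"

# Classify an IPv6 address by prefix. `ip -6 addr` labels ULA (fc00::/7)
# addresses "scope global" too, so the scope word alone is not enough;
# only 2000::/3 is routed on the internet.
ipv6_scope() {
  addr=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  case "$addr" in
    ::1)                          echo loopback ;;
    fe8?:*|fe9?:*|fea?:*|feb?:*)  echo link-local ;;
    fc??:*|fd??:*)                echo unique-local ;;
    2???:*|3???:*)                echo global ;;
    *)                            echo other ;;
  esac
}

# Read `ip -6 addr` output on stdin and print the addresses the whole
# internet can reach. If this prints anything and the router does no
# IPv6 filtering, every listening service on the host is exposed.
global_v6_addrs() {
  awk '$1 == "inet6" { sub("/.*", "", $2); print $2 }' | while read -r a; do
    if [ "$(ipv6_scope "$a")" = global ]; then echo "$a"; fi
  done
}

# Constructed sample of `ip -6 addr` output (not captured from a real host).
SAMPLE_IP6='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:5678::10/64 scope global dynamic mngtmpaddr
    inet6 fd12:3456:789a::10/64 scope global
    inet6 fe80::1234:5678:9abc:def0/64 scope link'

# Shut everything off, then open only SSH from the admin range, for both
# address families. Must run as root; only invoked when asked for.
apply_baseline() {
  # Without IPV6=yes ufw writes v4 rules only and the v6 side stays open.
  grep -q '^IPV6=yes' /etc/default/ufw || sed -i 's/^IPV6=.*/IPV6=yes/' /etc/default/ufw
  ufw --force reset
  ufw default deny incoming
  ufw default deny routed
  ufw default allow outgoing
  ufw allow from "$ADMIN_NET" to any port "$SSH_PORT" proto tcp comment 'ssh from admin net only'
  ufw --force enable
  ufw status verbose
}

case "${1:-}" in
  scan)  ip -6 addr | global_v6_addrs ;;
  apply) apply_baseline ;;
esac
```

Run it as `sh baseline.sh scan` first: if it lists an address, that address is reachable from anywhere unless something in front of it filters, which is exactly the situation the top post ran into. `sh baseline.sh apply` then installs the baseline; check `ufw status verbose` shows the rule twice, once with `(v6)`.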

Perhaps because the VPS is hosted somewhere remote and (s)he needs to ssh into it. Why ask questions in such an arrogant manner to begin with?
Then restrict IPs to the administrative network rather than the entire internet.
Well, if you want to connect to your home LAN from your phone from anywhere in the world, you need either SSH or some VPN port opened. Alternatively you can use some SaaS server where everything initiates the connection against the remote SaaS endpoint, but if you want to stay 100% local, you need to open a port.

For ssh, changing the port to something else usually takes out 99% of bots.

Most VPS systems have an API to manage security group/ firewall.

When you arrive at the new location, call the API to open up the new address.

Here is the API on AWS https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_A...

Alternatively run a VPN or TailScale
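The procedure in the comment above (arrive somewhere new, look up your address, call the security-group API), as an added example that is not the commenter's code: a script that validates the looked-up address before it is spliced into an aws CLI call, and revokes the /32 it opened last time so stale hotel and cafe addresses do not pile up in the group. The security group id is an assumed placeholder; checkip.amazonaws.com is a real AWS endpoint that echoes the caller's public IP.

```shell
#!/bin/sh
# Added example, not from the thread: open SSH in an EC2 security group to the
# address you are on now and revoke the one from last time. SG_ID is an assumed
# placeholder; checkip.amazonaws.com is a real AWS service that echoes your IP.
set -eu

SG_ID="${SG_ID:-sg-0123456789abcdef0}"                 # assumed placeholder
STATE="${STATE:-${HOME:-/tmp}/.ssh/sg-ssh-cidr}"       # remembers the last CIDR we opened

# The "what is my IP" answer is untrusted input that will be passed to an API
# call, so accept only a plain dotted quad before using it.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Turn a validated address into the /32 the security group rule will carry.
to_cidr() {
  valid_ipv4 "$1" || return 1
  printf '%s/32\n' "$1"
}

current_ip() {
  curl -fsS https://checkip.amazonaws.com | tr -d '[:space:]'
}

# Revoke the previous /32, authorize the new one, remember it. Needs the aws CLI
# configured with rights on SG_ID; only run when asked for.
rotate_ssh_rule() {
  new=$(to_cidr "$1") || { echo "refusing to use '$1' as an address" >&2; return 1; }
  if [ -f "$STATE" ]; then
    old=$(cat "$STATE")
    if [ "$old" = "$new" ]; then
      echo "ssh already open from $new"
      return 0
    fi
    aws ec2 revoke-security-group-ingress --group-id "$SG_ID" \
      --protocol tcp --port 22 --cidr "$old"
  fi
  aws ec2 authorize-security-group-ingress --group-id "$SG_ID" \
    --protocol tcp --port 22 --cidr "$new"
  printf '%s\n' "$new" > "$STATE"
  echo "ssh now open from $new only"
}

if [ "${1:-}" = rotate ]; then rotate_ssh_rule "$(current_ip)"; fi
```

Run `sh sg-rotate.sh rotate` on arrival. The state file is the only memory of what was opened, so if it is lost, list the group's rules with `aws ec2 describe-security-groups --group-ids "$SG_ID"` and revoke leftovers by hand.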

Erm, because he wanted to use SSH?

Using firewall rules on the hosts is like a fake firewall. Stuff on the hosts can override those rules. Like docker. After all, the host is actually receiving the traffic.

A router isn't a firewall. Lesson learnt: don't assume any "router" device is also a firewall. Last I heard about half of ISP issued routers don't run any kind of stateful firewall for IPv6. The only reason they do for IPv4 is NAT.

Linux firewall (ufw or iptables) is used to restrict the client IP address range. It's best to restrict access to a limited network range.

The firewall is a kernel config. If configured properly, no app can bypass it.
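The Docker comment and the "kernel config" reply above are both right about something: the rules are kernel netfilter rules, but Docker writes its own rules into the same tables, and its ACCEPT for a published port sits in the FORWARD path ahead of every ufw chain, so ufw never sees that traffic. The one place Docker leaves alone and evaluates first is the DOCKER-USER chain. The following is an added example, not from any commenter, that audits an `iptables-save` dump for published ports that nothing in DOCKER-USER filters. The dump is constructed; the WAN interface and admin range are assumed.

```shell
#!/bin/sh
# Added example, not from the thread: audit an `iptables-save` dump for
# Docker-published ports that bypass ufw. ADMIN_NET and WAN_IF are assumed.
set -eu

ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# Print "hostport/proto -> container" for every published port. Docker
# publishes a port with a DNAT rule in the nat table's DOCKER chain
# (stdin: iptables-save output).
published_ports() {
  awk '
    /^\*/ { table = substr($0, 2) }
    table == "nat" && $1 == "-A" && $2 == "DOCKER" && / -j DNAT / {
      proto = port = dst = "?"
      for (i = 1; i <= NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport") port = $(i + 1)
        if ($i == "--to-destination") dst = $(i + 1)
      }
      printf "%s/%s -> %s\n", port, proto, dst
    }'
}

# Count DOCKER-USER rules other than Docker's default "-j RETURN".
docker_user_rules() {
  awk '
    /^\*/ { table = substr($0, 2) }
    table == "filter" && $1 == "-A" && $2 == "DOCKER-USER" && $0 != "-A DOCKER-USER -j RETURN" { n++ }
    END { print n + 0 }'
}

# Exit 1 when ports are published and nothing in DOCKER-USER filters them.
check_docker_bypass() {
  dump=$(cat)
  ports=$(printf '%s\n' "$dump" | published_ports)
  if [ -z "$ports" ]; then
    echo "no Docker-published ports"
    return 0
  fi
  n=$(printf '%s\n' "$dump" | docker_user_rules)
  if [ "$n" -eq 0 ]; then
    printf 'EXPOSED: DOCKER-USER only RETURNs, ufw is not consulted for:\n%s\n' "$ports"
    return 1
  fi
  printf 'published ports, covered by %s DOCKER-USER rule(s):\n%s\n' "$n" "$ports"
}

# The fix, in the chain Docker evaluates before its own ACCEPTs: drop forwarded
# traffic arriving on the WAN interface unless it comes from the admin range.
# Root only; not run here.
harden_docker_user() {
  iptables -I DOCKER-USER -i "$WAN_IF" ! -s "$ADMIN_NET" -j DROP
}

# Constructed iptables-save excerpt (not captured from a real host):
# ufw allows SSH from the admin net, Docker published host port 8080 -> container 80.
NAT_PART='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT'
FILTER_PART='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
:ufw-user-input - [0:0]
-A INPUT -j ufw-user-input
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -j ACCEPT'
SAMPLE_EXPOSED="$NAT_PART
$FILTER_PART
-A DOCKER-USER -j RETURN
COMMIT"
SAMPLE_HARDENED="$NAT_PART
$FILTER_PART
-A DOCKER-USER -i eth0 ! -s 203.0.113.0/24 -j DROP
-A DOCKER-USER -j RETURN
COMMIT"

if [ "${1:-}" = live ]; then iptables-save | check_docker_bypass; fi
```

`sh docker-audit.sh live` runs it against the real tables. The constructed dump shows the trap: port 22 is correctly limited in `ufw-user-input`, yet 8080 is reachable from anywhere, because the DNAT and the ACCEPT in the DOCKER chains are matched before ufw's chains. The `harden_docker_user` rule is what makes the audit pass; ufw rules alone cannot.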

A router that includes a firewall is a firewall. In my case the firewall was broken.

> I later found out that IPv6 was globally addressed with no firewall.

Crazy! What brand router was this? I've never seen an IPv6 capable router configured to permit all traffic by default.

MSI. Many router vendors have sloppy configuration. It's always good to double check.

Me neither, and I've even checked an old ISP-provided router.

Mate. The shit that a retail ISP will send to the punters. Adjust your expectations sharply downward.

The reason this crap ends up in botnets is because it suits retail ISPs to have a common password for their own access. I've found that password on a forum and used it to get higher privileges than I had with my own login. And yeah, web management over the WAN was enabled by default.

Hey, a question: I also use ufw because I don't understand firewall rules properly. Is there a benefit for me, a desktop user who would like to set up a tiny home network and possibly set up an SSH server to connect from afar, to delve into iptables/nftables instead? I tried once, but couldn't understand how the rules work.

Also, if there is a ground-up explanation of firewall rules, their uses and misuses, and illustrative examples, I'd love if people could share.
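As an added illustration for the question above (not from anyone in the thread): the same default-deny policy ufw produces, written out as an nftables ruleset with each rule explained. One `inet` table covers IPv4 and IPv6 together, which is what ufw's `IPV6=yes` switch arranges for you. The admin network and SSH port are assumed placeholders, and the generator picks `ip saddr` or `ip6 saddr` depending on the family of the admin network.

```shell
#!/bin/sh
# Added example, not from the thread: the default-deny policy as an nftables
# ruleset. Arguments are assumed placeholders.
set -eu

# Emit a ruleset for one admin network and one SSH port. A single "inet" table
# handles IPv4 and IPv6 together; the saddr match has to name the right family.
nft_ruleset() {
  admin_net=$1
  ssh_port=$2
  case "$admin_net" in
    *:*) saddr="ip6 saddr" ;;
    *)   saddr="ip saddr" ;;
  esac
  cat <<EOF
flush ruleset
table inet filter {
    chain input {
        # base chain hooked into the kernel's input path; unmatched packets are dropped
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        # replies to connections this host opened, and anything already accepted
        ct state established,related accept
        iif lo accept
        # ICMP/ICMPv6 carry path MTU and neighbour discovery; dropping them breaks IPv6
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
        # the only inbound service: SSH, and only from the admin network
        $saddr $admin_net tcp dport $ssh_port accept
    }
    chain forward {
        # this host is not a router; refuse to forward anything
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Write the ruleset, parse it without applying (`nft -c`), then load it.
# Root only; only run when asked for.
install_ruleset() {
  nft_ruleset "$1" "$2" > /etc/nftables.conf
  nft -c -f /etc/nftables.conf
  nft -f /etc/nftables.conf
  nft list ruleset
}

if [ "${1:-}" = install ]; then install_ruleset "${2:-203.0.113.0/24}" "${3:-22}"; fi
```

Read it top to bottom the way the kernel does: the chain's `policy drop` is the "shut off everything" step, and each `accept` above it is one thing you have chosen to open. Use either this or ufw on a host, not both, since they both manage the same kernel rules.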

UFW is a lot simpler than iptables.

Here's a good cookbook-style guide on ufw https://www.digitalocean.com/community/tutorials/how-to-set-...