For further security (on top of Fail2Ban) I implemented a firewall.
Fail2ban blocks IP addresses after failed attempts to log in to the server, but try it enough and a bot might get lucky one day. The firewall prevents unauthorised addresses from even trying their luck. Ideally I would restrict SSH access to just my (client) laptop IP, but because of dynamic IPs, my IP address may change after powering the router off and on. So instead I used my ISP's range. Non-Vodafone clients then have no chance; technically other Vodafone clients could still try their luck, but they would get blocked by Fail2Ban.
$ curl ifconfig.me [from client computer]
81.79.19.48 [client (current) IP]
$ whois 81.79.19.48 | grep -iE 'inetnum'
inetnum: 81.79.0.0 - 81.79.63.255
$ sudo ufw enable
$ sudo ufw status verbose
$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp
$ sudo ufw allow from 81.79.0.0/16 to any port 2222
[CIDR notation: /16 means the first 16 bits (the first two numbers, 81.79) are fixed and the last 16 bits can vary (the x.y part in 81.79.x.y).]
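The whois range shown above (81.79.0.0 - 81.79.63.255) is exactly a /18, so a /16 rule admits more addresses than the listed ISP block. The following Python script is an added example, not part of the original notes: it turns inetnum lines into the tightest CIDR blocks and counts the extra addresses a wider rule lets in. The function names and the embedded sample line are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the inetnum line quoted on this page.
WHOIS_SAMPLE = "inetnum:        81.79.0.0 - 81.79.63.255\n"


def inetnum_to_cidrs(whois_text):
    """Return the smallest set of CIDR blocks covering every inetnum range."""
    cidrs = []
    for m in re.finditer(r"(?im)^inetnum:\s*(\S+)\s*-\s*(\S+)\s*$", whois_text):
        first = ipaddress.IPv4Address(m.group(1))
        last = ipaddress.IPv4Address(m.group(2))
        # A range that is not bit-aligned expands into several blocks.
        cidrs.extend(ipaddress.summarize_address_range(first, last))
    # Merge duplicates or adjacent blocks from multiple inetnum lines.
    return list(ipaddress.collapse_addresses(cidrs))


def excess_addresses(rule_cidr, cidrs):
    """Count addresses a firewall rule admits outside the whois range(s)."""
    rule = ipaddress.ip_network(rule_cidr, strict=True)
    # Rule sits entirely inside one whois block: nothing extra is admitted.
    if any(rule.subnet_of(n) for n in cidrs):
        return 0
    covered = sum(n.num_addresses for n in cidrs if n.subnet_of(rule))
    return rule.num_addresses - covered


def ufw_rules(cidrs, port):
    """Build one 'ufw allow' command per block (returned, never executed)."""
    return [f"sudo ufw allow from {n} to any port {port}" for n in cidrs]


if __name__ == "__main__":
    nets = inetnum_to_cidrs(WHOIS_SAMPLE)
    for line in ufw_rules(nets, 2222):
        print(line)
    print("extra addresses admitted by 81.79.0.0/16:",
          excess_addresses("81.79.0.0/16", nets))
```
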
Any issues:
$ sudo ufw status numbered
$ sudo ufw delete N (where N is the rule number to remove)