Setting up a firewall on your Linux server is essential for security — but one wrong move can lock you out of your own server via SSH. It happens more often than you'd think, and recovering from it can be frustrating (or expensive if you need to contact support).
If you do get locked out, most VPS providers offer a web console or rescue mode — but relying on that is slower and avoidable.
This tutorial walks you through enabling **UFW** (_Uncomplicated Firewall_) the safe way, with verification steps at every stage to ensure you maintain SSH access. Whether you're securing a new VPS, hardening an existing server, or just learning Linux system administration, this guide will help you set up your firewall with confidence.
What you'll learn:
- How to check your current SSH configuration
- The correct order to add firewall rules (SSH first!)
- How to verify everything is working before and after enabling the firewall
- A critical safety test that prevents lockouts
**Time required:** 5-10 minutes
**Skill level:** Beginner to intermediate (comfortable with SSH)
**What you'll need:** SSH access to your Linux server with sudo privileges
---
**Step 1: Check Current SSH Connection**
First, confirm you are connected via SSH and have sudo privileges. Use the `whoami` command to see your username.
Check what port SSH is listening on (usually 22):
`sudo netstat -tlnp | grep ssh`
On newer systems, `ss` has replaced `netstat`:
`sudo ss -tlnp | grep ssh`
It should show something like: `tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*`
_Note: Your SSH port might be different (like 2222). Remember this number!_
**Step 2: Allow SSH BEFORE Enabling Firewall**
**Method 1: If using default SSH port (22)**
`sudo ufw allow ssh`
This rule allows the port associated with the SSH service, usually 22, as defined in `/etc/services`. UFW resolves the service name from that file, not from the `Port` setting in `sshd_config`, so if you changed the SSH port use Method 2 or 3 instead.
**Method 2: If using custom SSH port (replace 2222 with your port)**
`sudo ufw allow 2222`
**Method 3: Be extra specific (replace YOUR_PORT with actual port)**
`sudo ufw allow YOUR_PORT/tcp`
Verify the rule was added:
`sudo ufw show added`
Should list your SSH rule (for example `ufw allow 22/tcp`). `sudo ufw status verbose` only reports `Status: inactive` until the firewall is enabled, so it does not list pending rules yet.
**Step 3: Add Other Required Rules**
Allow web traffic (HTTP and HTTPS)
`sudo ufw allow 'Nginx Full'`
OR manually allow ports 80 and 443:
```
sudo ufw allow 80
sudo ufw allow 443
```
Set default policies (block everything except what we allow):
```
sudo ufw default deny incoming
sudo ufw default allow outgoing
```
_Please note that these default policies won't take effect until UFW is enabled (Step 5 of this tutorial). By adding allow rules first, you ensure existing SSH traffic is permitted the moment the firewall activates._
**Step 4: Test SSH Rule (Before Enabling)**
Check UFW status (should still be inactive)
`sudo ufw status`
Should show: `Status: inactive`
Double-check SSH is allowed:
`sudo ufw show added`
Should show your SSH allow rule (from Step 2)
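Steps 2 and 4 can be turned into a single pre-flight check so the comparison between "what sshd listens on" and "what UFW will allow" cannot be skipped. The following script is an added example, not part of the original tutorial: it parses `ss -tlnp` for every port sshd is listening on and confirms each one has a matching rule in `ufw show added`, returning non-zero otherwise. The script name `ufw-preflight.sh`, the `--run` flag and the embedded sample outputs are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the tutorial): pre-flight check to run before
# `sudo ufw enable`. It lists the TCP ports sshd is listening on and confirms
# that each one already has an allow rule queued in `ufw show added`.
# Hypothetical script name: ufw-preflight.sh

# Read `ss -tlnp` output on stdin and print each sshd listening port once.
# Field 4 is Local Address:Port; stripping up to the last ':' handles
# 0.0.0.0:22, [::]:22 and *:22 alike. Process names only appear when ss
# runs as root, so call it with sudo.
ssh_ports_from_ss() {
    grep '"sshd"' | awk '{print $4}' | sed 's/.*://' | sort -un
}

# Read `ufw show added` output on stdin; succeed if an allow rule covers $1/tcp.
# Accepts "ufw allow 22", "ufw allow 22/tcp" and "... to any port 22 proto tcp";
# for port 22 the service-name forms "ssh" and "OpenSSH" also count.
# The anchors stop "ufw allow 2222" from being mistaken for a rule for port 22.
port_is_allowed() {
    port="$1"
    pat="^ufw allow (${port}(/tcp)?|.* port ${port}( proto tcp)?)$"
    if [ "$port" = 22 ]; then
        pat="${pat}|^ufw allow (ssh|OpenSSH)$"
    fi
    grep -Eq "$pat"
}

# Compare live sshd ports ($1 = ss text) with queued rules ($2 = show-added
# text). Prints one verdict per port; returns 1 if any port is uncovered.
preflight() {
    missing=0
    for p in $(printf '%s\n' "$1" | ssh_ports_from_ss); do
        if printf '%s\n' "$2" | port_is_allowed "$p"; then
            echo "OK: sshd listens on $p/tcp and an allow rule is queued"
        else
            echo "MISSING: sshd listens on $p/tcp but no allow rule is queued"
            missing=1
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample data so the check can be exercised offline.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22       0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      128             [::]:22          [::]:*    users:(("sshd",pid=812,fd=4))
LISTEN 0      511          0.0.0.0:80       0.0.0.0:*    users:(("nginx",pid=900,fd=6))
LISTEN 0      128          0.0.0.0:2222     0.0.0.0:*    users:(("sshd",pid=813,fd=3))'

RULES_COMPLETE="Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 2222/tcp
ufw allow 'Nginx Full'"

# Only 2222 is covered here: "ufw allow 2222" must not satisfy port 22.
RULES_INCOMPLETE="Added user rules (see 'ufw status' for running firewall):
ufw allow 2222
ufw allow 'Nginx Full'"

# Against the live system, run: sudo sh ufw-preflight.sh --run
# and only then `sudo ufw enable`, provided no MISSING line was printed.
run_live() {
    preflight "$(sudo ss -tlnp)" "$(sudo ufw show added)"
}

if [ "${1:-}" = "--run" ]; then
    run_live
fi
```

Because `preflight` exits non-zero when a port is uncovered, it can gate the enable step directly: `sudo sh ufw-preflight.sh --run && sudo ufw enable`. The port matching is deliberately anchored; a loose `grep 22` would be satisfied by a rule for port 2222, which is exactly the mistake that locks people out.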
**Step 5: Enable Firewall (The Moment of Truth)**
Enable UFW with confirmation
`sudo ufw enable`
You'll see a warning like: "Command may disrupt existing ssh connections. Proceed with operation (y|n)?". Type `y`.
If everything is correct, you should still be connected!
**Step 6: Verify Everything Works**
Check firewall status
`sudo ufw status verbose`
You should see something like (the `Default:` line is where you confirm that incoming traffic is denied by default):
```
Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80,443/tcp (Nginx Full)    ALLOW IN    Anywhere
```
Check rule order, which can help with troubleshooting:
`sudo ufw status numbered`
You should see something like:
```
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
```
_Note: By default, UFW mirrors rules for IPv6 if IPv6 is enabled. The (v6) rules are for IPv6 connections and are normal - UFW creates these automatically._
**Key differences from the regular `status` command**
Numbered rules: each rule gets a bracketed number ([ 1], [ 2], and so on).
Why this matters:
- You can delete specific rules by number: `sudo ufw delete 3`
- Easier to see rule order (UFW evaluates rules top to bottom, and the first matching rule wins)
- More compact than `status verbose`
**With More Complex Rules**
If you have more specific rules (like allowing from certain IPs), it looks like:
```
     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    192.168.1.100
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 3306/tcp                   ALLOW IN    10.0.0.0/8
```
**Step 7: Critical safety test**
After you've done all previous steps, test that you can still connect. Open a NEW terminal window (DON'T CLOSE THE OLD WINDOW WHERE YOU CONFIGURED THE FIREWALL!) and SSH to your server. If this works, you're safe!
If this test fails, fix the issue in your original terminal window, which is still connected.
To finish, before you log out, confirm that:
- SSH works in a second terminal,
- `ufw status` shows ALLOW for your SSH port,
- the default policy is set to deny incoming.
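The last two items of that checklist can be verified from the output of `ufw status verbose` rather than by eye. The script below is an added example, not part of the original tutorial: it reads that output and confirms the firewall is active, the incoming default is deny, and the SSH port has an `ALLOW IN` rule. It complements the second-terminal login test (which it cannot replace, since only a real connection proves the path works). The script name `ufw-postcheck.sh`, the `--run` flag and the sample outputs are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the tutorial): post-enable check that turns the
# closing checklist into one command. Hypothetical script name: ufw-postcheck.sh
# Usage against the live system:  sudo sh ufw-postcheck.sh --run 22

# $1 = SSH port; `ufw status verbose` text on stdin. Prints PASS/FAIL per
# check and returns 1 on any failure. The rule table has the port in column 1
# and "ALLOW IN" as the action; anchoring on "^PORT/tcp " (or bare "PORT ")
# stops 2222 from being counted as 22. Rules added via an application profile
# (e.g. OpenSSH) are listed under the profile name and would need a separate
# check; this one expects the port-based rules from Step 2.
ufw_postcheck() {
    port="$1"
    status=$(cat)
    fail=0
    if printf '%s\n' "$status" | grep -q '^Status: active'; then
        echo "PASS: firewall is active"
    else
        echo "FAIL: firewall is not active"; fail=1
    fi
    if printf '%s\n' "$status" | grep -q '^Default: deny (incoming)'; then
        echo "PASS: default incoming policy is deny"
    else
        echo "FAIL: default incoming policy is not deny"; fail=1
    fi
    if printf '%s\n' "$status" | grep -Eq "^${port}(/tcp)? +ALLOW IN "; then
        echo "PASS: ${port}/tcp has an ALLOW IN rule"
    else
        echo "FAIL: no ALLOW IN rule for ${port}/tcp"; fail=1
    fi
    [ "$fail" -eq 0 ]
}

# Constructed sample outputs so the check can be exercised offline.
STATUS_GOOD='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80,443/tcp (Nginx Full)    ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80,443/tcp (Nginx Full (v6)) ALLOW IN    Anywhere (v6)'

# Incoming left permissive and only a different port allowed.
STATUS_BAD='Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
2222/tcp                   ALLOW IN    Anywhere'

if [ "${1:-}" = "--run" ]; then
    sudo ufw status verbose | ufw_postcheck "${2:-22}"
fi
```

Run it in the original terminal right after `ufw enable`; if it prints any FAIL line, fix the rule there before attempting the new-terminal login.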
Have you ever accidentally locked yourself out of a server? What safety steps do you use?