DEV Community

Marek

Posted on • Originally published at nubecode.eu

Don’t Lock Yourself Out: Enabling UFW on a Linux Server Without Breaking SSH

Setting up a firewall on your Linux server is essential for security — but one wrong move can lock you out of your own server via SSH. It happens more often than you'd think, and recovering from it can be frustrating (or expensive if you need to contact support).

If you do get locked out, most VPS providers offer a web console or rescue mode — but relying on that is slower and avoidable.

This tutorial walks you through enabling UFW (Uncomplicated Firewall) the safe way, with verification steps at every stage to ensure you maintain SSH access. Whether you're securing a new VPS, hardening an existing server, or just learning Linux system administration, this guide will help you set up your firewall with confidence.

What you'll learn:

  • How to check your current SSH configuration
  • The correct order to add firewall rules (SSH first!)
  • How to verify everything is working before and after enabling the firewall
  • A critical safety test that prevents lockouts

Time required: 5-10 minutes
Skill level: Beginner to intermediate (comfortable with SSH)
What you'll need: SSH access to your Linux server with sudo privileges


Step 1: Check Current SSH Connection
First, confirm you are connected via SSH and that sudo works for your account. Run whoami to see which user you are logged in as.
Check which port SSH is listening on (usually 22):
sudo netstat -tlnp | grep ssh
On newer systems, ss has replaced netstat:
sudo ss -tlnp | grep ssh
You should see a LISTEN line whose Local Address ends in the port, for example 0.0.0.0:22 (and, if IPv6 is enabled, a second line with [::]:22). The -p flag is why sudo is needed: without root, the process name (sshd) that grep matches on is not shown.
Note: Your SSH port might be different (like 2222). Remember this number! The port sshd is actually listening on is what matters, so trust this output over whatever you remember putting in sshd_config.

Step 2: Allow SSH BEFORE Enabling Firewall
Method 1: If using default SSH port (22)
sudo ufw allow ssh

This rule allows the port that /etc/services maps to the ssh service, normally 22/tcp. It does not read sshd_config: if you moved SSH to another port, this still opens 22 and leaves your real port blocked, so use Method 2 or 3 instead.

Method 2: If using custom SSH port (replace 2222 with your port)
sudo ufw allow 2222

A bare port number opens it for both TCP and UDP. SSH only needs TCP, so Method 3 is the tighter choice.

Method 3: Be extra specific (replace YOUR_PORT with actual port)
sudo ufw allow YOUR_PORT/tcp

Verify the rule was added:
sudo ufw status verbose
While UFW is still inactive this prints only "Status: inactive" and no rule list; the rule you just added is visible now with the command in Step 4 (ufw show added), and will show as "ALLOW IN" in the status output once the firewall is enabled.

Step 3: Add Other Required Rules
Allow web traffic (HTTP and HTTPS)
sudo ufw allow 'Nginx Full'

This uses an application profile that the nginx package installs under /etc/ufw/applications.d. If nginx is not installed, the profile does not exist and UFW rejects the command; in that case allow the ports directly (add /tcp if you want to keep UDP closed, as in Method 3 above):

sudo ufw allow 80
sudo ufw allow 443

Set default policies (block everything except what we allow)

sudo ufw default deny incoming
sudo ufw default allow outgoing

Please note that these default policies won't take effect until UFW is enabled (Step 5 of this tutorial).

By adding allow rules first, you ensure new SSH connections are permitted the moment the firewall activates. Your current session would survive even without the rule, because UFW accepts packets belonging to already-established connections; the rule is what lets the next login through.

Step 4: Test SSH Rule (Before Enabling)
Check UFW status (should still be inactive)
sudo ufw status
Should show: Status: inactive

Double-check SSH is allowed:
sudo ufw show added
Should show your SSH allow rule (from Step 2)

Step 5: Enable Firewall (The Moment of Truth)
Enable UFW with confirmation
sudo ufw enable
Because you are running this over SSH, UFW warns: "Command may disrupt existing ssh connections. Proceed with operation (y|n)?". Type: y.
Your session should stay up. Do not treat that alone as proof the SSH rule is right: UFW lets established connections continue regardless of your rules, so only a fresh login (Step 7) confirms you are not locked out.

Step 6: Verify Everything Works
Check firewall status
sudo ufw status verbose
You should see something like:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                           Action      From
--                           ------      ----
22/tcp                       ALLOW IN    Anywhere
80,443/tcp (Nginx Full)      ALLOW IN    Anywhere
22/tcp (v6)                  ALLOW IN    Anywhere (v6)
80,443/tcp (Nginx Full (v6)) ALLOW IN    Anywhere (v6)

The Default line is where you confirm that incoming traffic is denied unless a rule allows it.

Check rule order, which helps with troubleshooting and is the form you need when deleting rules.
sudo ufw status numbered
You should see something like (this listing is from a server where ports 80 and 443 were added individually; with the Nginx Full profile they appear as one 80,443/tcp line):

Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 443/tcp (v6)               ALLOW IN    Anywhere (v6)

Note: When IPV6=yes is set in /etc/default/ufw (the Ubuntu default), UFW adds a matching IPv6 rule for every IPv4 rule, so the (v6) lines are normal and created automatically. UFW only manages ip6tables when that setting is on; with IPV6=no, IPv6 traffic is not filtered by UFW at all, so a dual-stack server would be firewalled on IPv4 only.

Key differences from the regular status command:

Numbered rules: Each rule gets a bracketed number [1], [2], etc.
Why this matters:

  • You can delete specific rules by number: sudo ufw delete 3
  • It shows the evaluation order: UFW tries rules top to bottom and the first match wins, so a broad rule above a narrower one makes the narrower one dead weight
  • More compact than status verbose

Caveat: the numbers are positions, not stable IDs. After you delete rule 3, the old rule 4 becomes rule 3, so list again before the next delete rather than deleting several numbers in a row from one listing. If a rule must be evaluated ahead of existing ones, insert it at a position instead of appending it.

With More Complex Rules

If you have more specific rules (like allowing from certain IPs), it looks like:

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    192.168.1.100
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 3306/tcp                   ALLOW IN    10.0.0.0/8

Rule [4] is the pattern worth copying: the database port is reachable only from the private range. Rule [1], by contrast, changes nothing while [2] exists, because [2] already allows SSH from everywhere; it only takes effect once [2] is deleted, which is how you would restrict SSH to a single management host.

Step 7: Critical safety test
After you've done all previous steps you must test that you can still connect. Open a NEW terminal window (DON'T CLOSE YOUR OLD WINDOW WHERE YOU CONFIGURED THE FIREWALL!) and SSH to your server. This is the real test: the old session stays up because UFW allows established connections, so only a new login proves the SSH rule works. If it works, you're safe!
If this test fails, use your original terminal window to disable UFW, fix the rule (usually a wrong port, or a rule for 22 when sshd listens elsewhere), and repeat Steps 4 to 7.

To finish, before you log out, confirm that:

  • SSH works in a second terminal,
  • ufw status shows ALLOW for your SSH port,
  • Default policy is set to deny incoming.
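The whole procedure above, automated with a rollback safety net, as an added example that is not part of the original post: it parses the output of ss -tlnp to find the port(s) sshd is listening on, prints the UFW commands in the tutorial's order (SSH allow first, then default policies, then enable), and, when run with --apply as root, arms a systemd timer that disables UFW again after five minutes unless you cancel it from a fresh SSH session. The unit name ufw-rollback, the five-minute window and the sample ss lines in plan_from_sample are assumptions made for this example; the script assumes a systemd host with ufw and iproute2 installed.

```bash
#!/bin/sh
# Added example (not from the original post): find sshd's port(s), plan the
# UFW commands in the safe order, and arm a time-limited rollback so that a
# mistake undoes itself. Assumptions: systemd (for systemd-run), iproute2's
# ss, ufw at /usr/sbin/ufw; "ufw-rollback" and 5min are choices made here.
set -eu

# Read `ss -tlnp` output on stdin and print each distinct TCP port that a
# process named sshd is listening on. Column 4 is "addr:port"; taking the
# text after the last colon handles 0.0.0.0:22, [::]:22 and *:22 alike.
ssh_ports_from_ss() {
  awk '$1 == "LISTEN" && $0 ~ /"sshd"/ { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Print the ufw commands for the given SSH port(s), in the tutorial's order:
# allow SSH (TCP only) first, then default policies, then enable.
# --force skips the "may disrupt existing ssh connections" y/n prompt.
ufw_plan() {
  for port; do
    printf 'ufw allow %s/tcp\n' "$port"
  done
  printf 'ufw default deny incoming\n'
  printf 'ufw default allow outgoing\n'
  printf 'ufw --force enable\n'
}

# Offline check of the logic: a constructed ss sample (not captured from a
# real host) with sshd on a custom port 2222 plus an unrelated cupsd listener.
plan_from_sample() {
  sample='State   Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN  0      128    0.0.0.0:2222       0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN  0      128    [::]:2222          [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN  0      4096   127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=600,fd=7))'
  ufw_plan $(printf '%s\n' "$sample" | ssh_ports_from_ss)
}

# Live run: refuses to enable the firewall unless an sshd listener was found,
# and schedules `ufw disable` as a dead man's switch before touching rules.
apply_live() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  ports=$(ss -tlnp | ssh_ports_from_ss)
  [ -n "$ports" ] || { echo "no sshd listener found; refusing to enable ufw" >&2; return 1; }
  # If nobody stops this timer within 5 minutes, UFW is disabled again and
  # the server is reachable exactly as it was before this script ran.
  systemd-run --on-active=5min --unit=ufw-rollback /usr/sbin/ufw disable
  ufw_plan $ports | while IFS= read -r cmd; do
    echo "+ $cmd"
    $cmd   # each planned line is a plain ufw invocation
  done
  ufw status verbose
  echo "Now open a NEW terminal and ssh in. Once that works, cancel the rollback:"
  echo "  systemctl stop ufw-rollback.timer"
}

if [ "${1:-}" = "--apply" ]; then
  apply_live
fi
```

Without --apply the script does nothing but define functions, so you can source it and run plan_from_sample to see the commands it would issue. If the new-terminal test in Step 7 fails, simply do nothing: the timer disables UFW within five minutes and your existing session keeps working in the meantime.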

Have you ever accidentally locked yourself out of a server? What safety steps do you use?