Lock down a server to SSH only

Topic: Networking basics

Summary

Restrict inbound host-firewall access to SSH (and optionally a management port) so that no other service is reachable from the network. Use a default-deny inbound policy and allow only TCP 22 (or your SSH port); allow established/related so that return traffic for the host's own outbound connections is still admitted. Use this as the baseline for minimal exposure before adding other services.

Intent: How-to

Quick answer

  • Set the default policy to deny inbound; allow TCP 22 (or your SSH port); allow established and related so that return traffic for outbound connections is permitted. Allow no other inbound ports.
  • UFW: ufw default deny incoming; ufw default allow outgoing; ufw allow 22/tcp; ufw enable. nftables: policy drop on the input chain; add a rule accepting ct state established,related; add a rule accepting tcp dport 22; add no other accept rule on input.
  • Test in a second SSH session before closing the first; ensure SSH is on the port you allowed (e.g. 22); if you use a different port, allow that port before enabling.

Prerequisites

Steps

  1. Allow SSH before enabling

    Add an allow rule for 22/tcp (or whichever port sshd listens on; check with ss -tlnp | grep ssh). If SSH is on 2222, allow 2222/tcp instead. Do not enable the firewall or set default deny until this rule is in place.

  2. Set default deny inbound

    UFW: ufw default deny incoming; ufw default allow outgoing. nftables: set the input chain policy to drop; add a rule accepting ct state established,related; add a rule accepting tcp dport 22. Only SSH (and established/related traffic) is then allowed inbound.

  3. Enable and verify

    Run ufw enable, or load the nftables ruleset; open a second SSH session and confirm you can still log in; from the first session run ufw status or nft list ruleset to confirm that only port 22 (and established/related) is allowed inbound.

  4. Add other ports only when needed

    When you deploy a new service (e.g. HTTP), add an allow rule for that port; do not open ports preemptively. Document each allowed port and why.

Summary

Lock down the host so only SSH (and established/related traffic) is allowed inbound. Use default-deny and a single allow for the SSH port. Test in a second session before closing the first. Use this as the baseline for a minimal server exposure.

Prerequisites

Steps

Step 1: Allow SSH before enabling

sudo ufw allow 22/tcp
# or if SSH is on 2222:
# sudo ufw allow 2222/tcp

Confirm the SSH port with ss -tlnp | grep ssh.

Step 2: Set default deny inbound

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable

Or with nftables: set the input chain policy to drop; accept ct state established,related; accept tcp dport 22.

Step 3: Enable and verify

Open a second SSH session and log in. From the first session run ufw status or nft list ruleset and confirm that only SSH (and established/related) is allowed inbound.

Step 4: Add other ports only when needed

When you add a service (e.g. web server), add an allow rule for that port. Do not open ports in advance. Document each allowed port.
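Steps 1 and 2 above (find the port sshd actually listens on, then write a default-deny ruleset that admits only that port plus established/related) can be scripted so the port is never guessed. The script below is an added example, not code from the original page; the function names sshd_port_from_ss and render_ruleset are hypothetical, and the ss output it parses is a constructed sample so it runs offline. It also adds a loopback accept that the page's steps do not mention, because with policy drop and no loopback rule, local clients cannot reach services on 127.0.0.1.

```shell
#!/bin/sh
# Added example, not part of the original page: find the port sshd listens on
# (step 1) and render a default-deny nftables ruleset that admits only that
# port plus established/related traffic (step 2). The ss output below is a
# constructed sample so the script runs offline; on a real host pipe in
# `ss -tlnp` instead.

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:2222      0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*     users:(("systemd-resolved",pid=401,fd=13))'

# sshd_port_from_ss: read `ss -tlnp` output on stdin and print the TCP port of
# the first sshd listener. Exits 1 if none is found, which is the signal NOT to
# enable the firewall yet.
sshd_port_from_ss() {
    awk '/LISTEN/ && /"sshd"/ { n = split($4, a, ":"); print a[n]; found = 1; exit }
         END { exit found ? 0 : 1 }'
}

# render_ruleset PORT: print an nftables ruleset with policy drop on input,
# one accept for established/related, one accept for TCP PORT, and nothing
# else inbound. The loopback accept is an addition beyond the page's steps:
# without it, under policy drop, local clients cannot reach local services.
render_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport $1 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Run with --print to see the ruleset for the sample. On a real host, review
# the output from a second SSH session before loading it with nft -f.
if [ "${1:-}" = "--print" ]; then
    port=$(printf '%s\n' "$SAMPLE_SS" | sshd_port_from_ss) || exit 1
    render_ruleset "$port"
fi
```

The port is taken from the listener line rather than assumed to be 22, so a host whose sshd was moved to 2222 gets a ruleset that allows 2222, which is exactly the lockout case step 1 warns about.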

Verification

  • Only SSH (and established) is allowed inbound; other ports are not reachable from the network; SSH remains working.
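The verification bullet above can be turned into a check over nft list ruleset output instead of reading the ruleset by eye. The script below is an added example, not code from the original page; the function name audit_input_chain is hypothetical, and the two rulesets it examines are constructed samples (one matching the baseline, one with a port opened in advance, which step 4 says not to do). It treats a loopback accept as expected, an assumption beyond the page's own steps.

```shell
#!/bin/sh
# Added example, not part of the original page: turn "confirm only SSH (and
# established) is allowed inbound" into a check over `nft list ruleset` output.
# The two rulesets below are constructed samples; on a real host run
#   nft list ruleset | audit_input_chain 22

# audit_input_chain SSH_PORT: read a ruleset on stdin. Inside "chain input",
# report a policy other than drop and every accept rule that is not the
# established/related rule, the TCP SSH_PORT rule, or the loopback rule.
# Exit status 0 means the chain matches the baseline, 1 means it does not.
audit_input_chain() {
    awk -v sshport="$1" '
        /chain input/           { inchain = 1; next }
        inchain && /^[ \t]*}/   { inchain = 0; next }
        !inchain                { next }
        /policy/ {
            if ($0 !~ /policy drop/) { print "input policy is not drop: " $0; bad = 1 }
            next
        }
        /accept/ {
            if ($0 ~ "ct state established,related accept")  next
            if ($0 ~ ("tcp dport " sshport " accept"))       next
            if ($0 ~ /iif "lo" accept/)                     next
            print "unexpected accept in input chain: " $0
            bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Baseline as the page describes it (plus loopback): should pass.
CLEAN_RULESET='table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 22 accept
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}'

# Same baseline with a port opened in advance: should be flagged.
STRAY_RULESET='table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        tcp dport 22 accept
        tcp dport 80 accept
    }
}'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$CLEAN_RULESET" | audit_input_chain 22 && echo "clean ruleset: OK"
    printf '%s\n' "$STRAY_RULESET" | audit_input_chain 22 || echo "stray ruleset: FLAGGED"
fi
```

Passing the SSH port as an argument matters: auditing with 22 when sshd really listens on 2222 flags the 22 rule as unexpected, which surfaces the mismatch between the allowed port and the listening port before it becomes a lockout.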

Troubleshooting

Locked out — Use the console (or other out-of-band access); run ufw allow 22/tcp and ufw reload, or add the SSH allow rule to the nftables ruleset and reload it. If SSH is on a non-default port, allow that port instead.

Cannot reach new service — Add an allow rule for the service port and reload; also verify the service is listening on 0.0.0.0 (or the host's address), not only on 127.0.0.1.

Next steps

Continue to