Running a VPN or proxy service on a server carries several risks. As
the owner of the IP address, you (not your users) are held responsible
for any abuse or illegal activity conducted through your service. To
protect yourself, you need to take proactive measures to protect the
reputation of your IP.
Strict Mode: Whitelisting
One way to make sure your server is not being abused is to only allow
certain activities. This approach, called whitelisting, doesn't fully
prevent abuse: your users can still attack other people and get your
server suspended. However, it makes abuse a lot harder, and it's very
likely to drive abusers away from your service (and, unfortunately,
some legitimate users as well).
What we're proposing here is to drop all incoming and outgoing
packets on your server except the ones that are absolutely needed.
Here's how you can do this.
The only thing you need to check before following the guide is
that no other firewall is enabled on your server, otherwise the two
rule sets will interfere with each other. Although this guide covers
the process on Ubuntu, you don't need it as your OS; the logic is the
same for other operating systems as well.
1. Installing UFW
First, you need to install UFW.
sudo apt install ufw
2. Blocking all incoming and outgoing connections
Make sure UFW is disabled first, because the following commands may
otherwise interrupt your connection to your server:
sudo ufw disable
The commands below drop every packet that tries to enter or leave
your server. Later, we'll allow only the connections our users need:
sudo ufw default deny incoming
sudo ufw default deny outgoing
3. Allowing yourself to connect to your server
Now we'll allow incoming connections to port 22, the port used for
SSH. It's always a good idea to move SSH to a different port; if you
have done so, allow that port here instead of 22:
sudo ufw allow in 22/tcp comment 'Allows me to SSH to my server'
Outgoing connections are already blocked by the default policy, but
we'll also add an explicit rule denying outgoing packets whose
destination port is 22, in case you change the default policy in the
future. This makes both you and your users unable to SSH to other
servers on port 22 from this machine. It sounds troublesome, but it
removes one of the most common complaints that get a server suspended:
with this rule in place, no user can run SSH brute-force attacks from
your server (against the default SSH port, at least):
sudo ufw deny out 22/tcp comment 'Stops SSH brute force'
After allowing incoming connections to port 22, you can enable the
firewall without being disconnected from your server:
sudo ufw enable
If by any chance you are disconnected from your server, use the VNC
console to regain access and disable the firewall.
4. Allowing your users to connect to your server for proxy/VPN services
Clearly, your users need to connect to your server's proxy or VPN
service, and dropping all incoming connections makes this impossible
for them. So we need to allow the port the proxy/VPN listens on. For
example, say users connect to port 1194, the default OpenVPN port. To
allow it, type the following command:
sudo ufw allow in 1194/tcp comment 'OpenVPN port for users'
Or, if you're running OpenVPN over UDP:
sudo ufw allow in 1194/udp comment 'OpenVPN port for users'
The logic is the same for other VPN and proxy servers as well: find
out which port your users need to connect to and allow incoming
connections to it.
Now your users can connect to your server and to the VPN, but they
can't make any connections to the outside world. This is the exact
purpose of whitelisting: users cannot reach any port unless we allow
it. Doing this minimizes the chance of getting abuse reports.
5. Allowing your users to visit websites and use applications
Now we'll allow outgoing traffic to the ports used for browsing the
web and making API calls to web servers: TCP port 80 and TCP port 443.
Allowing UDP port 443 as well lets your users make HTTP/3 connections:
sudo ufw allow out 80/tcp comment 'HTTP connections'
sudo ufw allow out 443 comment 'HTTPS and HTTP3 connections'
Two things the commands above do not cover. First, your users also
need name resolution: unless the server runs a resolver that can reach
its upstream servers, allow outgoing port 53 (UDP and TCP) in the same
way, or nothing will resolve. Second, UFW's "in" and "out" rules apply
to connections the server itself makes, which is what a proxy does on
its users' behalf. Traffic a VPN forwards for its clients is governed
by UFW's separate "routed" default policy (deny unless you change it)
and its route rules, so for a VPN the same ports must be allowed with
route rules as well.
6. Allowing different services on a need basis
Usually, opening ports 80 and 443 is enough, but to get the full
functionality of certain applications you may need to allow your
users to use other ports as well.
You are advised to do your own research and only allow ports that are
absolutely required. Each major application publishes networking
documentation with information for network administrators like you;
there you can find the ports the application uses and whitelist them
too. We'll list a few popular ones as examples.
WhatsApp (no video or voice calls; 443/tcp is already allowed above,
so only the second rule is new):
sudo ufw allow out 443/tcp comment 'WhatsApp'
sudo ufw allow out 5222/tcp comment 'WhatsApp'
Git (the git:// protocol; HTTPS clones already work through port 443,
and SSH clones on port 22 stay blocked by the rule from step 3):
sudo ufw allow out 9418/tcp comment 'Git'
Some services like Discord, Zoom, or WhatsApp voice and video calls
require a wide range of UDP ports; you may open these at your own
discretion.
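The whole strict-mode procedure (steps 2 to 6) as one script, added here as an example and not part of the original guide. Without UFW_APPLY=1 it only prints the ufw commands it would run, so it can be reviewed safely; the interface names eth0 and tun0, the file name ufw-whitelist.sh, and the inclusion of port 53 for DNS are assumptions, and the route rules are the extra step a VPN (as opposed to a proxy) needs because client traffic is forwarded rather than originated by the server.

```shell
#!/bin/sh
# Added example, not code from the original article: applies the whole
# strict-mode rule set from steps 2-6 in one pass. Without UFW_APPLY=1 it
# only PRINTS the ufw commands, so it is safe to run anywhere; run
# `sudo UFW_APPLY=1 sh ufw-whitelist.sh` to execute them (the file name,
# eth0 and tun0 are assumptions; check `ip link` and adjust).

WAN_IF="${WAN_IF:-eth0}"       # interface holding the public IP (assumed)
VPN_IF="${VPN_IF:-tun0}"       # OpenVPN tunnel interface (assumed)
SSH_PORT="${SSH_PORT:-22}"     # the port you reach the server on
VPN_PORT="${VPN_PORT:-1194}"   # the port users connect to
VPN_PROTO="${VPN_PROTO:-udp}"

# Outbound ports users need, as "port[/proto]|comment". A bare port means
# TCP and UDP. Port 53 is not in the article's list but without DNS the
# users cannot resolve any of the other services by name.
USER_PORTS='53|DNS
80/tcp|HTTP connections
443|HTTPS and HTTP3 connections
5222/tcp|WhatsApp
9418/tcp|Git'

# Rules for packets the server itself sends or receives (ufw in/out).
# This is exactly what the article's commands do; a proxy needs no more.
host_rules() {
    cat <<EOF
default deny incoming|
default deny outgoing|
default deny routed|
allow in ${SSH_PORT}/tcp|Allows me to SSH to my server
deny out 22/tcp|Stops SSH brute force
allow in ${VPN_PORT}/${VPN_PROTO}|OpenVPN port for users
EOF
    printf '%s\n' "$USER_PORTS" | while IFS='|' read -r port note; do
        printf 'allow out %s|%s\n' "$port" "$note"
    done
}

# Packets from VPN clients are forwarded (tun0 -> eth0), which ufw filters
# with "route" rules and the "routed" default, not with "out" rules, so
# the same ports are allowed again here. NAT for the clients (MASQUERADE
# in /etc/ufw/before.rules) and net.ipv4.ip_forward=1 are still your job.
route_rules() {
    printf '%s\n' "$USER_PORTS" | while IFS='|' read -r port note; do
        case $port in
            */*) proto=" proto ${port#*/}"; port=${port%/*} ;;
            *)   proto="" ;;
        esac
        printf 'route allow in on %s out on %s to any port %s%s|%s (VPN clients)\n' \
            "$VPN_IF" "$WAN_IF" "$port" "$proto" "$note"
    done
}

# Render "args|comment" as the exact ufw command line (for review/logs).
render_rule() {
    args=${1%%|*}
    note=${1#*|}
    if [ -n "$note" ]; then
        printf "ufw %s comment '%s'" "$args" "$note"
    else
        printf 'ufw %s' "$args"
    fi
}

# Print every command, or execute it when UFW_APPLY=1 (run as root).
apply_rules() {
    { host_rules; route_rules; } | while IFS='|' read -r args note; do
        if [ "${UFW_APPLY:-0}" = 1 ]; then
            # $args is unquoted on purpose: it is a list of ufw arguments.
            if [ -n "$note" ]; then ufw $args comment "$note"; else ufw $args; fi
        else
            render_rule "$args|$note"
            echo
        fi
    done
}

if [ "${UFW_APPLY:-0}" = 1 ]; then
    ufw disable          # as in step 2: load rules with the firewall off
    apply_rules
    ufw --force enable   # --force skips the "may disrupt ssh" prompt
else
    apply_rules
fi
```

Review the printed list before running it for real, and keep the SSH allow rule first in your head when you do: the firewall is disabled while the rules load and re-enabled only at the end, which is what stops the session you are typing in from being cut off.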
Lenient Mode: Blacklisting
In whitelisting, you block everything and allow specific ports. In
blacklisting, you allow everything and block specific ports.
1. Installing UFW
First, you need to install UFW:
sudo apt install ufw
2. Blocking the incoming connections
Make sure UFW is disabled first, because the following commands may
otherwise interrupt your connection to your server:
sudo ufw disable
It makes sense to block all incoming connections except for the
services we explicitly serve. So let's deny all incoming traffic:
sudo ufw default deny incoming
Note that this time you’re not blocking all outgoing connections.
This allows your users to connect to any port they’d like. This is not
advisable unless you absolutely trust your users.
3. Allowing yourself to connect to your server
Now we'll allow incoming connections to port 22, the port used for
SSH connections to your server. It's always a good idea to move SSH
to a different port; if you have done so, allow that port instead:
sudo ufw allow in 22/tcp comment 'Allows me to SSH to my server'
To block outgoing SSH and avoid SSH brute-force abuse reports, use the
following command. Note that it must be "deny", not "allow": an
"allow out 22/tcp" rule would do the opposite of what you want.
sudo ufw deny out 22/tcp comment 'Block Outgoing SSH'
4. Blocking BitTorrent
Using the same logic, you need to block the ports used for
BitTorrent. However, since BitTorrent uses many ports (and clients can
be configured to use almost any port), you need to do your own research
and block public tracker IPs as well as the ports that are normally
used for BitTorrent.
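A check for either mode, added here as an example and not part of the original guide: it reads the output of `ufw status verbose` and flags the two mistakes this page is about, outbound SSH left open (including the "allow out" slip in step 3) and, for a strict-mode server, an outgoing default that is still "allow". The file name audit_ufw.sh is an assumption and the two status samples embedded in it are constructed, shaped like real `ufw status verbose` output.

```shell
#!/bin/sh
# Added example, not from the original article: checks `ufw status verbose`
# output for the mistakes this page warns about, in either mode. Usage
# (the file name is an assumption):
#   sudo ufw status verbose | sh audit_ufw.sh strict     # whitelist server
#   sudo ufw status verbose | sh audit_ufw.sh lenient    # blacklist server
# Exit status 0 means clean; findings are printed one per line.

# $1 = strict|lenient, stdin = ufw status text. Returns 0 if no findings.
audit_status() {
    mode=$1
    status=$(cat)
    findings=0

    # Outbound port 22/tcp must be explicitly denied in both modes.
    if ! printf '%s\n' "$status" | grep -Eq '^22/tcp[[:space:]]+DENY OUT'; then
        echo "FINDING: no 'deny out 22/tcp' rule; SSH brute force from this host is possible"
        findings=$((findings + 1))
    fi

    # 'allow out 22/tcp' is the lenient-mode slip (allow typed for deny);
    # ufw takes the first matching rule, so it must not be there at all.
    if printf '%s\n' "$status" | grep -Eq '^22/tcp[[:space:]]+ALLOW OUT'; then
        echo "FINDING: 'allow out 22/tcp' present; delete it and add 'deny out 22/tcp'"
        findings=$((findings + 1))
    fi

    # Strict mode requires a deny default for outgoing traffic.
    if [ "$mode" = strict ] && printf '%s\n' "$status" | grep -Eq '^Default:.*allow \(outgoing\)'; then
        echo "FINDING: default outgoing policy is allow; strict mode expects deny"
        findings=$((findings + 1))
    fi

    # None of it matters if the firewall is off.
    if ! printf '%s\n' "$status" | grep -q '^Status: active'; then
        echo "FINDING: ufw is not active"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample, shaped like `ufw status verbose` after the lenient
# steps above with 'allow out' typed instead of 'deny out'.
SAMPLE_BAD='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                   # Allows me to SSH to my server
22/tcp                     ALLOW OUT   Anywhere                   # Block Outgoing SSH'

# Constructed sample of a correctly configured strict-mode server.
SAMPLE_GOOD='Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                   # Allows me to SSH to my server
1194/udp                   ALLOW IN    Anywhere                   # OpenVPN port for users
22/tcp                     DENY OUT    Anywhere                   # Stops SSH brute force
80/tcp                     ALLOW OUT   Anywhere                   # HTTP connections
443                        ALLOW OUT   Anywhere                   # HTTPS and HTTP3 connections'

if [ $# -gt 0 ]; then
    audit_status "$1"            # real run: status text comes from stdin
else
    echo "== constructed bad sample (lenient) =="
    printf '%s\n' "$SAMPLE_BAD" | audit_status lenient || true
    echo "== constructed good sample (strict) =="
    if printf '%s\n' "$SAMPLE_GOOD" | audit_status strict; then echo "clean"; fi
fi
```

Run it after every rule change and again after a reboot; a non-zero exit is cheap to wire into a cron job or monitoring check so that a server which silently came back up with UFW inactive gets noticed before the abuse report does.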
If you have any questions, don’t hesitate to contact us by submitting a
ticket.