Networking & Security

Ports, Firewalls & Linux Security

How hackers see your server. What ports are. How firewalls work. How to harden SSH. And how DNS translates google.com into an IP address in 20 milliseconds.

Sections: 6 · Read time: 25 min · Level: Beginner

What is a Port?

Your server has one IP address. But many different services run on it simultaneously — SSH, a web server, a database. How does the server know which incoming connection goes to which service? Ports.

💡
Think of it this way...
IP address = the building address (192.168.64.3)
Port = the apartment number

192.168.64.3:22 → apartment 22 → SSH lives here
192.168.64.3:80 → apartment 80 → web server lives here
192.168.64.3:5432 → apartment 5432 → PostgreSQL database lives here

When you SSH in: your Mac says "I want to connect to 192.168.64.3, apartment 22"
🤯

Did You Know?

Ports 1–1024 are “privileged” — only root can open them. That's why web servers need root or special capabilities to listen on port 80. Ports 1025–65535 are “unprivileged” — any user can open them.
💡

Key Takeaway

A port is just a number. It tells the OS "this incoming connection is for THAT service." Without ports, a server could only run one service at a time.

Well-Known Port Numbers

These are standardized — every Linux server uses the same ones. Memorize the common ones:

Port   Service      Description
22     SSH          Remote terminal access. How you connect from your Mac to your server.
80     HTTP         Unencrypted web traffic. When you visit http://...
443    HTTPS        Encrypted web traffic. The padlock in your browser.
53     DNS          Domain name lookups. Every DNS query uses this port.
25     SMTP         Email sending. Old and often blocked by ISPs.
3306   MySQL        MySQL database server. [Sensitive]
5432   PostgreSQL   PostgreSQL database server. [Sensitive]
6379   Redis        Redis cache database. Should never be public. [Sensitive]
8080   HTTP-alt     Alternative HTTP. Used in dev/testing.
⚠️

Warning

Ports 3306, 5432, 6379 — these should only be accessible from within your server or your private network. A database exposed to the internet is a catastrophic security risk. ufw blocks these by default.
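As an added example (not part of the original page), this Python script checks a server for exactly the situation the warning describes: it parses the output of ss -tlnp, the Linux command that lists listening TCP sockets, and flags any sensitive database port that is bound to a non-loopback address and therefore reachable unless a firewall stops it. The ss output below is constructed, and the helper names are chosen here rather than taken from any tool.

```python
import re

# Ports the page marks as sensitive: they must never be reachable from the internet.
SENSITIVE = {3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}

# Constructed sample in the shape `ss -tlnp` prints (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      244    127.0.0.1:5432       0.0.0.0:*     users:(("postgres",pid=1021,fd=5))
LISTEN 0      511    0.0.0.0:6379         0.0.0.0:*     users:(("redis-server",pid=1200,fd=6))
LISTEN 0      511    [::]:80              [::]:*        users:(("nginx",pid=1300,fd=6))
LISTEN 0      4096   127.0.0.53%lo:53     0.0.0.0:*     users:(("systemd-resolve",pid=600,fd=13))
"""

def parse_listeners(ss_output):
    """Yield (address, port, process) for every LISTEN line of ss -tlnp output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                               # skip the header and anything odd
        addr, port = fields[3].rsplit(":", 1)      # rsplit: IPv6 addresses contain colons
        addr = addr.split("%")[0]                  # drop an interface scope such as %lo
        m = re.search(r'\(\("([^"]+)"', line)      # process name inside users:(("name",...))
        yield addr, int(port), (m.group(1) if m else "?")

def is_local_only(addr):
    """True when the socket is bound to loopback, so it is unreachable from outside."""
    return addr.startswith("127.") or addr == "[::1]"

def audit_listeners(ss_output):
    """Classify each listener. A sensitive port bound to a non-loopback address is
    the 'Anyone -> port 5432 -> DB connects' case from the diagram: EXPOSED."""
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        if is_local_only(addr):
            verdict = "local-only"
        elif port in SENSITIVE:
            verdict = "EXPOSED"                    # needs a firewall rule or a loopback bind
        else:
            verdict = "public"                     # expected for SSH and the web server
        findings.append((port, addr, proc, verdict))
    return findings

if __name__ == "__main__":
    for port, addr, proc, verdict in audit_listeners(SAMPLE_SS):
        print(f"{port:>5}  {addr:<12} {proc:<16} {verdict}")
```

In the sample, PostgreSQL is safe because it listens only on 127.0.0.1, while Redis on 0.0.0.0 is the exposed one.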

Firewalls & ufw

By default, your server accepts connections on ANY port that has a listening service. A firewall sits in front of all those ports and enforces rules — only letting in what you explicitly allow.

❌ WITHOUT firewall

Anyone → port 22 → SSH ✓ connects

Anyone → port 80 → web ✓ connects

Anyone → port 5432 → DB ✓ connects 😱

✅ WITH ufw

Anyone → port 22 → ALLOW ✓

Anyone → port 80 → ALLOW ✓

Anyone → port 5432 → DENY ✗ blocked

ufw commands


💡

Key Takeaway

Default ufw policy when enabled: DENY all incoming, ALLOW all outgoing. You explicitly allow what you need. Everything else is blocked.

SSH Hardening

SSH on default settings works but isn't maximally secure. Hardening means changing /etc/ssh/sshd_config to make it harder to attack.

PermitRootLogin no

Attacker must first compromise a normal user, then escalate — two steps instead of one.

PasswordAuthentication no

Only SSH keys allowed. A key cannot be guessed the way a password can: brute-forcing one is computationally infeasible.

MaxAuthTries 3

Disconnect after 3 wrong attempts. Limits how fast an attacker can try passwords.

LoginGraceTime 20

Disconnect if the login hasn't completed within 20 seconds. Frees up connections that automated scanners would otherwise hold open.

AllowUsers charith

Only this specific user can SSH in. Even if an attacker creates another account, they can't SSH.
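As an added example (not part of the original page), the Python below checks an sshd_config against the five settings listed above, reading the file the way sshd does: keywords are case-insensitive, a leading '#' comments a line out, the first occurrence of a keyword wins over later duplicates, and lines after a Match block only apply to that block. The sample config and the function names are constructed here; the defaults used for absent keywords are those documented in sshd_config(5).

```python
import re

# Page's target values, paired with sshd's default when the keyword is absent (sshd_config(5)).
DESIRED = {
    "permitrootlogin":        ("no",      "prohibit-password"),
    "passwordauthentication": ("no",      "yes"),
    "maxauthtries":           ("3",       "6"),
    "logingracetime":         ("20",      "120"),
    "allowusers":             ("charith", None),
}

# Constructed sshd_config with the classic mistakes: a setting left commented out,
# a duplicate keyword, and a Match block that only applies to one user.
SAMPLE_CONFIG = """\
# PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
MaxAuthTries 10
#LoginGraceTime 20
Match User backup
    PasswordAuthentication yes
"""

def effective_settings(text):
    """Return {keyword: value} for the global section, as sshd reads it: keywords are
    case-insensitive, '#' starts a comment, the FIRST occurrence of a keyword wins, and
    settings after a Match line only apply to connections matching that block."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+|\s*=\s*", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return seen

def check_hardening(text):
    """Compare effective settings with DESIRED; return [(keyword, effective_value, ok)]."""
    seen = effective_settings(text)
    return [(key, seen.get(key, default),
             (seen.get(key, default) or "").lower() == want.lower())
            for key, (want, default) in DESIRED.items()]

if __name__ == "__main__":
    for key, got, ok in check_hardening(SAMPLE_CONFIG):
        print(f"{'OK ' if ok else 'FIX'} {key:<22} effective={got}")
```

Run against the sample, only PasswordAuthentication and MaxAuthTries pass: the commented-out PermitRootLogin and LoginGraceTime fall back to sshd's defaults, and AllowUsers is missing entirely.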


Fail2ban

Even with hardening, attackers will still try. Fail2ban watches your logs and automatically bans IPs that fail too many times.

How Fail2ban works:

Attacker tries password 1 → fail → logged in /var/log/auth.log

Attacker tries password 2 → fail → logged

Attacker tries password 3 → fail → logged

Fail2ban reads log → "this IP failed 3 times"

Fail2ban adds rule → IP 1.2.3.4 BANNED for 1 hour

Attacker tries password 4 → connection REFUSED ✓
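As an added example (not part of the original page and not Fail2ban's own code), this Python replays the six steps above over a constructed /var/log/auth.log excerpt: it counts "Failed password" lines per IP inside a sliding window, records a ban once the count reaches the limit, and treats later attempts from a banned IP as refused. The option names mirror the fail2ban jail settings they stand in for; the log lines, regex and function names are constructed here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Knobs named after the fail2ban jail options they mirror (values are the page's: 3 tries, 1 hour).
MAXRETRY = 3
FINDTIME = timedelta(seconds=600)    # the failures must fall inside this window
BANTIME = timedelta(hours=1)

# Simplified version of the sshd failure pattern Fail2ban's filter looks for (constructed).
FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")

# Constructed /var/log/auth.log excerpt: 1.2.3.4 hammers the server, 5.6.7.8 fails slowly.
SAMPLE_LOG = """\
Jan 15 09:50:00 srv sshd[801]: Failed password for root from 5.6.7.8 port 40001 ssh2
Jan 15 10:00:01 srv sshd[811]: Failed password for invalid user admin from 1.2.3.4 port 51234 ssh2
Jan 15 10:00:04 srv sshd[812]: Failed password for root from 1.2.3.4 port 51235 ssh2
Jan 15 10:00:05 srv sshd[813]: Accepted publickey for charith from 10.0.0.5 port 40000 ssh2
Jan 15 10:00:07 srv sshd[814]: Failed password for invalid user test from 1.2.3.4 port 51236 ssh2
Jan 15 10:00:09 srv sshd[815]: Failed password for root from 1.2.3.4 port 51237 ssh2
Jan 15 10:05:00 srv sshd[816]: Failed password for root from 5.6.7.8 port 40002 ssh2
Jan 15 10:20:00 srv sshd[817]: Failed password for root from 5.6.7.8 port 40003 ssh2
"""

def scan(log_text):
    """Replay the log in order. Returns ({ip: time banned}, [(ip, time) refused while banned])."""
    recent = defaultdict(deque)      # ip -> timestamps of failures still inside FINDTIME
    bans, refused = {}, []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue                 # successful logins and other noise do not count
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")   # syslog lines carry no year
        ip = m.group(2)
        if ip in bans and ts < bans[ip] + BANTIME:
            refused.append((ip, ts)) # step 6: the firewall rule already rejects this IP
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FINDTIME:     # slide the window: forget stale failures
            window.popleft()
        if len(window) >= MAXRETRY:          # steps 4-5: "this IP failed 3 times" -> ban
            bans[ip] = ts
            window.clear()
    return bans, refused

if __name__ == "__main__":
    bans, refused = scan(SAMPLE_LOG)
    print({ip: f"{ts:%H:%M:%S}" for ip, ts in bans.items()}, "refused:", refused)
```

Note that 5.6.7.8 also fails three times but never three times within the 10-minute window, so it is not banned; findtime is what separates a brute-force from an occasional typo.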


🤯

Did You Know?

Any public-facing Linux server receives hundreds of automated SSH login attempts per day. This isn't personal — bots constantly scan the entire internet looking for weak servers. Fail2ban, SSH hardening, and ufw work together to make these attempts useless.

DNS — The Internet's Phonebook

Every website has an IP address. Google is at 142.250.80.46. But nobody remembers that. DNS (Domain Name System) translates domain names into IP addresses automatically.

💡
Think of it this way...
You want to call your friend but only know their name, not their number.

You → phonebook → "what's John's number?"
Phonebook → "John's number is 555-1234"
You → call 555-1234

DNS is the phonebook. Domain names are names. IP addresses are phone numbers.

How DNS resolution works step by step

1. You type google.com in your browser
   Browser asks the OS: what's google.com's IP?

2. OS asks the local DNS resolver
   On Ubuntu servers, that's systemd-resolved at 127.0.0.53:53

3. Local resolver checks its cache
   Recently looked up? Return cached answer immediately. Otherwise...

4. Asks a Root DNS server
   "Who handles .com domains?"

5. Root says 'ask Verisign'
   Verisign handles all .com registrations

6. Verisign says 'ask Google's nameserver'
   google.com's own authoritative nameserver

7. Google says '142.250.80.46'
   The actual IP address

8. Your browser connects to 142.250.80.46
   All of this takes ~20–50ms. You never see it.
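As an added example (not part of the original page), the Python below simulates steps 3 to 7 offline: a tiny iterative resolver follows referrals from an in-memory "root" to a "verisign" .com server to Google's nameserver, caches the answer with a TTL, and on the next lookup returns it without asking anyone. The three servers, their records and the TTL are constructed stand-ins, not real DNS data beyond the IP the page itself quotes.

```python
import time

# Constructed in-memory stand-ins for the three servers in the walk above. Each maps a
# name to a referral ("NS": ask that server next) or a final address ("A").
SERVERS = {
    "root":      {"com.": ("NS", "verisign")},                 # steps 4-5: root delegates .com
    "verisign":  {"google.com.": ("NS", "google-ns")},         # step 6: .com delegates google.com
    "google-ns": {"google.com.": ("A", "142.250.80.46")},      # step 7: the authoritative answer
}
TTL = 300   # seconds a cached answer stays valid (constructed; real records carry their own TTL)

def ask(server, qname):
    """One query to one server. The server answers with the most specific record it
    holds for the name or for one of its parent zones (google.com. -> com.)."""
    labels = qname.split(".")
    for i in range(len(labels) - 1):
        hit = SERVERS[server].get(".".join(labels[i:]))
        if hit:
            return hit
    return ("NXDOMAIN", None)

class Resolver:
    """Iterative resolver with a TTL cache, the role systemd-resolved plays at 127.0.0.53."""
    def __init__(self, now=time.time):
        self.cache, self.now = {}, now            # now() is injectable so tests can age entries

    def resolve(self, name):
        """Return (ip_or_None, [servers asked]); an empty list means the cache answered."""
        qname = name if name.endswith(".") else name + "."
        cached = self.cache.get(qname)
        if cached and cached[1] > self.now():      # step 3: fresh cached answer, no network
            return cached[0], []
        trail, server = [], "root"
        while True:
            rtype, data = ask(server, qname)
            trail.append(server)
            if rtype == "NS":
                server = data                      # referral: follow the delegation chain
                continue
            ip = data if rtype == "A" else None    # NXDOMAIN is cached too (negative caching)
            self.cache[qname] = (ip, self.now() + TTL)
            return ip, trail

if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("google.com"))   # walks root -> verisign -> google-ns
    print(r.resolve("google.com"))   # answered from cache, no servers asked
```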


💡

Key Takeaway

Port 53 is the DNS port. Your Ubuntu server runs a local DNS resolver (systemd-resolved) at 127.0.0.53:53 — so when apt needs to find archive.ubuntu.com, it uses its own local DNS first.

Key Concepts Flashcards


What is a port?

A number (1–65535) that identifies which service on a server an incoming connection wants. IP = building address, Port = apartment number.

What port does SSH use?

Port 22. HTTP = 80, HTTPS = 443, MySQL = 3306, PostgreSQL = 5432. Ports 1–1024 are 'privileged' — only root can open them.

What is ufw?

Uncomplicated Firewall — Ubuntu's firewall tool. When enabled: blocks all incoming by default, allows all outgoing. You explicitly allow what you need: sudo ufw allow 22

What is SSH hardening?

Changing /etc/ssh/sshd_config to make SSH harder to attack: PermitRootLogin no, PasswordAuthentication no, MaxAuthTries 3, AllowUsers charith

What is Fail2ban?

Watches auth logs for failed login attempts. After too many failures from one IP, it automatically adds a firewall rule to ban that IP. Stops brute-force attacks automatically.

What is DNS?

Domain Name System — the internet's phonebook. Translates domain names to IP addresses. You type google.com, DNS returns 142.250.80.46. All happens in ~20ms automatically.

What is systemd-resolved?

A local DNS resolver that runs on Ubuntu servers (listens on 127.0.0.53:53). It caches DNS results for the server itself and handles lookups when apt, curl, etc. need to find servers.