Why deny incoming by default?

Because every open port is something an attacker can probe, and a fresh server often has more listening than you think - a database, a metrics endpoint, a dev server. Denying all incoming traffic by default and then allowing only the handful of ports you actually serve means the rest of the machine is simply unreachable from the internet, no matter what is running on it. It is the single highest-leverage thing you can do to harden a box.

Will enabling the firewall lock me out of SSH?

Only if you forget to allow your SSH port first - which is why the generated commands always allow SSH before enabling the firewall. Double-check the SSH port matches what you actually use (especially if you moved it off 22), keep a second session open the first time you enable it, and if your provider has a web console you can recover there if something goes wrong.

What does rate-limiting SSH do?

ufw limit on the SSH port blocks an address that makes too many connection attempts in a short window - the standard defense against brute-force password guessing. Combined with key-only authentication, it makes automated SSH attacks, which hit every public server constantly, a non-issue.

Free tool · Runs in your browser

Lock down your server.

A fresh box listens on more than you think, and every open port is an invitation. Pick what you actually serve and get UFW commands that deny everything else by default — the single highest-leverage thing you can do to harden a server you own.

SSH port

Restrict SSH to this IP (optional)

Allow HTTP (80) Allow HTTPS (443) Rate-limit SSH (brute-force protection)

Other ports to allow (comma-separated)

Every open port is a door

Hardening a server sounds like a project; the firewall is the 80/20. Internet-wide scanners hit every public IP constantly, cataloguing open ports and the software behind them, and the things that get breached are almost always things that didn't need to be reachable in the first place — a database on a default port, an admin panel, a forgotten dev server. Deny-by-default makes all of that simply invisible, and you allow back only the two or three ports you actually serve.

Setting it once is a copy-paste. Knowing the policy is still in place on every host, that a deploy didn't quietly open a port, and that the box matches the rules you intended — that ongoing assurance, across everything you run, is the part a control plane keeps honest.

Related free tools

SSH hardening generatorLock down sshd_config Security headers checkerGrade your headers Secrets scannerFind leaked secrets

All free tools →

Close the doors. Keep them closed.

Infraveil watches the security posture of every host you own — ports, rules, and drift — and proves it stayed locked down with a tamper-evident record, so a one-time hardening doesn't quietly come undone.

See how it works

Get the server-hardening playbook

Firewall, SSH, and the basics that stop most attacks on a box you own. No spam.