The principle of least privilege (PoLP) is one of the cornerstones of cybersecurity. It ensures that users, systems, and processes only have the minimum permissions they need to perform their tasks. This reduces the attack surface and minimizes the risk of breaches.
In this article, we will explore PoLP through the practical setup of firewall rules on a Linux server using the open-source tool UFW (Uncomplicated Firewall). Understanding how to apply these principles builds skills that are essential for landing your next role in cybersecurity.
Install and Enable UFW
Prerequisites
Before diving into the setup, ensure you have:
- A basic understanding of Linux command-line operations.
- Access to a Linux server (Ubuntu/Debian-based systems work best for UFW).
- An account with sudo privileges.
Installation
UFW may already be present on your machine, but in case it's not, below is the command to install it.
Now, we need to enable it.
To verify, we can run the command below.
From the output shown above, it is clear that incoming is set to "deny", so no inbound connection is allowed unless it is explicitly permitted, while outgoing connections are allowed.
Allow Essential Services
Identify the services your server needs to provide. For example, if it's a web server, you'll likely need to allow HTTP (port 80) and HTTPS (port 443) traffic. You will also want to allow SSH (port 22); otherwise you won't be able to SSH into your machine.
Below is the command to allow traffic on these ports.
After allowing traffic on these ports, checking the status again will show something like this.
Restrict SSH Access
As you saw above, we allowed traffic on port 22 because otherwise we would lose access to our machine if there were no other means to connect to it. Doing so, however, exposes this port to everyone who knows the IP address of the machine: threat actors can try to brute-force the password of our SSH authentication and may even gain access after guessing it. The question, then, is how we can restrict access to only the few people who should reach this machine. The answer is that we can restrict, using our firewall, which IPs are allowed to connect. Limit SSH to specific IP addresses (e.g., your office or home IP) using the command below.
In the above command, we enter our own IP and the SSH port that is already configured on the machine. It does not have to be port 22; it can be any non-standard SSH port.
Test Firewall Rules
Testing is critical to ensure your setup follows PoLP. Use tools like nmap to test for open ports. You can install nmap on Linux using the command below.
On macOS, you can use brew to install it.
After installing nmap, we can run it against our machine and it will report the open ports, which lets us verify our firewall rules.
As you can see, the only open ports are the ones we opened specifically for our own use. That is how we limit port exposure to the rest of the world and secure our machines.
Rate Limiting
We limited the source IPs that can access our machine, but suppose we want to keep SSH open to the whole world while still preventing anyone from brute-forcing it. To handle this case, we apply rate-limiting rules through our firewall, which we can do by running the command below.
This restricts connections to six attempts in 30 seconds. If an IP exceeds this rate, further attempts are blocked temporarily. The rule now looks like this (see the Action column).
Segmenting Network Access by IP Range
Another way to enforce least privilege is by allowing access only from specific IP ranges. For example, if a MySQL service should only be accessible from a specific subnet (e.g., a corporate network with the range 192.168.1.0/24):
This restricts access to the MySQL database port (3306) to clients in the specified subnet only.
Allow/Deny Specific Protocols
Sometimes you might want to limit traffic to specific protocols, such as ICMP (ping). Allowing ICMP can help with network diagnostics.
Alternatively, we can block ICMP so that the machine reveals less about itself to the network, e.g.
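The whole walkthrough above, collected into one reviewable plan, as an added example that is not part of the original article: the script prints the UFW commands in the order they should be applied (deny-all baseline, SSH rule, service rules, then enable) and only runs them when passed `--apply`. `ADMIN_IP`, `SSH_PORT` and `DB_SUBNET` are placeholders to replace with your own values; the `restrict`/`limit` modes correspond to the two SSH hardening options discussed above.

```shell
#!/bin/sh
# Added example (not from the original article): build the UFW rule set as
# an ordered list of commands so the plan can be reviewed before applying.

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"      # placeholder: your office/home IP
SSH_PORT="${SSH_PORT:-22}"                # any port, not necessarily 22
DB_SUBNET="${DB_SUBNET:-192.168.1.0/24}"  # subnet allowed to reach MySQL

# polp_rules MODE -> prints ufw commands on stdout. MODE is "restrict"
# (SSH only from ADMIN_IP) or "limit" (SSH open to all, but rate limited).
polp_rules() {
    mode="$1"
    case "$SSH_PORT" in
        ''|*[!0-9]*) echo "SSH_PORT must be numeric" >&2; return 1 ;;
    esac
    # Baseline: deny everything inbound, allow everything outbound.
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    # The SSH rule must exist BEFORE enable, or enabling locks you out.
    case "$mode" in
        restrict) echo "ufw allow from $ADMIN_IP to any port $SSH_PORT proto tcp" ;;
        limit)    echo "ufw limit $SSH_PORT/tcp" ;;   # 6 hits / 30 s per source
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    # Web server role: HTTP and HTTPS reachable from anywhere.
    echo "ufw allow 80/tcp"
    echo "ufw allow 443/tcp"
    # MySQL only from the trusted subnet, never from the world.
    echo "ufw allow from $DB_SUBNET to any port 3306 proto tcp"
    # Enable last, after the SSH rule exists; --force skips the prompt.
    echo "ufw --force enable"
}

# Self-check: number of rules that open a port to ANY source.
# The MySQL rule must never be counted here (it is subnet-scoped).
world_open_rules() {
    polp_rules "$1" | grep -c -E '^ufw (allow|limit) [0-9]+/'
}

# Apply only when explicitly asked; otherwise just print the plan.
if [ "$1" = "--apply" ]; then
    polp_rules "${2:-restrict}" | while IFS= read -r cmd; do sudo $cmd; done
fi
```

Run `sh polp.sh` to print the plan and `sh polp.sh --apply limit` to execute it; after applying, re-run `ufw status` and an nmap scan from outside, as described above, to confirm only the intended ports answer.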
Conclusion
In conclusion, mastering the principle of least privilege and applying it through tools like UFW is a critical step toward building a secure infrastructure. By restricting access to only what is necessary, regularly auditing rules, and leveraging advanced features like rate limiting and IP-based segmentation, you not only minimize vulnerabilities but also develop hands-on expertise highly valued in cybersecurity roles. Take these concepts, apply them to real-world scenarios, and solidify your path toward becoming a cybersecurity professional.