Cloud Firewall and Security Group Checklist

By admin, June 15, 2026


Cloud firewall rules and security groups decide what traffic can reach your VPS from the internet. They are a separate layer from application passwords and from Nginx routing. This checklist helps you design safe network exposure.

Core principle

Only expose what must be public. Everything else should be private, local or protected behind a reverse proxy, VPN or access control.

Checklist

  1. List services running on the server.
  2. Mark which services need public access.
  3. Allow SSH only as needed.
  4. Allow HTTP and HTTPS for websites.
  5. Do not expose database ports publicly.
  6. Do not expose internal Docker app ports unless required.
  7. Use Nginx reverse proxy for dashboards when possible.
  8. Review provider firewall and UFW together.
  9. Document every open port.
  10. Review rules after every new service deployment.

Reusable lesson

Security starts with reducing exposed surface. If attackers cannot reach a service, they have fewer ways to abuse it.

Checklist Type: Security
Level: Intermediate
Risk Level: High Risk
Estimated Time: 30–60 minutes

When to Use This Checklist

Use this checklist when configuring a provider firewall, UFW, security groups or any other control over network exposure for a VPS.

Required Tools

Cloud provider firewall, UFW, SSH access, service list, Nginx, Docker port list, recovery console

Before You Start

Make sure you have console recovery access before tightening SSH or firewall rules.

Structured Checklist Steps

  1. List services.
  2. Identify public services.
  3. Allow SSH intentionally.
  4. Allow HTTP.
  5. Allow HTTPS.
  6. Block database ports.
  7. Block internal app ports.
  8. Use reverse proxy.
  9. Review UFW and provider firewall.
  10. Document open ports.
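Steps 1, 2 and 10 above amount to comparing what is actually listening with the documented list of public ports. The script below is an added example (not part of the original checklist) that does that comparison over constructed `ss -tulpn` output for a hypothetical VPS; the allowed-port list, sample listeners and process names are assumptions.

```shell
#!/bin/sh
# Constructed `ss -tulpn` output for a hypothetical VPS (not a real host);
# in real use replace SAMPLE_SS with "$(sudo ss -tulpn)".
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22      0.0.0.0:*   users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80      0.0.0.0:*   users:(("nginx",pid=900,fd=6))
tcp   LISTEN 0      511    0.0.0.0:443     0.0.0.0:*   users:(("nginx",pid=900,fd=7))
tcp   LISTEN 0      80     0.0.0.0:3306    0.0.0.0:*   users:(("mysqld",pid=1200,fd=21))
tcp   LISTEN 0      4096   0.0.0.0:9000    0.0.0.0:*   users:(("docker-proxy",pid=1500,fd=4))
tcp   LISTEN 0      128    127.0.0.1:6379  0.0.0.0:*   users:(("redis-server",pid=1300,fd=6))'

# The documented public ports (checklist step 10, assumed for this example).
# Anything else listening on a non-loopback address is undocumented exposure.
ALLOWED_PUBLIC_PORTS="22 80 443"

# Print "port process" for each listener reachable from outside that is not documented.
find_undocumented_exposure() {
  printf '%s\n' "$1" | awk -v allowed="$ALLOWED_PUBLIC_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                                    # skip the ss header line
    {
      n = split($5, parts, ":"); port = parts[n]        # port is after the last colon
      addr = substr($5, 1, length($5) - length(port) - 1)
      if (addr == "127.0.0.1" || addr == "[::1]") next  # loopback only: not reachable
      if (port in ok) next                              # documented public port
      proc = "unknown"
      if (match($7, /"[^"]+"/)) proc = substr($7, RSTART + 1, RLENGTH - 2)
      print port, proc
    }'
}

# Suggest the fix for one flagged listener. A docker-proxy owner means the port
# was published with -p; Docker programs its own iptables rules, which UFW does
# not filter, so "ufw deny" alone is not enough for those.
remediation_hint() {
  case "$2" in
    docker-proxy) echo "port $1 ($2): Docker-published, bypasses UFW; republish on 127.0.0.1:$1 behind Nginx or block at the provider firewall" ;;
    *)            echo "port $1 ($2): bind the service to 127.0.0.1, then sudo ufw deny $1" ;;
  esac
}

# Run the audit over the sample and print one hint per undocumented listener.
find_undocumented_exposure "$SAMPLE_SS" | while read -r port proc; do
  remediation_hint "$port" "$proc"
done
```

Re-run it after every new deployment (step 10 of the first checklist); any new line in its output is a port that was opened without being documented.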

Rollback Plan

If firewall changes block access, use the provider console to restore the previous rules or to temporarily disable the restrictive rule.

Common Mistakes

  • Opening all ports.
  • Exposing MySQL publicly.
  • Forgetting provider firewall and UFW can both apply.
  • Exposing Docker dashboards directly.
  • No documentation of open ports.

Related Commands

sudo ufw status numbered    # current UFW rules, numbered so they can be deleted by index
sudo ss -tulpn              # listening TCP/UDP sockets with the owning process
sudo ufw allow 80           # HTTP
sudo ufw allow 443          # HTTPS
sudo ufw deny 3306          # MySQL must not be reachable from the internet
docker ps                   # running containers and the host ports they publish
