Firewall Setup for Offshore VPS: Ports, Rules and Testing

Step-by-Step Tutorial

What you will set up

By the end, your offshore VPS will have a working firewall. It will block traffic you don’t want, while still letting in SSH (so you can log in) and your website (ports 80 and 443).

Do one step at a time. The golden rule: allow SSH before you turn the firewall on, and keep one terminal window open until you are sure you can still log in. That way you can never lock yourself out.

  • What you need: An Ubuntu or Debian VPS and SSH access.
  • Where you work: The VPS over SSH.
  • Why do it: Close stray ports and keep your server safer.

Before you start

The goal: set up a firewall on your offshore VPS that blocks everything by default, then opens only the ports you actually use.

We will use ufw (Uncomplicated Firewall). It is the easiest firewall tool on Ubuntu and Debian, and it sits on top of the system’s built-in iptables.

  • Keep your server IP, username, and password (or SSH key) ready.
  • Know how to open the VPS console in your hosting panel — this is your safety net if SSH ever stops working.
  • Open a notes file and write down every rule you add.
  • Keep one SSH terminal open the whole time. Do not close it until you have tested that a fresh login still works.

Where does each change happen?

Almost everything here happens in one place: your SSH terminal on the VPS. Here is the simple rule:

  • Firewall rules → the SSH terminal, using ufw commands.
  • If you get locked out → the VPS console in your hosting panel.
  • Checking which ports are open → the SSH terminal, using ss.

[Figure: map showing where each firewall step happens on an offshore VPS.]

The steps

Run these only on your own server. If your server uses a managed panel, check with support before changing system-level settings.

Step 1: Install ufw and set safe defaults

First install ufw. Then set it to block all incoming traffic by default, but allow your server to reach out (so updates and your website still work). Setting defaults does not turn the firewall on yet — that comes later.

apt install ufw -y
ufw default deny incoming
ufw default allow outgoing

Check: each command should print a short confirmation like “Default incoming policy changed to ‘deny’”.

Step 2: Allow the ports you actually need

This is the most important step. Allow SSH first, before anything else, so you keep your way in. Then allow the web ports: 80 for HTTP and 443 for HTTPS.

ufw allow OpenSSH
ufw allow 80/tcp
ufw allow 443/tcp

Check: each command prints “Rules updated”. If you don’t run a website, you can skip the 80 and 443 lines.

Step 3: Turn the firewall on

Now switch it on. It will warn that this may disrupt SSH — that is fine, because you allowed SSH in Step 2. Type y to continue.

ufw enable

Check: it should say “Firewall is active and enabled on system startup”. Do not close your terminal yet — first open a second SSH session to confirm you can still log in.

Step 4: Check the rules

Look at exactly what is allowed. This confirms SSH, 80, and 443 are open and everything else is blocked.

ufw status verbose

Check: you should see “Status: active”, the default set to deny incoming, and your allowed ports listed.

Extra commands you may need

See which ports are actually listening

ss -tulpn

This shows every port your server is really listening on, and which program owns it. Useful for spotting a service you forgot about — if a port is listening but you never allowed it in ufw, it stays blocked from the outside.

List rules with numbers (so you can delete one)

ufw status numbered

This shows each rule with a number next to it. To remove a rule, use that number, for example ufw delete 3. Always run the numbered list again afterwards to confirm.

Keep short notes as you go

While you work, jot down each rule: what you opened, why, and the time. For example: “Allowed 443/tcp for HTTPS at 10:30, website still loads.” It sounds small, but it saves a lot of confusion later when you wonder why a port is open.

If you run firewall commands, paste the output into your notes too. Then if you ask support for help, you can show the exact command, the exact result, and the exact time.

If a step fails, how to undo it

Always have a way back. The safest move is to allow SSH again from the VPS console with ufw allow OpenSSH. To remove a single rule, use ufw status numbered then ufw delete N. If you ever need to start over, ufw reset clears all rules — just remember to allow SSH again before re-enabling. Don’t change ten things at once.

[Figure: final testing checklist after setting up the firewall on an offshore VPS.]

How to test after setup

  1. Open a second SSH session to the server — you should still be able to log in.
  2. Open your website in a private browser window over HTTPS.
  3. Run ufw status verbose and confirm only the ports you wanted are open.
  4. Run ss -tulpn and check nothing unexpected is listening.
  5. Check the HTTPS padlock loads with no browser warning.
  6. Only after all of this passes, close your original terminal.
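
The cross-check in steps 3 and 4, as an added example that is not part of the original tutorial: it parses `ss -tulpn` and `ufw status` output and labels each port OPEN, BLOCKED or STALE. The sample outputs are constructed, the function names are hypothetical, and mapping the OpenSSH profile to 22/tcp is an assumption.

```sh
# Added example: compare what is listening (ss) with what ufw allows.
# Live use as root:  audit "$(ss -tulpn)" "$(ufw status)"
# Constructed, abridged sample outputs, not taken from a real server.
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0 128 0.0.0.0:22       0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 511 0.0.0.0:80       0.0.0.0:* users:(("nginx",pid=901,fd=6))
tcp   LISTEN 0 511 0.0.0.0:443      0.0.0.0:* users:(("nginx",pid=901,fd=7))
tcp   LISTEN 0 151 127.0.0.1:3306   0.0.0.0:* users:(("mysqld",pid=950,fd=21))
tcp   LISTEN 0 511 *:6379           *:*       users:(("redis-server",pid=977,fd=6))
tcp   LISTEN 0 128 [::]:22          [::]:*    users:(("sshd",pid=812,fd=4))'
UFW_SAMPLE='Status: active
To                         Action      From
OpenSSH                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)'

# Print "port/proto" for each listener not bound to loopback only.
listeners() {
  awk '$1 == "tcp" || $1 == "udp" {
         addr = $5; port = $5
         sub(/.*:/, "", port); sub(/:[^:]*$/, "", addr)   # split at the last colon
         if (addr ~ /^127\./ || addr == "[::1]") next      # loopback only
         print port "/" $1
       }' | LC_ALL=C sort -u
}

# Print "port/proto" for each IPv4 ALLOW rule. Assumption: the OpenSSH
# profile is the stock one (22/tcp); rules without a protocol are skipped.
allowed() {
  awk '$2 == "ALLOW" {
         if ($1 == "OpenSSH") print "22/tcp"
         else if ($1 ~ /^[0-9]+\/(tcp|udp)$/) print $1
       }' | LC_ALL=C sort -u
}

# OPEN: listening and allowed. BLOCKED: listening, no rule. STALE: rule, no listener.
audit() {  # $1 = ss output, $2 = ufw status output
  l=$(mktemp); a=$(mktemp)
  printf '%s\n' "$1" | listeners > "$l"
  printf '%s\n' "$2" | allowed > "$a"
  LC_ALL=C comm -12 "$l" "$a" | sed 's/^/OPEN /'
  LC_ALL=C comm -23 "$l" "$a" | sed 's/^/BLOCKED /'
  LC_ALL=C comm -13 "$l" "$a" | sed 's/^/STALE /'
  rm -f "$l" "$a"
}
audit "$SS_SAMPLE" "$UFW_SAMPLE"
```

BLOCKED only means no ufw rule matches the port; traffic that does not pass through ufw's chains, such as Docker-published ports, is not covered by this comparison. A STALE line is a rule worth deleting with ufw delete N if no service is meant to use it.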

Quick troubleshooting

| Problem | Likely reason | What to do |
|---|---|---|
| Locked out of SSH | SSH was not allowed before enabling | Open the VPS console and run ufw allow OpenSSH |
| Website won’t open | Web ports are still blocked | Run ufw allow 80/tcp and ufw allow 443/tcp |
| A rule won’t delete | Using the wrong format or number | Run ufw status numbered, then ufw delete N |

Final checklist

  • ufw installed.
  • Default set to deny incoming, allow outgoing.
  • SSH allowed before enabling.
  • Web ports (80 and 443) allowed if needed.
  • Firewall enabled and a fresh SSH login confirmed.

FAQ

Can I follow this without much experience?

Yes — just allow SSH before you enable the firewall, and keep one terminal open until you have tested a fresh login. If you are not comfortable with SSH, pick managed hosting or ask support to set it up.

Will a firewall improve my Google ranking?

Not on its own. A firewall keeps your server safer and more stable, which supports SEO, but your content and backlinks are what actually decide your ranking.

What should I send to support if something breaks?

Send your server IP, the output of ufw status verbose, the exact error or what you can’t reach, and the last rule you changed.
