💎 Earn 45%—Join Hostman Affiliate Program!
SupportContact Sales
English
Solutions
Community
Sign In
Sign In

How to Set Up a Firewall with UFW on Ubuntu

How to Set Up a Firewall with UFW on Ubuntu
Mohammad Waqas Shahid
Technical writer
Ubuntu Firewall
02.04.2024
Reading time: 11 min
Share

In this comprehensive tutorial, users are guided through the process of setting up a robust firewall using the Uncomplicated Firewall (UFW) on Ubuntu. UFW provides an intuitive interface for managing netfilter firewall rules, offering an accessible solution for securing Ubuntu systems effectively.

Introduction to UFW

UFW, or Uncomplicated Firewall, is a user-friendly interface for managing iptables, the standard firewall management tool for Linux systems. It simplifies the process of creating and managing firewall rules, making it accessible even to users with limited networking knowledge.

Understanding Firewall Basics

Before diving into the configuration process, it's essential to understand some fundamental concepts related to firewalls and how they operate.

What is a Firewall?

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and untrusted external networks, such as the internet.

On Hostman, you can set up a cloud firewall that provides cutting-edge defense tailored for businesses of all sizes.

Types of Firewalls

There are several types of firewalls, including packet-filtering firewalls, stateful inspection firewalls, proxy firewalls, and application layer firewalls. Each type operates differently but serves the common purpose of protecting networks and systems from unauthorized access and malicious activity.

Creating Account and Server on Hostman

To kick off the process, prospective server hosts are encouraged to visit the official Hostman website. Sign up for a new account by providing essential details and create a strong password. Following this, check your email for a verification link, click on it, and swiftly log in to your Hostman account.

Image1

Within the Hostman control panel, the user-friendly interface offers to start a new server. By navigating to the Create button, users can initiate the server creation process. Select the parameters you need, including software (for the purposes of this guide, we need a server with the Ubuntu operating system), configuration, geographical region, and backups, choose the project for this server, then click Order to create your server. 

The server will be installed in a couple of minutes and you will see the server's dashboard. Later on, to find your server you can go directly to Cloud servers or to the project the server is added to. 

234567

Click on your server, start it by the play button and scroll down to see the SSH command and root password for your Ubuntu server.

593f4dc2 53df 4468 8352 F2309e4ffb7f

Accessing Your Server

Access the server through the web-based terminal provided by Hostman or use preferred SSH client. For this tutorial accessing through SSH is used.

Image5

Updating System Packages

The following code is to be written in terminal to update system packages of Ubuntu:

sudo apt-get update
sudo apt-get upgrade

Image7

Type “y” and hit Enter.

Did you know?

Some architectures combine Kubernetes managed services for stateless applications with an Ubuntu server for background jobs and system-level tasks. Hostman offers low priced tariffs for Linux VPS.

After the upgrade, the following screen may appear. (If there is nothing to upgrade on your server, i/e. you already had the latest versions of the installed packages, you will not see this window and can proceed to the next step.)

Image6

In this popup, you are prompted to select which services should be restarted after the installation process. The services listed are part of the systemd system and are related to various system functionalities.

Here's a brief explanation of the options:

  • systemd-journald.service: The journal service, which handles system logs.

  • systemd-logind.service: The login service, which manages user logins.

  • systemd-manager: The service manager for the system.

  • systemd-networkd.service: The network service, responsible for network configuration.

  • systemd-resolved.service: The DNS resolver service.

  • systemd-timesyncd.service: The time synchronization service.

  • unattended-upgrades.service: A service for automatically applying package updates.

  • user@0.service: A user-specific service (user 0 refers to the root user).

Given the importance of network-related services for firewall functionality, it is recommended to restart the following services after the upgrade:

  • systemd-networkd.service: This service is responsible for network configuration. Restarting it ensures that any changes made during the upgrade, particularly those related to networking or firewall rules, take effect.

  • systemd-resolved.service: The DNS resolver service handles DNS resolution. Restarting it is advisable if there were changes to DNS configurations or updates to the DNS resolver service, which could impact firewall rules that rely on domain name resolution.

  • systemd-timesyncd.service: The time synchronization service ensures accurate timekeeping on the system. Proper time synchronization is crucial for security measures such as certificate validation and timestamping of firewall logs.

These services are crucial for maintaining system functionality and security, especially in the context of firewall configuration. 

Installing UFW on Ubuntu

Before starting the firewall configuration, it's essential to ensure that UFW is installed on your Ubuntu system. Here's how to do it:

Checking UFW Installation Status

Open the terminal and run the following command to check if UFW is installed:

sudo ufw status

You should see the status Active (running). If the status is inactive, start the service using the command:

sudo ufw enable

If UFW is not installed, the terminal will output the message Command ‘ufw’ not found. Follow the instruction below to install it.

Installing UFW

Install UFW by executing the following commands in the terminal:

sudo apt update
sudo apt install ufw

After completing the installation, recheck the status by typing:

sudo ufw status

Did you know?

Backend services commonly use MySQL hosting solutions to simplify backups and updates. Application logic and APIs can then be deployed as cloud apps on a managed Application Platform with minimal operational effort.

Basic Firewall Configuration with UFW

Once UFW is installed, it's time to configure the basic firewall settings. Here's how to get started:

Enabling UFW

Activate UFW by running the following command in the terminal:

sudo ufw enable

You will receive a confirmation message indicating that the firewall is now operational.

Allowing SSH Access

If SSH access is not permitted by default, allow SSH connections using the command:

sudo ufw allow ssh

Permitting Specific Ports

To enable specific ports for various services such as web servers or database servers, use the command:

sudo ufw allow <port_number>

Replace <port_number> with the designated port number you wish to allow.

Advanced UFW Configuration

For advanced users looking to customize their firewall settings, UFW offers a range of configuration options:

Denying Incoming Connections

For enhanced security, deny all incoming connections by default and allow only designated ones:

sudo ufw default deny incoming

Allowing Outgoing Connections

Allow all outgoing connections by default:

sudo ufw default allow outgoing

Implementing Custom Rules

Define custom rules based on specific requirements:

sudo ufw <rule>

Below are examples of configuring custom rules in UFW for various scenarios, including allowing SSH, HTTP/HTTPS, specifying port ranges, and denying access based on IP addresses or subnets:

Allowing SSH Connections

To allow SSH connections, you can use the service name or specify the port number:

sudo ufw allow ssh

Or:

sudo ufw allow 22

Allowing HTTP and HTTPS Connections

To allow HTTP and HTTPS traffic, use the respective service names or port numbers:

sudo ufw allow http
sudo ufw allow https

Or:

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

Allowing Access to a Specific Port Range

To allow access to a range of ports, specify the port range:

sudo ufw allow 8000:9000/tcp

Allowing Access from Specific IP Addresses or Subnets

To allow access from specific IP addresses or subnets, specify the IP address or subnet:

sudo ufw allow from 192.168.1.100
sudo ufw allow from 192.168.0.0/16

Denying Access to a Specific Port

To deny access to a specific port, use the deny command:

sudo ufw deny 1234

Denying Access from Specific IP Addresses or Subnets

To deny access from specific IP addresses or subnets, use the deny command:

sudo ufw deny from 10.0.0.1
sudo ufw deny from 172.16.0.0/24

Denying All Incoming Connections (Except Allowed Ones)

To deny all incoming connections by default and allow only specific ones, use the default deny command:

sudo ufw default deny incoming

Allowing All Outgoing Connections

To allow all outgoing connections by default, use the default allow command:

sudo ufw default allow outgoing

These examples demonstrate how to configure custom rules in UFW for different scenarios, including allowing or denying access based on services, ports, IP addresses, and subnets. Customise these rules according to your specific requirements to enhance the security and control of your firewall configuration.

A Brief Guide for Requirements for Custom Rules

Following is a brief elaboration on which requirements may necessitate specific customizations in firewall rules to enhance security and control:

  1. Requirement: Secure Remote Access

Allowing SSH access (port 22) for remote administration while restricting access from specific IP addresses or subnets to prevent unauthorised access.

  1. Requirement: Hosting Web Services

Allowing HTTP (port 80) and HTTPS (port 443) traffic to host web services, while potentially restricting access to specific IP addresses or subnets to limit exposure to the public internet.

  1. Requirement: Application with Specific Port Range

Allowing access to a range of ports required by a specific application (e.g., ports 8000-9000) while denying access to all other ports to reduce attack surface.

  1. Requirement: Network Segmentation

Defining rules to allow communication between different segments of the network while denying access from external networks to sensitive segments to enforce network segmentation and control.

  1. Requirement: Denial of Service (DoS) Protection

Implementing rate-limiting rules to mitigate DoS attacks by limiting the number of incoming connections per second from specific IP addresses or subnets.

  1. Requirement: Compliance with Regulatory Standards

Implementing firewall rules to enforce compliance with regulatory standards (e.g., PCI DSS, HIPAA) by restricting access to sensitive data and ensuring secure communication channels.

  1. Requirement: Log Monitoring and Analysis

Enabling logging for specific firewall rules to monitor and analyze network traffic for security incidents, compliance audits, and troubleshooting purposes.

  1. Requirement: Application-Specific Rules

Defining application-specific rules based on the requirements of the deployed applications, such as allowing access to database ports only from application servers.

  1. Requirement: BYOD (Bring Your Own Device) Policies

Implementing rules to allow access for authorised devices while restricting access for unauthorised devices based on device attributes or user credentials.

  1. Requirement: High Availability and Failover

Configuring redundant firewall rules across multiple firewall instances to ensure high availability and failover in case of hardware or network failures.

These customizations align with best practices and address specific requirements to enhance security, control, and compliance in firewall configurations without technical errors or inaccuracies.

Cloud tip:

For test deployments and small projects, consider renting a server with minimum configuration that scales smoothly as your needs grow.

Testing Firewall Configuration

After configuring the firewall, it's essential to verify that the rules are applied correctly and test connectivity:

Verifying Firewall Rules

Ensure the correct application of firewall rules:

sudo ufw status verbose

Testing Connectivity

Conduct connectivity tests to verify that permitted connections function as intended. Users can do this by attempting to establish connections to services running on the system from both local and remote hosts.

Monitoring and Managing UFW

Once the firewall is configured, it's important to monitor and manage UFW to ensure optimal security.

Checking UFW Status

Monitor the status of UFW at any time:

sudo ufw status

Disabling UFW

Temporarily disable UFW when necessary:

sudo ufw disable

Logging Firewall Activity

Enable logging to monitor firewall activity and identify potential security threats:

sudo ufw logging on

Conclusion

Implementing a firewall using UFW on Ubuntu is crucial for enhancing system security and safeguarding against potential threats. By following the steps outlined in this tutorial, users can effectively configure and manage their firewall settings, ensuring the protection of their Ubuntu systems. With UFW's user-friendly interface and powerful capabilities, users can easily create and enforce firewall rules to control network traffic and prevent unauthorized access. By understanding the basics of firewalls and utilizing the advanced configuration options provided by UFW, users can create a robust defense against cyber threats.

By the way, with Hostman, you can run your workloads on an efficient Amsterdam VPS that support low latency for EU-based users. Check this out, we have plenty of budget VPS hosting options for your projects.

Ubuntu Firewall
02.04.2024
Reading time: 11 min
Share

Similar

Ubuntu

How to Install VNC on Ubuntu

If you need to interact with a remote server through a graphical interface, you can use VNC technology.Through a network, users can connect remotely to a server using VNC (Virtual Network Computing). It employs the RFB protocol to send screen images and input data from different devices (such keyboards and mice) and runs on a client-server architecture. Ubuntu, Windows, macOS, and other operating systems are among those that VNC supports. The ability to connect several users at once is another benefit of VNC, which can be helpful for group tasks or training sessions. Choose your server now! And if you’re looking for a reliable, high-performance, and budget-friendly solution for your workflows, Hostman has you covered with Linux VPS Hosting options, including Debian VPS, Ubuntu VPS, and VPS CentOS. In this guide, we will describe how to install VNC on Ubuntu, using a Hostman cloud server with Ubuntu 22.04 as an example. Finished installation of VNC on Ubuntu Step 1: Preparing to Install VNC Before starting the installation process on both the server and the local machine, there are a few prerequisites to review.  Here is a list of what you’ll need to complete the installation: A Server Running Ubuntu 22.04. In this guide, we will use a cloud server from Hostman with minimal hardware configuration. Hostman's plan selection in admin panel A User with sudo Privileges. You should perform the installation as a regular user with administrative privileges. Select a Graphical Interface. You’ll need to choose a desktop environment that you will use to interact with the remote server after installing the system on both the server and the local machine. A Computer with a VNC Client Installed.  At the moment, the console is the sole method of communication with a rented server running Ubuntu 22.04. You must install a desktop environment and VNC on the server in order to enable remote management through a graphical interface. The desktop environments and VNC servers that are compatible with Ubuntu servers are listed below. VNC Servers: TightVNC Server. One of the most popular VNC servers for Ubuntu. It is easy to set up and offers good performance. RealVNC Server. RealVNC provides a commercial solution for remote access to servers across various Linux distributions, including Ubuntu, Debian, Fedora, Arch Linux, and others. Desktop Environments: Xfce. A lightweight and fast desktop environment, ideal for remote sessions over VNC. It uses fewer resources than heavier desktop environments, making it an excellent choice for servers and virtual machines. GNOME. The default Ubuntu desktop environment, offering a modern and user-friendly interface. It can be used with VNC but will consume more resources than Xfce. KDE Plasma. Another popular desktop environment that provides a wide range of features and a beautiful design. The choice of VNC server and desktop environment depends on the user’s specific needs and available resources. TightVNC and Xfce are excellent options for stable remote sessions on Ubuntu, as they do not require high resources. In the next step, we will describe how to install them on the server in detail. Step 2: Installing the Desktop Environment and VNC Server To install the VNC server on Ubuntu along with the desktop environment, connect to the server and log in as a regular user with administrative rights. Update the Package List  After logging into the server, run the following command to update the packages from the connected repositories: sudo apt update Install the Desktop Environment  Next, install the previously selected desktop environment. To install Xfce, enter: sudo apt install xfce4 xfce4-goodies Here, the first package provides the basic Xfce desktop environment, while the second includes additional applications and plugins for Xfce, which are optional. Install the TightVNC Server  To install TightVNC, enter: sudo apt install tightvncserver Start the VNC Server  Once the installation is complete, initialize the VNC server by typing: vncserver This command creates a new VNC session with a specific session number, such as :1 for the first session, :2 for the second, and so on. This session number corresponds to a display port (for example, port 5901 corresponds to :1). This allows multiple VNC sessions to run on the same machine, each using a different display port. This command will ask you to create a password during the initial setup, which is necessary for users to access the server's graphical user interface. Don't forget to verify your password to run VNC on Ubuntu Set the View-Only Password (Optional)  After setting the main password, you’ll be prompted to set a password for view-only mode. View-only mode allows users to view the remote desktop without making any changes, which is helpful for demonstrations or when limited access is needed. If you need to change the passwords set above, use the following command: vncpasswd Now you have a VNC session. VNC on Ubuntu is running In the next step, we will set up VNC to launch the Ubuntu server with the installed desktop environment. Step 3: Configuring the VNC Server The VNC server needs to know which desktop environment it should connect to. To set this up, we’ll need to edit a specific configuration file. Stop Active VNC Instances  Before making any configurations, stop any active VNC server instances. In this guide, we’ll stop the instance running on display port 5901. To do this, enter: vncserver -kill :1 Simple command to stop VNC running on Ubuntu Here, :1 is the session number associated with display port 5901, which we want to stop. Create a Backup of the Configuration File  Before editing, it’s a good idea to back up the original configuration file. Run: mv ~/.vnc/xstartup ~/.vnc/xstartup.bak Edit the Configuration File  Now, open the configuration file in a text editor: nano ~/.vnc/xstartup Replace the contents with the following: #!/bin/bashxrdb $HOME/.Xresourcesstartxfce4 & #!/bin/bash: This line is called a "shebang," and it specifies that the script should be executed using the Bash shell. xrdb $HOME/.Xresources: This line reads settings from the .Xresources file, where desktop preferences like colors, fonts, cursors, and keyboard options are stored. startxfce4 &: This line starts the Xfce desktop environment on the server. Make the Configuration File Executable To allow the configuration file to be executed, use: chmod +x ~/.vnc/xstartup Start the VNC Server with Localhost Restriction Now that the configuration is updated, start the VNC server with the following command: vncserver -localhost The -localhost option restricts connections to the VNC server to the local host (the server itself), preventing remote connections from other machines. You will still be able to connect from your computer, as we’ll set up an SSH tunnel between it and the server. These connections will also be treated as local by the VNC server. The VNC server configuration is now complete. Step 4: Installing the VNC Client and Connecting to the Server Now, let’s proceed with installing a VNC client. In this example, we’ll install the client on a Windows 11 computer. Several VNC clients support different operating systems. Here are a few options:  RealVNC Viewer. The official client from RealVNC, compatible with Windows, macOS, and Linux. TightVNC Viewer. A free and straightforward VNC client that supports Windows and Linux. UltraVNC. Another free VNC client for Windows with advanced remote management features. For this guide, we’ll use the free TightVNC Viewer. Download and Install TightVNC Viewer Visit the official TightVNC website, download the installer, and run it. Download VNC from official website In the installation window, click Next and accept the license agreement. Then, select the custom installation mode and disable the VNC server installation, as shown in the image below. This is what you need to install Click Next twice and complete the installation of the VNC client on your local machine. Set Up an SSH Tunnel for Secure Connection To encrypt your remote access to the VNC server, use SSH to create a secure tunnel. On your Windows 11 computer, open PowerShell and enter the following command: ssh -L 56789:localhost:5901 -C -N -l username server_IP_address Make sure that OpenSSH is installed on your local machine; if not, refer to Microsoft’s documentation to install it. This command configures an SSH tunnel that forwards the connection from your local computer to the remote server over a secure connection, making VNC believe the connection originates from the server itself. Here’s a breakdown of the flags used: -L sets up SSH port forwarding, redirecting the local computer’s port to the specified host and server port. Here, we choose port 56789 because it is not bound to any service. -C enables compression of data before transmitting over SSH. -N tells SSH not to execute any commands after establishing the connection. -l specifies the username for connecting to the server. Connect with TightVNC Viewer After creating the SSH tunnel, open the TightVNC Viewer and enter the following in the connection field: localhost:56789 You’ll be prompted to enter the password created during the initial setup of the VNC server. Once you enter the password, you’ll be connected to the VNC server, and the Xfce desktop environment should appear. Stop the SSH Tunnel To close the SSH tunnel, return to the PowerShell or command line on your local computer and press CTRL+C. You found out how to install VNC on Ubuntu Conclusion This guide has walked you through the step-by-step process of setting up VNC on Ubuntu 22.04. We used TightVNC Server as the VNC server, TightVNC Viewer as the client, and Xfce as the desktop environment for user interaction with the server. We hope that using VNC technology helps streamline your server administration, making the process easier and more efficient. We're prepared more detailed instruction on how to create server on Ubuntu if you have some trouble deploying it. Or you can use our low-latency US based VPS! Choose your server now! Frequently Asked Questions (FAQ) How to install VNC server on Ubuntu via command line?  The most common lightweight server is TightVNC. To install it, open your terminal and run: Update lists: sudo apt update Install the package: sudo apt install tightvncserver Initialize it (and set a password) by running: vncserver How do I uninstall VNC server on Ubuntu?  To remove the software and your configuration files, follow these steps: Stop the VNC session: vncserver -kill :1 Remove the package: sudo apt remove tightvncserver --purge (Optional) Delete config files: rm -rf ~/.vnc Is VNC secure?  By default, no. VNC traffic is not encrypted, meaning passwords and keystrokes can be intercepted. It is highly recommended to tunnel your VNC connection through SSH rather than opening the VNC port (5901) directly to the internet. Why do I see a gray screen when I connect?  This "gray screen of death" usually means the VNC server doesn't know which desktop environment to load. You need to edit the ~/.vnc/xstartup file and add the command for your desktop (e.g., startxfce4 & for XFCE or gnome-session & for GNOME). Which port does VNC use?  VNC uses port 5900 + Display ID. Display :1 uses port 5901. Display :2 uses port 5902. You must ensure these ports are allowed on your firewall if you are not using an SSH tunnel. What is the difference between TigerVNC, RealVNC, and TightVNC? TightVNC: Lightweight, reliable, and great for slower connections. Very popular for Linux. TigerVNC: A high-performance fork of TightVNC, often faster on modern hardware. RealVNC: Often proprietary/commercial, offers cloud connectivity but is less common for open-source self-hosting.
21 January 2026 · 10 min to read
Ubuntu

User Permissions Management in Ubuntu

Managing user permissions is crucial for system security. Ineffective access configuration often makes a system vulnerable. This guide will show you how to secure your cloud server with simple yet effective methods for managing user accounts. It is particularly useful for novice system administrators and other IT professionals. User permissions in Linux significantly impact system security. Proper configuration makes it harder for attackers to access your system. Basic User Settings Commands can be used to manage system access, creating a set of users who can read, edit, or execute data stored on the server. Ubuntu, as other Linux distributions, uses two basic user units: user and group. Let's see how to create and delete them. Creating a User A user is an individual account capable of executing commands and accessing system data. The simplest way to make a user in Ubuntu is: sudo adduser username The system will prompt you to set a password. Blocking and Deleting a User To block a user, use: sudo usermod -L username To unblock the user, replace -L with -U. To delete a user in Ubuntu: sudo userdel -r username The -r flag also removes the user’s home directory and all their data, a step that is irreversible. To retain the user’s information, omit the -r flag. Creating a Group A group is a collection of one or more accounts that share access to system data. To create a new group, enter: sudo addgroup groupname To check a user’s group memberships, use: groups username To add a user to a group in Ubuntu: sudo usermod -aG groupname username Here, -a means "add" and -G specifies the group. Deleting a Group To delete a group: sudo delgroup groupname Listing All Users and Groups To see a list of all system accounts, use: cat /etc/passwd Similarly, to see all groups: cat /etc/group Viewing User Groups and Permissions The /etc/group file contains information about all system groups and user memberships. To view all groups a user belongs to: groups username To view permissions for using sudo commands, check if the user belongs to the sudo group. Changing User Passwords To change a user’s password: sudo passwd username You will be prompted to enter a new password for the specified account. Usermod and ID Every process in the system is associated with an account identifier, indicating the user who initiated the process. By default, User IDs (UID) from 0 to 999 are reserved for system use, while newly created accounts get IDs starting from 1000. To check a user account’s properties: grep username /etc/passwd To change a user’s UID: usermod -u 2025 username To add a comment to an account: usermod -c "Comment" username To create and change the home directory: mkdir -p /catalog1/catalogusermod -d /catalog1/catalog username To change the login shell: usermod -s /sbin/nologin username Setting the login shell to /sbin/nologin prevents the user from accessing the bash shell. To set a password expiration date: usermod -e "YYYY-MM-DD" username After this date, the user cannot log in. The sudoers File and Root Permissions By default, Ubuntu grants root privileges to users for only 15 minutes to minimize security risks. The sudo command allows users to execute tasks with root privileges. Granting Root Privileges There are two main ways to set root privileges to a user in Ubuntu: Add the user to the sudo group, allowing them to execute commands with elevated privileges. Edit the sudoers file to manually assign privileges. Editing the sudoers File The sudoers file defines who has access to sudo. To edit it safely, use: sudo visudo The default contents look like this: Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin" root ALL=(ALL:ALL) ALL %admin ALL=(ALL) ALL %sudo ALL=(ALL:ALL) ALL #includedir /etc/sudoers.d To add a user with root privileges: username ALL=(ALL) NOPASSWD:ALL Save the file with CTRL + X, then Y, and ENTER. Switching to Root User To switch to the root user: sudo su This combines sudo and su, allowing you to operate as the root user without prefacing each command with sudo. Creating Aliases Create user groups for simplified access management: User_Alias ADMINS = user1, user2 Use these aliases to assign permissions in the sudoers file. Interactive and Non-Interactive sudo Use sudo -i to start a shell with root privileges, useful for executing multiple commands: sudo -i File Access Management User permissions for directories and files in Ubuntu can be controlled using various commands. Adding and Removing Permissions To add permissions: chmod +rwx filename To remove permissions: chmod -rwx filename To allow execution: chmod +x filename To remove write permissions: chmod -wx filename Changing File Ownership and Group Change file ownership: chown username filename Change ownership recursively: chown -R username:group /path/to/directory Change group ownership: chgrp groupname filename Numerical Permission Codes Permissions can also be set using numerical codes: 0 = No permission 1 = Execute 2 = Write 4 = Read Basically, you add up the numbers depending on what level of permissions you want to grant. 0 = no 1 = --x 2 = -w- 3 = -wx 4 = r- 5 = r-x 6 = rw- 7 = rwx Example: chmod 777 directoryname This grants everyone permission to read, write, and execute. chmod 700 filename This grants read, write, and execute permissions only to the owner. Conclusion This guide covers user permissions management in Ubuntu and also applies to other Linux systems. By following these steps, you can create users, groups and control access to files and root privileges, enhancing your system's security. Frequently Asked Questions (FAQ) How to check user permissions in Ubuntu?  To view permissions for files and directories, use the "list long" command:ls -l The output displays a string of characters (e.g., -rwxr-xr-x) on the left side. The first character indicates the type (- for file, d for directory), and the next nine characters represent the Read (r), Write (w), and Execute (x) permissions for the Owner, Group, and Others. What is chmod 777 in Ubuntu?  chmod 777 sets the permissions of a file or directory so that everyone (Owner, Group, and Public) has full Read, Write, and Execute access. Warning: This is a major security risk. You should rarely use 777, as it allows any user on the system to modify or delete your files. What are 755 and 644 permissions?  These are the standard, secure default permissions for web servers and general usage: 755 (Directories & Scripts): The Owner has full control (Read/Write/Execute). The Group and Public can only Read and Execute (access the folder or run the script), but cannot edit or delete it. 644 (Standard Files): The Owner can Read and Write. The Group and Public can only Read. User permissions management in Ubuntu example Here is a common scenario: You want to give a user named "john" ownership of a web folder and ensure only he can edit it, while others can only view it. Change Owner: sudo chown -R john:www-data /var/www/html/site Set Directory Permissions: sudo find /var/www/html/site -type d -exec chmod 755 {} \; Set File Permissions: sudo find /var/www/html/site -type f -exec chmod 644 {} \; How do I give a user sudo (admin) permissions?  Add the user to the sudo group using the usermod command: sudo usermod -aG sudo [username] The user must log out and back in for this change to take effect. How do I view which groups a user belongs to?  Simply run the command groups [username]. If you run groupswithout a name, it shows the groups for the current logged-in user.
21 January 2026 · 6 min to read
PHP

How to Install PHP and PHP-FPM on Ubuntu 24.04

We are going to show you how to install PHP and PHP-FPM on Ubuntu 24.04. PHP, or Hypertext Preprocessor, is a popular open-source programming language used mostly for online development, for example on WordPress hosting. The only PHP implementation of PHP FastCGI that is really helpful for websites with a lot of traffic is PHP. At the end of this guide, you should be ready to go with PHP running on your server on our VPS hosting.  Before that, check our instruction on how to set up a server on Ubuntu.  PHP working scheme Prerequisites Before we start, please confirm you have the following: Ubuntu 24.04 LTS installed on the server A user account with the sudo access An essential command-line operation understanding A reliable internet connection for downloading software packages To ensure that your system is up to date, run the following commands: sudo apt updatesudo apt upgrade Install Apache Launch the Apache web server using the following command: sudo apt install apache2 Install PHP Let's begin with installing the PHP package in Ubuntu 24.04 server. First, open a terminal on your Ubuntu system. PHP and common modules are included in the installation action: sudo apt install php That command installs the core PHP package, the command-line interface, and common libraries. Make sure the installation works: php -v Start with PHP Installation Install PHP Extensions PHP extensions are the way to go to extending PHP installation with certain functions. Start by installing extensions: sudo apt install php-curl php-mbstring php-xml Short description: php-mysql: Allows MySQL database connection php-gd: Adds ability to manipulate images php-curl: Makes possible to communicate with servers php-mbstring: Provides multibyte string support php-xml: Enables XML support php-zip: Enables ZIP support Additional extensions can be installed as you see fit for your projects. You can search them using: apt-cache search php- Install and Configure PHP-FPM PHP-FPM is essential when dealing with high-traffic websites. To install and configure it: Install the package: sudo apt install php-fpm Launch PHP-FPM service. Depending on the installation, version number may differ. sudo systemctl start php8.3-fpm Tell PHP-FPM to go on boot: sudo systemctl enable php8.3-fpm Verify PHP-FPM is working: systemctl status php8.3-fpm This will output a response that says "Active (Running)" if everything is working as expected. Test PHP and PHP-FPM To ensure that PHP and PHP-FPM are both running with no problems, create a test file then serve it via the website's server. Let's say it uses Apache in this example: Generate PHP Info File. To show PHP settings using the phpinfo() function, do the following: mkdir -p /var/www/htmlecho "<?php phpinfo(); ?>" | sudo tee /var/www/html/info.php Set Up Apache for PHP-FPM. Ensure Apache is made compatible for PHP-FPM, by first finding Apache configuration file (usually /etc/apache2/sites-available/000-default.conf) then inserting: <FilesMatch \.php$>   SetHandler "proxy:unix:/var/run/php/php8.3-fpm.sock|fcgi://localhost/"</FilesMatch> Remember we must alter specific PHP version and socket path to suit individual settings of the server. Activate PHP and PHP-FPM. Enable PHP and PHP-FPM following these instructions: sudo apt install libapache2-mod-phpsudo a2enmod proxy_fcgi setenvif Reboot Apache. Apply changes by restarting Apache server: sudo systemctl restart apache2 Access PHP Info Page. First open your web browser and go to: http://your_server_ip/info.php Replace [server_ip] with the server IP address or domain. You can see details of your PHP installation. This is Where You Can Check Your PHP Current Status Install Multiple PHP Versions You may need to run different programs for specific projects, and each one may need a distinct set of features. Here's how to handle and work with different PHP versions on Ubuntu 24.04. First, add PHP repository: sudo apt install software-properties-commonsudo add-apt-repository ppa:ondrej/php && sudo apt update Install PHP versions you need: sudo apt install php8.1 php8.1-fpm Deselect one PHP version and select the other: sudo update-alternatives --set php /usr/bin/php8.1 If you are using multiple PHP versions, ensure that your web server is pointing to the appropriate PHP-FPM socket. Securing PHP and PHP-FPM: Best Practices As a web developer, you are aware of how crucial it is to use both PHP and PHP-FPM in secure and reliable web applications. We'll go over some security measures in this part that you should use when utilizing PHP and PHP-FPM. 1. Keep PHP and PHP-FPM Updated PHP and PHP-FPM should be up to date. Doing regular updates will eliminate known security breaches and provide overall security improvements. You need to check for updates as often as possible then update the system as soon as the updates are available. 2. Configure PHP Securely To configure PHP securely, start by disabling unnecessary and potentially dangerous functions, such as exec, shell_exec, and eval, in the PHP configuration file (php.ini). Use open_basedir directive to restrict PHP’s access to specific directories, preventing unauthorized access to sensitive files. Set display_errors to Off in production to avoid exposing error messages that could provide insights to attackers. Limit file upload sizes and execution times to reduce the risk of resource exhaustion attacks. Besides, ensure that PHP runs under a dedicated, restricted user account with minimal permissions to prevent privilege escalation. Regularly update PHP to the latest stable version to patch vulnerabilities and improve security. 3. Use Safe Error Reporting To ensure an error-free application, it is quite handy locating and correcting code bugs in a development environment. In production environment, you have the possibility to hide the PHP errors by setting the display_errors directive to be off, and you should also set the log_errors directive to be On, thus this will help you prevent PHP from showing errors to the users whereas your server will log it in a safe location without problems to users. 4. Implement Input Validation Being aware of the input validations is quite crucial during the programming of your software. Make sure that all deficiencies are tested and only SQL statements containing their SQL equivalent that can produce outwardly neutral queries via prepared statements is considered safe. 5. Secure PHP-FPM Configuration PHP-FPM is required to run using a non-usual user account with minium rights. Furthermore, access to the PHP-FPM socket or port should be very limited to the web application. 6. Enable open_basedir You need to bind open_basedir directive in order to restrict access files within the given directory. In this case, if you attempt to visit a forbidden directory and the request is accidentally transmitted to the server, PHP will prevent you from doing so. 7. Use HTTPS We need to secure web calls by making apps HTTPS-only, which is the only prominent way to block all the known hacking tricks. Installing PHP on Ubuntu 24.04 is Rewarded Conclusion With this guide, you've successfully set up PHP and PHP-FPM on Ubuntu 24.04. Your server is now configured for dynamic web applications. To maintain security and performance, remember to keep the system and packages regularly updated. If you liked this instruction, please check our Cloud Servers or low-latency US VPS to boost your cloud workflow! Frequently Asked Questions (FAQ) How do I install PHP and PHP-FPM on Ubuntu 24.04?  You can install both the core PHP and the FastCGI Process Manager (FPM) with a single command. Update your repositories and run: sudo apt update && sudo apt install php php-fpm This will install the default version, which is currently PHP 8.3. How do I enable FPM in PHP?  If you are using Nginx, FPM is enabled by default; you just need to point your server block to the socket file (usually /run/php/php8.3-fpm.sock). If you are using Apache, you must explicitly enable the configuration and the required proxy modules: sudo a2enmod proxy_fcgi setenvif sudo a2enconf php8.3-fpm sudo systemctl restart apache2 How to know if PHP-FPM is installed and running?  To verify installation, check the version: php-fpm8.3 -v To check if the service is active and running, use: sudo systemctl status php8.3-fpm You should see a green "active (running)" status. How do I enable PHP-FPM extensions?  Extensions are typically shared between the CLI and FPM. Install the extension: sudo apt install php8.3-[extension_name] (e.g., php8.3-mysql or php8.3-gd). Restart the FPM service: unlike Apache mod_php, you must restart the FPM service for changes to take effect:sudo systemctl restart php8.3-fpm Where is the PHP-FPM configuration file located?  The main global configuration file is at /etc/php/8.3/fpm/php-fpm.conf. However, the pool configuration (where you set process managers, children, and listen sockets) is located at /etc/php/8.3/fpm/pool.d/www.conf.
20 January 2026 · 8 min to read

Do you have questions,
comments, or concerns?

Our professionals are available to assist you at any moment,
whether you need help or are just unsure of where to start.
Email us
Hostman's Support