Configure the firewall and update packages
Use Claude Code to enable a firewall, open only necessary ports, update system packages, and store VPS credentials in BWS.
Lesson outcome
You will have a properly secured VPS with an active firewall, updated software, and all credentials stored in BWS.
Why this matters in an agency
An unsecured VPS is an open invitation. Automated scanners probe every public IP address on the internet constantly, looking for open ports, default passwords, and unpatched software. A firewall restricts which ports accept connections. Package updates fix known vulnerabilities. Together they reduce your attack surface from "everything is open" to "only what I explicitly allow." This takes fifteen minutes and prevents the most common categories of server compromise.
Inputs, tools, and prerequisites
SSH access to your VPS as the operator user. Claude Code running on the VPS.
Step-by-step walkthrough
Start Claude Code on the VPS
```
ssh vps
claude
```
You are logged in as operator with Claude Code running.
Ask Claude Code to configure the firewall
```
Set up UFW (Uncomplicated Firewall) on this server. Allow SSH (port 22) so I do not lose access. Block everything else by default. Enable the firewall and show me the status when done.
```
Claude Code will propose a sequence of commands:
- sudo ufw default deny incoming — block all incoming connections by default
- sudo ufw default allow outgoing — allow the server to make outgoing connections (it needs this to download updates, reach APIs, etc.)
- sudo ufw allow ssh — open port 22 for SSH (critical — without this, you would be locked out)
- sudo ufw enable — turn the firewall on
Read each command before approving. The most important one is the SSH rule. If you enable the firewall without allowing SSH, you will be locked out of your own server. Claude Code knows this and will include the SSH rule, but always verify.
After enabling, Claude Code will run sudo ufw status and show you the firewall rules. You should see:
```
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
```
That means SSH is allowed and everything else is blocked. Later, when you deploy web applications, you will add rules for ports 80 (HTTP) and 443 (HTTPS). For now, SSH is all you need.
Update system packages
```
Update all system packages on this server to their latest versions. Show me what will be updated before doing it.
```
Claude Code will run:
- sudo apt update — refreshes the list of available packages
- sudo apt upgrade — shows what will be updated and asks for confirmation
Review the list. It may include security patches, kernel updates, and library updates. Allow the upgrade. This takes a few minutes depending on how many packages need updating.
If Claude Code mentions that a reboot is required after the update, ask:
```
Is a reboot required? If so, go ahead and reboot the server.
```
After a reboot, you will be disconnected. Wait thirty seconds, then SSH back in. The server comes back up automatically.
Set up automatic security updates
```
Enable automatic security updates on this server so critical patches are applied without me having to log in and do it manually.
```
Claude Code will install and configure unattended-upgrades, which automatically applies security patches. This is standard practice for any server you do not want to babysit daily.
Store all credentials in BWS
Now organize your credentials. On your local machine (not the VPS), set up your BWS access token and store everything:
```
export BWS_ACCESS_TOKEN="your-token"
```
Verify your VPS credentials are in BWS from Module 6. If not, add them now:
- VPS IP address
- Root password
- Operator user password (if one was set)
- SSH key location (note, not the key itself — just the path, like ~/.ssh/id_ed25519)
You should be able to look at your BWS project and see a clean list of all credentials related to your VPS. If anyone asks "what are the server credentials," the answer is always "check BWS" — not "check the email from the provider" or "I think I wrote it down somewhere."
Verify the security baseline
Ask Claude Code on the VPS:
```
Run a basic security check on this server. Verify that: the firewall is active, SSH password authentication is disabled, the operator user has sudo access, and system packages are up to date.
```
Claude Code will check each item and report the status. Everything should pass. If anything fails, Claude Code will tell you what is wrong and how to fix it.
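To confirm the same baseline yourself, the script below is an added example, not part of the original lesson: it parses the output of `ufw status`, `sshd -T` and `apt-config dump` and prints PASS or FAIL for each. The function names and the `--live` switch are hypothetical; it assumes SSH was opened with `ufw allow ssh` (shown as 22/tcp) and that automatic updates are enabled through the two APT::Periodic switches set to "1".

```shell
#!/usr/bin/env bash
# Added example (not from the lesson): baseline checks that read command
# output on stdin, so the result does not depend on a summary of it.

# Succeeds only if UFW is active, 22/tcp is allowed, and nothing else is.
ufw_baseline_ok() {
  awk '
    /^Status: active/ { active = 1 }
    $2 == "ALLOW" || ($2 == "(v6)" && $3 == "ALLOW") {
      if ($1 == "22/tcp") ssh = 1; else extra = 1
    }
    END { exit !(active && ssh && !extra) }'
}

# Reads `sshd -T` (effective config); succeeds if password logins are off.
ssh_password_auth_disabled() {
  awk 'tolower($1) == "passwordauthentication" { seen = 1; v = tolower($2) }
       END { exit !(seen && v == "no") }'
}

# Reads `apt-config dump`; succeeds if both periodic switches are "1".
auto_updates_enabled() {
  awk '
    $1 == "APT::Periodic::Update-Package-Lists" && $2 == "\"1\";" { lists = 1 }
    $1 == "APT::Periodic::Unattended-Upgrade"   && $2 == "\"1\";" { unattended = 1 }
    END { exit !(lists && unattended) }'
}

report() {  # usage: some-command | report "label" check_function
  if "$2"; then echo "PASS  $1"; else echo "FAIL  $1"; fi
}

# Constructed sample: the status output shown in this lesson.
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere'

if [ "${1:-}" = "--live" ]; then   # run on the VPS as the operator user
  sudo ufw status | report "firewall active, SSH only" ufw_baseline_ok
  sudo sshd -T    | report "SSH password auth disabled" ssh_password_auth_disabled
  apt-config dump | report "automatic updates enabled" auto_updates_enabled
else
  printf '%s\n' "$SAMPLE_UFW" | report "sample: firewall active, SSH only" ufw_baseline_ok
fi
```

Once you add rules for ports 80 and 443, the firewall check will report FAIL until those ports are added to its allowed set.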
Failure modes and verification checks
The most dangerous failure is enabling the firewall without allowing SSH. Always verify the SSH rule before enabling UFW. If you do lock yourself out, use your VPS provider's web console (most providers have one) to access the server and fix the firewall.
Another failure is skipping package updates. Unpatched servers are the single most common cause of security breaches for small businesses.
Verification: sudo ufw status shows the firewall active with SSH allowed. sudo apt update && sudo apt upgrade shows no pending updates. All credentials are in BWS.
Implementation checklist
- Start Claude Code on the VPS.
- Configure UFW: deny incoming by default, allow SSH, enable.
- Verify firewall status shows SSH allowed and active.
- Update all system packages.
- Enable automatic security updates.
- Store all VPS credentials in BWS.
- Run the security verification check through Claude Code.
Immediate next action
Your VPS is secured. Move to the next module — you will organize your Obsidian vault on the VPS using Claude Code. The server is ready. The tools are installed. Now you start building the knowledge layer.
Exercise
Log out of the VPS. From your local machine, try to connect to the VPS on a port other than SSH — for example, port 80:
```
curl http://your-ip-address
```
This should time out or be refused — the firewall is blocking port 80. Then SSH in normally:
```
ssh vps
```
This should work instantly. The firewall is doing its job: allowing what you explicitly permitted (SSH) and blocking everything else. This is exactly the security posture you want for a server that has not yet started hosting web applications.