Creating a Firewall with Digital Ocean Droplet

I created a firewall using a Digital Ocean droplet. Digital Ocean has a GUI interface for adding a firewall to your droplet:

screen capture of GUI interface on digital ocean

This was simple and easy to use, but then trying to manage it from the terminal was a little harder. I ended up also manually installing ufw through the terminal, not allowing HTTP or HTTPS requests. I knew my firewall was up and running when I checked the status and got "active".

screen capture of firewall status as active

Next, I wanted to look at my logs of who was trying to access my ports. I went into /var/log/ufw.log and was able to see a list of sources and destinations with different protocols hitting different ports. This was really hard to read in so much text, and I wanted to find an easier way to sift through all of it. First I saved it as a log file on my computer. I did this with the scp command, copying from root on the droplet and saving it to my desktop. The "scp" command stands for secure copy, and it lets me copy files across an SSH connection (something I just learned).

$ scp root@###.###.###.###:/var/log/ufw.log .

Unparsed log files

Once I had my log file saved to my computer, I wanted to parse it so I could concentrate on the SRC (who was trying to access) and the DPT (what port they were trying to come in on). All the destinations were my droplet's IP, using the TCP protocol. I used a Jupyter notebook to parse the file and then put the results into an Excel document where I could make out the information more clearly.

Screen capture of the Jupyter notebook used to parse the sources out of the log
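The SRC/DPT extraction described above, as an added Python example (this is not the post's notebook code): it parses the usual /var/log/ufw.log line layout into records, counts blocked connections per source, lists the ports each source probed, and renders CSV that Excel can open. The log lines are constructed samples using documentation-range addresses, and the line format (syslog prefix, "[UFW ACTION]", then KEY=VALUE fields) is assumed from how ufw normally writes to the kernel log.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample lines in the layout ufw writes to /var/log/ufw.log.
# Addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
Mar 10 12:00:01 droplet kernel: [12345.678901] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54321 PROTO=TCP SPT=44321 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:07 droplet kernel: [12351.123456] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=54322 PROTO=TCP SPT=44321 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:01:13 droplet kernel: [12417.000000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=55000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 12:02:00 droplet kernel: [12464.500000] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=2 PROTO=UDP SPT=5353 DPT=5353 LEN=40
Mar 10 12:02:30 droplet kernel: [12494.000000] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=3 PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# One ufw kernel-log line: "<timestamp> <host> kernel: [<uptime>] [UFW <ACTION>] KEY=VALUE ...".
# The uptime bracket is optional because some syslog setups strip it.
UFW_LINE = re.compile(
    r"^(?P<ts>.*?) (?P<host>\S+) kernel: "
    r"(?:\[\s*[\d.]+\] )?\[UFW (?P<action>[A-Z ]+)\] (?P<fields>.*)$"
)
FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE, VALUE may be empty (OUT=)


def _port(value):
    """Convert a port field to int; None when absent (e.g. ICMP lines)."""
    return int(value) if value.isdigit() else None


def parse_ufw_line(line):
    """Return a record for one ufw log line, or None if it is not a ufw line."""
    m = UFW_LINE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD.findall(m.group("fields")))
    return {
        "ts": m.group("ts"),
        "action": m.group("action"),
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
        "spt": _port(fields.get("SPT", "")),
        "dpt": _port(fields.get("DPT", "")),
    }


def parse_ufw_log(text):
    """Parse every ufw line in a log, silently skipping unrelated lines."""
    return [ev for ev in (parse_ufw_line(l) for l in text.splitlines()) if ev]


def blocked_by_source(events):
    """Count BLOCK events per source address (Counter, most_common() to rank)."""
    return Counter(ev["src"] for ev in events if ev["action"] == "BLOCK")


def ports_by_source(events):
    """Map each source address to the sorted list of destination ports it hit."""
    ports = defaultdict(set)
    for ev in events:
        if ev["dpt"] is not None:
            ports[ev["src"]].add(ev["dpt"])
    return {src: sorted(p) for src, p in ports.items()}


def to_csv(events):
    """Render the records as CSV text that a spreadsheet can open directly."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["time", "action", "src", "proto", "spt", "dst", "dpt"])
    for ev in events:
        w.writerow([ev["ts"], ev["action"], ev["src"], ev["proto"],
                    ev["spt"], ev["dst"], ev["dpt"]])
    return buf.getvalue()


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("ufw.log").read() after copying it with scp.
    evs = parse_ufw_log(SAMPLE_LOG)
    probed = ports_by_source(evs)
    for src, n in blocked_by_source(evs).most_common():
        print(f"{src:16} {n:4} blocked  ports={probed[src]}")
    print(to_csv(evs))
```

One caveat when attributing these entries to a country or company: a blocked SYN packet never completes a handshake, so its SRC address can be spoofed, and a single source probing 22, 80 and 443 in quick succession looks like a scanner rather than a person. The counts are useful for spotting noisy sources and popular ports, not as proof of who was behind them.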

Next, I went through all the IPs, listing where they were coming from. They were mostly commercial, and the vast majority of them were from China. I also noticed that almost all (minus a few) of the Chinese IPs came in on port 80.

Interestingly, I got Digital Ocean twice, once from Clifton and the other from San Francisco. There were also some interesting companies in the logs, such as Hurricane Electric, Alibaba, or "ISP/IXP IN CAMBODIA WITH THE BEST VERVICE IN THERE". I had only left my firewall active for a little over a day and already had a lot of log entries to parse through. Below is my full log parsed in Excel:

Screen capture of the Excel file showing the parsed firewall log, organized by SRC, DPT, city and time zone

Acknowledgements: I have to give a thanks to Tushar, Alden and Matt who all helped me with various bits along the way!