Update #7 - Syncthing UFW Rule Automation with DDNS Integration

Date: May 10, 2025
Category: Security / Automation
Backlink: Update #6 – Fail2Ban Security Hardening

🔧 Overview

This update focused on hardening access to Syncthing on the VPS. Instead of allowing unrestricted access to the Syncthing web UI and sync ports, I created a secure and automated solution that dynamically resolves a DDNS hostname (masked here for privacy) and updates UFW rules accordingly. This ensures only the current home IP can connect to the Syncthing interface and sync services.

🛠️ Tools & Technologies Used

🔄 The Process

  1. Validated Syncthing Setup

    • Confirmed Syncthing was installed and running.

    • Located its config and ensured 127.0.0.1:8384 was listening.

  2. Allowed Necessary Ports

    • Syncthing uses:

      • 8384/tcp – Web GUI

      • 22000/tcp – Sync traffic

      • 21027/udp – Local discovery

    • Initially opened ports to Anywhere to confirm functionality.

  3. Wrote an Automation Script
    I created /usr/local/bin/update-syncthing-ufw.sh to:

    • Resolve the DDNS hostname to a public IP.

    • Delete any existing UFW rules for 8384, 22000, and 21027.

    • Add new rules allowing traffic only from the current IP.

    ✅ Sample success message:

    ✅ UFW rules updated for Syncthing services from [masked DDNS IP]

  4. Confirmed It Works

    • Ran the script manually.

    • Verified UFW rules with sudo ufw status numbered.

    • Accessed the Syncthing Web UI remotely from home IP to confirm access.

  5. Cleaned Up UFW Rules

    • Removed Anywhere rules for Syncthing ports.

    • Only the resolved DDNS IP is now allowed per service port.

  6. Created a Daily Cron Job

    • Added the following to root's crontab:

      0 */6 * * * /usr/local/bin/update-syncthing-ufw.sh

    • This updates the rule every 6 hours in case the home IP changes.

✅ The Result

🔍 What I Learned


Revision #4
Created 10 May 2025 01:52:46 by Nate Nash
Updated 7 June 2025 00:14:24 by Nate Nash