Kapsule CloudAtlas

Cloud server firewall

Updated 4 June 2026

Cloud server firewall

Your Kapsule Cloud Server has a managed UFW firewall with sensible defaults. You can add custom rules and configure the firewall from the Management page.

Accessing the firewall

  1. Open your server in Cloud Servers
  2. Click Management in the action buttons
  3. Go to the Firewall (UFW) section

Default firewall rules

The default policy is: deny all inbound traffic, except SSH (port 22). App-stack ports open automatically based on your selected app stack (e.g. port 80/443 for web apps).

The Management page shows: "Default-deny inbound. SSH (22) is always open. App-stack ports open automatically. Add custom rules below."

Adding a custom rule

  1. In the Firewall section, find the rule input
  2. Enter a Port number (e.g. 3000, 5432, 8080)
  3. Select TCP or UDP
  4. Select Allow or Deny
  5. Click Add

Custom rules are applied over SSH within seconds. Rules show the action badge (ALLOW or DENY) and can be removed with the Remove button.

App stacks

The App stack section in Management lets you tell Kapsule what kind of app you're running. The selected stack auto-opens the right ports and tunes other security settings:

  • WordPress, WooCommerce, Ghost, Nextcloud, GitLab, Mattermost, Generic web, No app stack

Selecting an app stack from the marketplace sets this automatically.

fail2ban

fail2ban is enabled by default. It bans IPs that repeatedly fail SSH authentication attempts. For WordPress sites, it also adds wp-login.php protection.

ModSecurity WAF

ModSecurity runs in detection-only mode by default, it logs suspicious requests but doesn't block them. Once you've reviewed your logs and are comfortable with the false positive rate, you can switch it to active blocking mode from the Management page.

OS auto-patching

Security patches are applied automatically. You can configure:

  • Whether automatic reboots are allowed (only during a quiet window you define)
  • The quiet window (UTC hours) for patch-related reboots

Pre-patch snapshots are taken automatically before each patch run, so every update is reversible.

Was this article helpful?

Related articles

Connecting to your cloud server via SSH

SSH lets you connect to your server and run commands from your local terminal. Kapsule gives you the connection details directly in KPanel.

Cloud server snapshots

Snapshots are point-in-time copies of your entire server disk. Use them to roll back to a known-good state if an update or configuration change breaks something.

Resizing your cloud server

Resizing changes your server's plan — adjusting CPU, RAM, and (on upgrades) disk space. You can upgrade for more resources or downgrade to a smaller plan to reduce costs.

Rebuilding your cloud server OS

Rebuilding reinstalls the operating system from scratch, wiping all data. Use it to get a clean slate — switching OS versions, recovering from a corrupted install, or starting fresh.

Still need help?

Our support team is here on business days, NZT.

Open a ticketEmail support
Back to Help Centre