add home server core
BIN src/_assets/img/home_server/lsblk.png (new file, 11 KiB)
BIN src/_assets/img/home_server/ssh_status.png (new file, 7.9 KiB)
BIN src/_assets/img/unlisted/complete_guide_ssh/checking.jpg (new file, 64 KiB)
BIN src/_assets/img/unlisted/complete_guide_ssh/connected.jpg (new file, 71 KiB)
BIN src/_assets/img/unlisted/complete_guide_ssh/connecting.jpg (new file, 45 KiB)
BIN src/_assets/img/unlisted/complete_guide_ssh/exit.jpg (new file, 16 KiB)
BIN src/_assets/img/unlisted/complete_guide_ssh/find_ip.jpg (new file, 110 KiB)
BIN src/_assets/img/unlisted/complete_guide_ssh/installing.jpg (new file, 55 KiB)
BIN src/_assets/img/unlisted/complete_guide_ssh/password.jpg (new file, 19 KiB)
BIN src/_assets/img/unlisted/complete_guide_ssh/ssh.jpg (new file, 39 KiB)
@ -13,6 +13,8 @@
--header-text: #6a826a;
--border: #6a826a;
--accent: #aa5757;
/* this is actually bg laid over container at 12.5% transparency */
--code-bg: #ececde;

--content-column-width: 750px;
/* this width was 200 but i stretched it out to fit the gif */
@ -74,6 +76,23 @@ hr {
border-top: 2px solid var(--border);
}

code {
background-color: var(--code-bg);
padding: .1rem .3rem .2rem;
border-radius: .2rem;
word-wrap: break-word;
box-decoration-break: clone;
}

pre code {
display: block;
white-space: pre;
-webkit-overflow-scrolling: touch;
overflow-x: scroll;
max-width: 100%;
min-width: 100px;
}

body {
color: var(--text);
background: var(--bg);
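Review bot: `overflow-x: scroll` in the new `pre code` rule forces a permanently visible horizontal scrollbar on every code block, including ones that fit the column; `overflow-x: auto` shows it only when the content actually overflows. The `-webkit-overflow-scrolling: touch` line just above it has had no effect since iOS 13 (momentum scrolling is the default there now) and can be dropped, and `word-wrap` in the `code` rule is the legacy alias of `overflow-wrap`.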
src/blog/home_server__core.md
Normal file
@ -0,0 +1,140 @@
---
title: "home server // core"
date: 2023-11-06
---

i snagged this thinkcentre m710q for super cheap on an auction store because its a low power, low cost option for getting started with homelab type tasks. a lot of entry level recommendations i've seen involve using an old desktop pc or getting an [embedded celeron in a mini-itx form factor](https://www.aliexpress.com/item/1005004752259038.html) - the former is space hungry and generally power hungry, and the start-up cost of the latter is a bit much considering this doesnt include a case, power supply, memory or drives. my thinkcentre came with 8gb of (expandable) memory and a pretty nice intel nvme ssd, in a case that is smaller than my router with a maximum power draw of 65 watts and an idle draw of 9-11 watts. this makes it an excellent option for someone who wants to get in on the ground floor of "always on pcs" while not spending so much that you'll regret it if its not for you

these m710q's tend to ship with windows 10 pro, but i've been setting my little server up as a ubuntu server in order to bring up the performance (and hopefully bring down the power cost). i've found it surprisingly straightforward, but i thought it would be nice to share here for both personal reference, and maybe to help someone out who's looking to do the same thing. i'm going to slice it up into separate posts for related projects, with this one being the "core" config - i'll cross reference when an action in one entry is used for another, such as some peculiarities in the file system being defined here, but mostly being for the benefit of the \<legal downloads\> section

### what's on the menu
#### entree
\- [core setup]()
#### mains
\- media streaming
\- cloud storage
#### dessert
\- discord bot
\- minecraft server

## first things first
whatever box you end up going with, you'll want to download ubuntu server (lts version) from [here](https://ubuntu.com/download/server), then follow their installation instructions [here](https://ubuntu.com/tutorials/install-ubuntu-server#1-overview). for those new to code or open source software, lts stands for long term support, which is more or less what it says on the tin. new versions of ubuntu come out every couple of months, but these regular versions only come with nine months of support by default, meaning you'll have to keep updating to take advantage of security updates and support. lts versions are normally supported for three years, and because theyre the version the average consumer uses, theyre also the version most regularly targeted by the software we're installing, like some kind of software ouroboros

anyway, our ubuntu is going to be running in "headless" mode, which is to say, without a user interface / desktop environment. this cuts down on unnecessary cpu use, which is great, but does make the initial install a little fiddly. my m710q doesnt have wifi so i just sucked up having to sit on the floor next to router for twenty minutes while tapping through the initial install. once this is done, we shouldnt need to plug it into a screen again, although i would recommend doing the drive setup first because issues can happen there that will knock out your ability to contact the server over the internet.

also, on the note of sitting next to your router, i would very much recommend wiring your server in directly. wifi kind of sucks to begin with, and and the wifi cards that tend to come with these systems also aren't super stellar. we're going to want a high throughput for streaming our \<legal downloads\>, and using ethernet here lets you remove one bottleneck from the system. get a short run of cat5 or higher, plug it in and forget about it.

## ssh
once ubuntu is installed and restarted, we're going to set three things up while the screen is still connected: ssh (secure shell, for connecting to the server from another pc), ufw (uncomplicated firewall), and any extra drives. i used [this tutorial](https://itsfoss.com/set-up-ssh-ubuntu/)([local copy](/misc/complete_guide_to_configuring_ssh_in_ubuntu/)) for ssh, but the long and short of it is to update your package manager packages, and run apt install on the openssh server.

```sh
sudo apt update && sudo apt upgrade
sudo apt install openssh-server
```

some quick ones for the unitiated: ubuntu is pretty stringent with its security, and sort of like windows, your default user won't be the all powerful "administrator" of the system, for security reasons. this all powerful mega user is the root account, and using `sudo` will "DO" a command as if you're the "Super User". `apt` is ubuntu's package manager, which helps to centralise all of the software your average ubuntu might need, as well as making updating a bit easier. the above commands are three separate apt commands, `update`, `upgrade` and `install`. update refreshes the internal list of software versions that apt uses for search and comparison, upgrade updates all of the software currently on your server, and install installs the package requested, in this case `openssh-server`. the `&&` is code shorthand for a 'logical and' and linking two commands like this tells the system to do the second one if the first one succeeds.

openssh sets up a 'systemd service' on install. systemd is a service management system used to run the majority of software in ubuntu, and while it's not the only way to handle things like this (and some people have some criticisms with how it functions) it will work just fine for our fairly vanilla configuration, as well as give us access to some really convenient management tools, allow ubuntu to handle programs that crash by itself, and much more. we can check the status of the service by running one of the following two commands:

```sh
service ssh status
```

or

```sh
sudo systemctl status ssh
```

the former is the more convenient shorthand, but the latter gives you an idea of how these systemctl commands are laid out. either way, your output should look something like the following:



if the green "status light" in the top left corner is empty and the Active line says "inactive", run the following command:

```sh
sudo systemctl enable --now ssh
```

this will start up ssh and make sure ubuntu starts it on system boot in the future

## ufw
uncomplicated firewall ships with ubuntu, and allows us to configure a firewall in an uncomplicated manner! sweet! i'm using [this tutorial](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04)([local copy](how_to_set_up_a_firewall_with_ufw_on_ubuntu_20_04)) for ufw setup. first up, i'll introduce you to a friend that's going to be with us for the rest of this adventure:

```sh
sudo nano /etc/default/ufw
```

`nano` is a text editor for use in the terminal, and /etc/default/ufw is the location of a file we want to check. `/` at the beginning says that we're looking at the bottom level or 'root' level of the file system; the windows equivalent is a folder located at C:/. if you want to navigate to a file in reference to our current location, you can omit the leading `/`. `etc` is a folder that holds a lot of configuration files, and the `ufw` at the end of the string is our actual file. unlike windows, a text file doesn't need a .txt extension; they work the same way.

running this command will load nano on this particular file, with sudo / root permissions so that we can make edits if we need to (the file is owned by root, and we normally wouldnt be able to mess with it). look for a row with `IPV6=`, and if it says no, change it to yes. this just means we can process ipv6 addresses, which is unlikely to come up, and is more just a nice-to-have. we won't really be stressing about this anymore in this guide, but if you want to learn about what's going on, read about ipv4 [here](https://en.wikipedia.org/wiki/IPv4) and ipv6 [here](https://en.wikipedia.org/wiki/IPv6).

you can save changes in nano using ctrl-s, and exit using ctrl-x. if you don't save changes it will ask you to confirm, which is a bit annoying, so i just ctrl-s every time.

next, we'll set some nice simple base configs for ufw

```sh
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable
sudo ufw allow ssh
```

the first two commands disable all incoming traffic (systems trying to connect to your server) and allows all outgoing traffic (your server trying to connect to other systems). we then `enable` the firewall to activate it (it can be useful to `disable` it during debugging) and the we allow `ssh` through the firewall - most systems will require an explicit port to be specified here, but ssh is known to the system and this shorthand can be used instead. whenever we want something to be accessible to other devices, we will need to `allow` it through the firewall.

## storage
if you're not adding storage you can skip this, but i would highly recommend that you wrangle a secondary drive, even if its an old one from a laptop you don't use anymore. the m710q has a spare 2.5 inch bay, which will take a sata ssd or a laptop sized hdd (spinning drive or "platter" drive). ymmv if you used a different computer.

```sh
lsblk
```

this command should return you something that looks a bit like this:



this is an absolute mess, but you should be able to spot your drive in the sd- section. mine in this case is sda2, which i can tell from the listed size of 3.6tb. the drive is actually 4TB, but sizes get weird once the drives are this big - read into [decimal vs binary sizes](https://en.wikipedia.org/wiki/Byte#Multiple-byte_units) if you're interested. now that you know the drive name, you can perform a format to ext4 if necessary. this is also fiddly, so check out [this guide](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux)([local copy](/misc/how_to_partition_and_format_storage_devices_in_linux)) for your particular usecase.

now that the drive is all good to go, we can run lsblk with some extra variables:

```sh
lsblk -o NAME,FSTYPE,UUID,MOUNTPOINTS
```

you can then find your drive again, and make a note of the FSTYPE and UUID (unique universal id). take note of these elsewhere. note that ctrl-c in the ubuntu terminal is an old shorthand for stopping a piece of software and won't work here - use ctrl-shift-c instead, and not that it works the same for pasting - ctrl-shift-v is your friend.

make a directory for your drive to be mounted to and do a test mount to make sure it all behaves. this is more or less equivalent to naming a drive in windows, so i normally find a random greek god to use as a name, but you can just call it something like 'storage'. make your new drive under `/mtn/`, as this is the standard location for mounting drives in ubuntu

```sh
# replace 'panacea' with your chosen drive name
sudo mkdir /mnt/panacea
# replace replace 'sda2' with your drive location from lsblk and 'panacea' with the folder you made in the last step
sudo mount -t ext4 /dev/sda2 /mnt/panacea
```

`mkdir` is used for making a new folder (referred to as directories in ubuntu), and `mount` is for temporarily mounting a drive. annoyingly, this drive will be unmounted on a restart, so we need a more permanent solution.

```sh
sudo nano /etc/fstab
```

fstab is our file system table, and is referenced by the server on boot to put all the drives in their right place. i used [this tutorial](https://developerinsider.co/auto-mount-drive-in-ubuntu-server-22-04-at-startup/#3-edit-fstab)([local copy](/misc/auto_mount_drive_in_ubuntu_server_22_04_at_startup)) to set mine up. you should be able to add a new line to the end of the fstab, along with a comment so future you can figure out what's going on:

```sh
# 4tb drive aka panacea
UUID=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx /mnt/panacea ext4 defaults 0 0
```

copy your uuid from the earlier step, and add your mount point. once the file is saved, run `findmnt`:

```sh
sudo findmnt --verify
```

`findmnt` will check that your fstab looks valid, because an error in this file can stop your server from booting. if everything comes up good, run a restart on your server using:

```sh
sudo reboot
```

if your server boots again then the first bit of config is over! if not, use `sudo nano /etc/fstab` again and fix the issue. the terminal may be a bit of word soup, but it should still tell you what's wrong with your configuration.
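Review bot: the storage section tells readers to create their mount directory under `/mtn/` while every command that follows uses `/mnt/panacea`; it should read `/mnt/`. Two more points in the same file. In the ufw block, `sudo ufw enable` runs before `sudo ufw allow ssh`; swap the two so the allow rule is in place before the default-deny policy takes effect, otherwise a reader who is already working over SSH rather than at the console is cut off the moment the firewall comes up. In the fstab entry `UUID=... /mnt/panacea ext4 defaults 0 0`, the post warns that a bad fstab can stop the box from booting, but a correct entry without `nofail` has the same effect if the data drive is ever missing or fails, so `defaults,nofail` (plus `nosuid,nodev`, since nothing on a pure data disk needs setuid binaries or device nodes) is the safer line for any drive that does not hold the OS. Smaller fixes: UUID expands to universally unique identifier, not "unique universal id"; interim Ubuntu releases come out every six months rather than "every couple of months", and an LTS release gets five years of standard support, not three; and because the guide leaves sshd on password authentication and opens it through the firewall, one sentence pointing at key-based login with `PasswordAuthentication no` in `/etc/ssh/sshd_config` would close the most obvious gap (the bundled itsfoss copy already links its own hardening page).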
src/misc/auto_mount_drive_in_ubuntu_server_22_04_at_startup.md
Normal file
@ -0,0 +1,103 @@
---
title: backup of "auto mount drive in ubuntu server 22.04"
date: 2023-11-06
---

backup of "auto mount drive in ubuntu server 22.04" by vineet choudhary. original post is [here](https://developerinsider.co/auto-mount-drive-in-ubuntu-server-22-04-at-startup/)

---

When we connect an external drive, by default, Linux OS (or Ubuntu Server) doesn't automount the external drive at startup. We can mount it very easily using the `mount` command but we want to enable automount feature on startup. So, we don't need to mount the drive again after restarting or logging into Linux OS. Here are steps to auto mount drive at startup -

## 1. Create the Mount Point

First, we need to create a directory which will be our mount point for a drive

```
sudo mkdir /media/USB1
```

## 2. Get Drive UUID and Type

Now, we need to get the drive UUID and File System Type. This information we need in the next step. So, to find the drive's UUID and File System Type, run the following command -

```
lsblk -o NAME,FSTYPE,UUID,MOUNTPOINTS
```

This will return something like what we have below. Here you can see, sd2 is type exfat and doesn't have any mount point. So, we need to mount this sda2 on `/media/USB1`. There UUID for this is `632D-7154` and File System Type is `exfat`. So, Copy the UUID and File System Type from the disk.

```
NAME FSTYPE UUID MOUNTPOINTS
sda
├─sda1 vfat 67E3-17ED
└─sda2 exfat 632D-7154
sdb
├─sdb1 vfat D7E2-9D99 /boot/firmware
└─sdb2 ext4 b09bb4c8-de4d-4ce6-a93f-30c4c9241a58 /
```

## 3. Edit fstab

To edit the fstab file run the following command (note I'm using nano here but use whatever editor you prefer)

```
sudo nano /etc/fstab
```

You'll see something like this -

```
LABEL=writable / ext4 discard,errors=remount-ro 0 1
LABEL=system-boot /boot/firmware vfat defaults 0 1
```

Here we need to add one more entry for our drive. The format for adding a new entry is something like this -

```
<file system> <mount point> <type> <options> <dump> <pass>
UUID=<UUID> <PATH_TO_MOUNT> <DRIVE_TYPE> defaults 0 0
```

So, here is the entry for our drive

```
# USB1
UUID=632D-7154 /media/USB1 exfat defaults 0 0
```

## 4. Test fstab

Now we'll test the `fstab` before rebooting because an invalid `fstab` can render a disk unbootable. So, for the test, run the following command and check if there is any error or warnings. Do not reboot your Ubuntu Server / Linux OS without resolving those errors or warnings (if any).

```
sudo findmnt --verify
```

## 5. Restart Ubuntu Server / Linux OS

If the last step doesn't show any error or warnings then restart Ubuntu Server / Linux OS using the following command -

```
sudo reboot
```

## 6. Test the Mount Point

Run the same command which we run in Step 2 to check if our drive is mounted to its mount point.

```
lsblk -o NAME,FSTYPE,UUID,MOUNTPOINTS
```

```
NAME FSTYPE UUID MOUNTPOINTS
sda
├─sda1 vfat 67E3-17ED
└─sda2 exfat 632D-7154 /media/USB1
sdb
├─sdb1 vfat D7E2-9D99 /boot/firmware
└─sdb2 ext4 b09bb4c8-de4d-4ce6-a93f-30c4c9241a58 /
```

Here you can see, `sda2` is now mounted to `/media/USB1`.
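Review bot: in the paragraph after the first `lsblk` listing, "sd2 is type exfat" should be `sda2`, matching both the listing and the mount sentence that follows it ("There UUID for this" in the same paragraph also wants "The"). Since the file is a verbatim backup, a bracketed editor's correction is the right fix rather than rewording the original, but leaving the typo means readers who grep for `sd2` in their own output find nothing.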
src/misc/complete_guide_to_configuring_ssh_in_ubuntu.md
Normal file
@ -0,0 +1,195 @@
---
title: backup of "complete guide to configuring ssh in ubuntu"
date: 2023-11-06
---

backup of "complete guide to configuring ssh in ubuntu" by chris patrick carias stas. original post is [here](https://itsfoss.com/set-up-ssh-ubuntu/)

---

SSH has become the default method of accessing a remote Linux server these days.

SSH stands for Secure Shell and it’s a powerful, efficient, and popular network protocol used to establish communication between two computers in a remote fashion. And let’s not forget the secure part of its name; SSH encrypts all traffic to prevent attacks like hijacking and eavesdropping while offering different authentication methods and a myriad of configuration options.

In this beginner’s guide, you’ll learn:
- The basic concept of SSH
- Setting up SSH server (on the system you want to access remotely)
- Connecting to remote server via SSH from the client machine (your personal computer)

### The absolute basics of SSH

Before you see any configuration process, it will be better to go through the absolute basic concept of SSH.

The SSH protocol is based on server-client architecture. The “server” allows the “client” to be connected over a communication channel. This channel is encrypted and the exchange is governed by the use of public and private SSH keys.


Image credit: [SSH](https://www.ssh.com/academy/ssh?ref=itsfoss.com)

[OpenSSH](https://www.openssh.com/?ref=itsfoss.com) is one of the most popular open source tools that provides the SSH functionality on Linux, BSD and Windows.

For a successful SSH set up, you need to:
- Have SSH server components on the machine that acts as the server. This is provided by **openssh-server** package.
- Have SSH client component on the machine from where you want to connect to the remote server machine. This is provided by **openssh-client** package and most Linux and BSD distributions come preinstalled with it.

It is important to keep a distinction between the server and client. You might not want your personal computer to act as SSH server unless you have good reasons where you want others to connect to your system via SSH.

Generally, you have a dedicated system working as the server. For example, a [Raspberry Pi running Ubuntu server](https://itsfoss.com/install-ubuntu-server-raspberry-pi/). You [enable SSH on the Raspberry Pi](https://itsfoss.com/ssh-into-raspberry/) so that you could control and manage the device from your main personal computer using SSH in a terminal.

With that information, let’s see how you can set up a SSH server on Ubuntu.

# Configuring SSH Server on Ubuntu
Setting up SSH is not complicated and just needs a few steps to do it.

### Prerequisites
- A user with sudo privileges on the server machine
- Internet connection to download the required packages
- At least another system in your network. It can be another computer on your LAN, a remote server via Internet, or a virtual machine hosted in your computer.

> *Again, the SSH server installation should be done on the system that you want to act as a server and to which you want to connect remotely via SSH.*

### Step 1: Install required packages
Let’s start by opening a terminal window to enter the necessary commands.

Remember to [update your Ubuntu system](https://itsfoss.com/update-ubuntu/) before installing new packages or software with to make sure that you are running the latest versions.

```sh
sudo apt update && sudo apt upgrade
```

The package you need to run SSH Server is provided by openssh-server component from OpenSSH:

```sh
sudo apt install openssh-server
```



### Step 2: Checking the status of the server

Once the downloading and installation of the package is done the SSH service should be already running, but to be sure we will check it with:

```sh
service ssh status
```

You may also use the systemd commands:

```sh
sudo systemctl status ssh
```

You should see something like this, with the word Active highlighted. Hit `q` to return to the command prompt.



If in your case the service is not running you will have to activate like this:

```sh
sudo systemctl enable --now ssh
```

### Step 3: Allowing SSH through the firewall
Ubuntu comes with a firewall utility called [UFW](https://itsfoss.com/set-up-firewall-gufw/) (UncomplicatedFirewall) which is an interface for iptables that in turn manages the network’s rules. If the firewall is active, it may prevent the connection to your SSH Server.

To [configure UFW](https://itsfoss.com/ufw-ubuntu/) so that it allows the wanted access, you need to run the following command:

```sh
sudo ufw allow ssh
```

The status of UFW can be checked running `sudo ufw status``.

At this time our SSH Server is up and running, just waiting for a connection from a client.

### Connecting to the remote system from your local machine
Your local Linux system should already have an SSH client installed. If not, you may always install it using the following command on Ubuntu:

```sh
sudo apt install openssh-client
```

To connect to your Ubuntu system you need to know the IP address of the computer and use the ssh command, like this:

```sh
ssh username@address
```

Change *username* to your actual user in the system and *address* to the IP address of your Ubuntu machine.

If you don’t [know the IP address of your computer](https://itsfoss.com/check-ip-address-ubuntu/) you can type `ip a` in the terminal of the server and check the output. You should have something like this:


Using “ip a” to find the IP address

As can be seen here my IP address is *192.168.1.111*. Let’s try connecting using the *username@address* format.

```sh
ssh team@192.168.1.111
```

The first time you connect to a SSH server, it will ask for permission to add the host. Type `yes` and hit Enter to continue.


First time connecting to the server

Immediately SSH tells you that the host was permanently added and then asks for the password assigned to the username. Type in the password and hit Enter one more time.


Host added, now type in the password

And voila! You will be logged into your Ubuntu system remotely!


Connected!

Now you can work in your remote system’s terminal as normal.

### Closing the SSH connection
To close the connection you just need to type exit and it will close it at once, without asking for confirmation.


Closing the connection with “exit”

### Stopping and Disabling SSH in Ubuntu
If you want to stop SSH service you will need this command:

```sh
sudo systemctl stop ssh
```

This will stop the service until you restart it or until the system is rebooted. To restart it, type:

```sh
sudo systemctl start ssh
```

Now, if you want to disable it from starting during system boot, use this:

```sh
sudo systemctl disable ssh
```

This won’t stop the service from running during the current session, just from loading during startup. If you want to let it start again during system boot, type:

sudo systemctl enable ssh

### Other SSH clients

The tool ssh is included in most *nix systems, from Linux to macOS, but those are not the only options in existence, here are a couple of clients that can be used from other operating systems:
- [PuTTY](https://www.putty.org/?ref=itsfoss.com) is a free and open source SSH client which is hugely popular among Windows users. You can also [install PuTTY on Ubuntu](https://itsfoss.com/putty-linux/). It’s full of features and very easy to use. If you are connecting to your Ubuntu machine from a Windows station, PuTTY is a great option.
- [JuiceSSH](https://juicessh.com/?ref=itsfoss.com) is an amazing tool for Android users. If you are on the go and need a mobile client to connect to your Ubuntu system, I amply recommend giving JuiceSSH a go. It’s been around for almost 10 years and it’s free to use.
- And finally, [Termius](https://termius.com/?ref=itsfoss.com) is available for Linux, Windows, macOS, iOS, and Android. It has a free tier version and also several premium options. If you are running a lot of servers and working with teams sharing connections then Termius is a good option for you.

### Wrapping Up

With these instructions, you can set up SSH as a server service in our Ubuntu systems to be able to connect remotely and securely to your computer in order to work with the command line and perform any required task.

Our other website, Linux Handbook, has various informational articles on SSH. From here, I recommend reading the following:
- [Getting started with SSH on Linux](https://linuxhandbook.com/ssh-basics/?ref=itsfoss.com)
- [Using SSH Config file to manage multiple SSH connections](https://linuxhandbook.com/ssh-config-file/?ref=itsfoss.com)
- [Adding public key to SSH server for password less authentication](https://linuxhandbook.com/add-ssh-public-key-to-server/?ref=itsfoss.com)
- [SSH hardening tips](https://linuxhandbook.com/ssh-hardening-tips/?ref=itsfoss.com) to secure your SSH server

If you find it overwhelming, Linux [Handbook has a premium video course that explains SSH for beginners](https://linuxhandbook.com/sshcourse/?ref=itsfoss.com) along with hands-on labs to follow. This will give you a more streamlined knowledge of the topic.

Happy remote working!
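Review bot: the sentence "The status of UFW can be checked running `sudo ufw status`." in step 3 carries a stray extra backtick after the command, and `sudo systemctl enable ssh` at the end of the stop/disable section is the only command in the file not inside a ```sh fence, so it renders as body text. One substantive gap next to the "Type `yes` and hit Enter" paragraph: that prompt is the only moment the client learns the server's host key, and the text never says to compare the fingerprint it shows with `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` run on the server console before answering; as a backup this can stay verbatim, but the blog post that points readers here should say it.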
src/misc/how_to_partition_and_format_storage_devices_in_linux.md
Normal file
@ -0,0 +1,271 @@
|
||||
---
|
||||
title: backup of "how to partition and format storage devices in linux"
|
||||
date: 2023-11-06
|
||||
---
|
||||
|
||||
backup of "how to partition and format storage devices in linux" by justin ellingwood, published 5 july 2016. original post is [here](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux)
|
||||
|
||||
---
|
||||
|
||||
### [Introduction](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#introduction)[](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#introduction)
|
||||
|
||||
Preparing a new disk for use on a Linux system is a straightforward process. There are many tools, filesystem formats, and partitioning schemes that may change the process if you have specialized needs, but the fundamentals remain the same.
|
||||
|
||||
This guide will cover the following process:
|
||||
|
||||
- Identifying the new disk on the system.
- Creating a single partition that spans the entire drive (most operating systems expect a partition layout, even if only one filesystem is present)
- Formatting the partition with the Ext4 filesystem (the default in most modern Linux distributions)
- Mounting and setting up Auto-mounting of the filesystem at boot

## [Step 1 — Install Parted](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#step-1-install-parted)[](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#step-1-install-parted)

To partition the drive, you’ll use the `parted` utility. Most of the commands necessary for interacting with a low-level filesystem are available by default on Linux. `parted`, which creates partitions, is one of the only occasional exceptions.

If you are on an Ubuntu or Debian server and do not have `parted` installed, you can install it by typing:

```
sudo apt update
sudo apt install parted
```

If you are on an RHEL, Rocky Linux, or Fedora server, you can install it by typing:

```
sudo dnf install parted
```

Every other command used in this tutorial should be preinstalled, so you can move on to the next step.

## [Step 2 — Identify the New Disk on the System](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#step-2-identify-the-new-disk-on-the-system)[](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#step-2-identify-the-new-disk-on-the-system)

Before you set up the drive, you need to be able to properly identify it on the server.

If this is a completely new drive, One way to identify it on your server is to look for the absence of a partitioning scheme. If you ask `parted` to list the partition layout of your disks, it will produce an error for any disks that don’t have a valid partition scheme. This can be used to help identify the new disk:

```
sudo parted -l | grep Error
```

You should see an `unrecognized disk label` error for the new, unpartitioned disk:

```
OutputError: /dev/sda: unrecognized disk label
```

You can also use the `lsblk` command and look for a disk of the correct size that has no associated partitions:

```
lsblk
```

```
OutputNAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 100G 0 disk
vda 253:0 0 20G 0 disk
└─vda1 253:1 0 20G 0 part /
```

> **Note:** Remember to check `lsblk` every time you reconnect to your server before making changes. The `/dev/sd*` and `/dev/hd*` disk identifiers will not necessarily be consistent between boots, which means there is some danger of partitioning or formatting the wrong disk if you do not verify the disk identifier correctly.

Consider using more persistent disk identifiers like `/dev/disk/by-uuid`, `/dev/disk/by-label`, or `/dev/disk/by-id`. See our [introduction to storage concepts and terminology in Linux](https://www.digitalocean.com/community/tutorials/an-introduction-to-storage-terminology-in-linux) article for more information.

When you know the name that the kernel has assigned your disk, you can partition your drive.

## [Step 3 — Partition the New Drive](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#step-3-partition-the-new-drive)[](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#step-3-partition-the-new-drive)

As mentioned in the introduction, you’ll create a single partition spanning the entire disk in this guide.

### [Choose a Partitioning Standard](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#choose-a-partitioning-standard)[](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#choose-a-partitioning-standard)

To do this, you first need to specify the partitioning standard to use. There are two options: GPT and MBR. GPT is a more modern standard, while MBR is more widely supported among older operating systems. For a typical cloud server, GPT is a better option.

To choose the GPT standard, pass the disk you identified to `parted` with `mklabel gpt`:

```
sudo parted /dev/sda mklabel gpt
```

To use the MBR format, use `mklabel msdos`:

```
sudo parted /dev/sda mklabel msdos
```

### [Create the New Partition](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#create-the-new-partition)[](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#create-the-new-partition)

Once the format is selected, you can create a partition spanning the entire drive by using `parted -a`:

```
sudo parted -a opt /dev/sda mkpart primary ext4 0% 100%
```

You can break down this command as follows:

- `parted -a opt` runs parted, setting the default **opt**imal alignment type.
- `/dev/sda` is the disk that you’re partitioning.
- `mkpart primary ext4` makes a standalone (i.e. bootable, not extended from another) partition, using the ext4 filesystem.
- `0% 100%` means that this partition should span from the start to the finish of the disk.

For more information, refer to the [manual page](https://linux.die.net/man/8/parted) of Parted.

If you check `lsblk`, you should see the new partition available:

```
lsblk
```

```
OutputNAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 100G 0 disk
└─sda1 8:1 0 100G 0 part
vda 253:0 0 20G 0 disk
└─vda1 253:1 0 20G 0 part /
```

You now have a new partition created, but it has not yet been initialized as a filesystem. The difference between these two steps is somewhat arbitrary, and unique to the way Linux filesystems work, but they are still two steps in practice.

## [Step 4 — Create a Filesystem on the New Partition](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#step-4-create-a-filesystem-on-the-new-partition)[](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#step-4-create-a-filesystem-on-the-new-partition)

Now that you have a partition available, you can initialize it as an Ext4 filesystem. Ext4 is not the only filesystem option available, but it is the most straightforward option for a single, standalone Linux volume. Windows uses filesystems like **NTFS** and **exFAT**, but they have limited support on other platforms (meaning that they will be read-only in some contexts, and cannot be used as a boot drive for other operating systems), and macOS uses **HFS+** and **APFS**, with the same caveats. There are also newer Linux filesystems than Ext4, such as **ZFS** and **BTRFS**, but these impose different requirements and they are generally better-suited to multi-disk arrays.

To initialize an Ext4 filesystem, use the `mkfs.ext4` utility. You can add a partition label with the `-L` flag. Select a name that will help you identify this particular drive:

> **Note:** Make sure you provide the path to the partition and not the entire disk. In Linux, disks have names like `sda`, `sdb`, `hda`, etc. The partitions on these disks have a number appended to the end. So you would want to use something like `sda1`, not `sda`.

```
sudo mkfs.ext4 -L datapartition /dev/sda1
```

If you want to change the partition label later on, you can use the `e2label` command:

```
sudo e2label /dev/sda1 newlabel
```

You can see all of the different ways to identify your partition with `lsblk`. You should find the name, label, and UUID of the partition.

Some versions of `lsblk` will print all of this information with the `--fs` argument:

```
sudo lsblk --fs
```

You can also specify them manually with `lsblk -o` followed by the relevant options:

```
sudo lsblk -o NAME,FSTYPE,LABEL,UUID,MOUNTPOINT
```

You should receive output like this. The highlighted output indicate different methods you can use to refer to the new filesystem:

```
OutputNAME FSTYPE LABEL UUID MOUNTPOINT
sda
└─sda1 ext4 datapartition 4b313333-a7b5-48c1-a957-d77d637e4fda
vda
└─vda1 ext4 DOROOT 050e1e34-39e6-4072-a03e-ae0bf90ba13a /
```

Make a note of this output, as you’ll use it when mounting the filesystem in the next step.

## [Step 5 — Mount the New Filesystem](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#step-5-mount-the-new-filesystem)[](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#step-5-mount-the-new-filesystem)

Now, you can mount the filesystem for use.

The [Filesystem Hierarchy Standard](http://refspecs.linuxfoundation.org/fhs.shtml) recommends using the `/mnt` directory or a subdirectory under it for temporarily mounted filesystems (like removable drives). It makes no recommendations on where to mount more permanent storage, so you can choose whichever scheme you’d like. For this tutorial, you’ll mount the drive under `/mnt/data`.

Create that directory using `mkdir`:

```
sudo mkdir -p /mnt/data
```

### [Mounting the Filesystem Temporarily](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#mounting-the-filesystem-temporarily)[](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#mounting-the-filesystem-temporarily)

You can mount the filesystem temporarily by typing:

```
sudo mount -o defaults /dev/sda1 /mnt/data
```

### [Mounting the Filesystem Automatically at Boot](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#mounting-the-filesystem-automatically-at-boot)[](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#mounting-the-filesystem-automatically-at-boot)

In order to mount the filesystem automatically each time the server boots, you’ll add an entry to the `/etc/fstab` file. This file contains information about all of your system’s permanent, or routinely mounted, disks. Open the file using `nano` or your favorite text editor:

```
sudo nano /etc/fstab
```

In the last step, you used the `sudo lsblk --fs` command to display identifiers for your filesystem. You can use any of these in this file. This example uses the partition _label_, but you can see what the lines would look like using the other two identifiers in the commented out lines:

##### /etc/fstab

```
. . .
## Use one of the identifiers you found to reference the correct partition
# /dev/sda1 /mnt/data ext4 defaults 0 2
# UUID=4b313333-a7b5-48c1-a957-d77d637e4fda /mnt/data ext4 defaults 0 2
LABEL=datapartition /mnt/data ext4 defaults 0 2
```

Beyond the `LABEL=datapartition` element, these options work as follows:

- `/mnt/data` is the path where the disk is being mounted.
- `ext4` connotes that this is an Ext4 partition.
- `defaults` means that this volume should be mounted with the default options, such as read-write support.
- `0 2` signifies that the filesystem should be validated by the local machine in case of errors, but as a `2`nd priority, after your root volume.

> **Note:** You can learn about the various fields in the `/etc/fstab` file by checking its [man page](https://linux.die.net/man/5/fstab) For information about the mount options available for a specific filesystem type, check `man [filesystem]` (like `man ext4`).

Save and close the file when you are finished. If you are using `nano`, press `Ctrl+X`, then when prompted to confirm, `Y` and then `Enter`.

If you did not mount the filesystem previously, you can now mount it with `mount -a`:

```
sudo mount -a
```

### [Testing the Mount](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#testing-the-mount)[](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#testing-the-mount)

After you’ve mounted the volume, we should check to make sure that the filesystem is accessible.

You can check if the disk is available in the output from the `df` command. Sometimes `df` will include unnecessary information about temporary filesystems called `tmpfs` in `df` output, which you can exclude by appending `-x tmpfs`:

```
df -h -x tmpfs
```

```
OutputFilesystem Size Used Avail Use% Mounted on
/dev/vda1 20G 1.3G 18G 7% /
/dev/sda1 99G 60M 94G 1% /mnt/data
```

You can also check that the disk mounted with read and write capabilities by writing to a test file:

```
echo "success" | sudo tee /mnt/data/test_file
```

Read the file back just to make sure the write executed correctly:

```
cat /mnt/data/test_file
```

```
Outputsuccess
```

You can remove the file after you have verified that the new filesystem is functioning correctly:

```
sudo rm /mnt/data/test_file
```

## [Conclusion](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#conclusion)[](https://www.digitalocean.com/community/tutorials/how-to-partition-and-format-storage-devices-in-linux#conclusion)

Your new drive should now be partitioned, formatted, mounted, and ready for use. This is the general process you can use to turn a raw disk into a filesystem that Linux can use for storage. There are more complex methods of partitioning, formatting, and mounting which may be more appropriate in some cases, but the above is a good starting point for general use.

Next, you may want to learn [how to use SSHFS to mount remote volumes over SSH](https://www.digitalocean.com/community/tutorials/how-to-use-sshfs-to-mount-remote-file-systems-over-ssh)
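Review bot: the `Output` caption from the source page has been fused onto the first line of every output block in this file (`OutputError: /dev/sda: unrecognized disk label`, `OutputNAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT`, `Outputsuccess`), so a reader will take it for part of the command output; put the caption on its own line above the fence or drop it. In the same way, "The highlighted output indicate different methods you can use to refer to the new filesystem" in Step 4 points at highlighting that did not survive the copy; naming the `LABEL` and `UUID` columns instead keeps the sentence meaningful. One technical point in Step 3: the bullet describing `mkpart primary ext4` as making a bootable partition "using the ext4 filesystem" contradicts the paragraph after the `lsblk` listing, which correctly says the partition "has not yet been initialized as a filesystem". The `ext4` argument only records a partition type hint and `primary` does not set a boot flag; the filesystem is created by `mkfs.ext4` in Step 4, so the bullet should say that.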
296
src/misc/how_to_set_up_a_firewall_with_ufw_on_ubuntu_20_04.md
Normal file
@ -0,0 +1,296 @@
---
title: backup of "complete guide to configuring ssh in ubuntu"
date: 2023-11-06
---

backup of "how to set up a firewall with ufw on ubuntu 20.04" by brian boucheron, published 5 may 2020. original post is [here](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04)

---

### [Introduction](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#introduction)[](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#introduction)

UFW, or Uncomplicated Firewall, is a simplified firewall management interface that hides the complexity of lower-level packet filtering technologies such as `iptables` and `nftables`. If you’re looking to get started securing your network, and you’re not sure which tool to use, UFW may be the right choice for you.

This tutorial will show you how to set up a firewall with UFW on Ubuntu 20.04.

## [Prerequisites](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#prerequisites)[](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#prerequisites)

To follow this tutorial, you will need:

- One Ubuntu 20.04 server with a sudo non-root user, which you can set up by following our [Initial Server Setup with Ubuntu 20.04 tutorial](https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-20-04).

UFW is installed by default on Ubuntu. If it has been uninstalled for some reason, you can install it with `sudo apt install ufw`.

## [Step 1 — Using IPv6 with UFW (Optional)](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#step-1-using-ipv6-with-ufw-optional)[](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#step-1-using-ipv6-with-ufw-optional)

This tutorial is written with IPv4 in mind, but will work for IPv6 as well as long as you enable it. If your Ubuntu server has IPv6 enabled, ensure that UFW is configured to support IPv6 so that it will manage firewall rules for IPv6 in addition to IPv4. To do this, open the UFW configuration with `nano` or your favorite editor.

```
sudo nano /etc/default/ufw
```

Then make sure the value of `IPV6` is `yes`. It should look like this:

/etc/default/ufw excerpt

```
IPV6=yes
```

Save and close the file. Now, when UFW is enabled, it will be configured to write both IPv4 and IPv6 firewall rules. However, before enabling UFW, we will want to ensure that your firewall is configured to allow you to connect via SSH. Let’s start with setting the default policies.

## [Step 2 — Setting Up Default Policies](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#step-2-setting-up-default-policies)[](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#step-2-setting-up-default-policies)

If you’re just getting started with your firewall, the first rules to define are your default policies. These rules control how to handle traffic that does not explicitly match any other rules. By default, UFW is set to deny all incoming connections and allow all outgoing connections. This means anyone trying to reach your server would not be able to connect, while any application within the server would be able to reach the outside world.

Let’s set your UFW rules back to the defaults so we can be sure that you’ll be able to follow along with this tutorial. To set the defaults used by UFW, use these commands:

```
sudo ufw default deny incoming
sudo ufw default allow outgoing
```

These commands set the defaults to deny incoming and allow outgoing connections. These firewall defaults alone might suffice for a personal computer, but servers typically need to respond to incoming requests from outside users. We’ll look into that next.

## [Step 3 — Allowing SSH Connections](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#step-3-allowing-ssh-connections)[](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#step-3-allowing-ssh-connections)

If we enabled our UFW firewall now, it would deny all incoming connections. This means that we will need to create rules that explicitly allow legitimate incoming connections — SSH or HTTP connections, for example — if we want our server to respond to those types of requests. If you’re using a cloud server, you will probably want to allow incoming SSH connections so you can connect to and manage your server.

To configure your server to allow incoming SSH connections, you can use this command:

```
sudo ufw allow ssh
```

This will create firewall rules that will allow all connections on port `22`, which is the port that the SSH daemon listens on by default. UFW knows what port `allow ssh` means because it’s listed as a service in the `/etc/services` file.

However, we can actually write the equivalent rule by specifying the port instead of the service name. For example, this command works the same as the one above:

```
sudo ufw allow 22
```

If you configured your SSH daemon to use a different port, you will have to specify the appropriate port. For example, if your SSH server is listening on port `2222`, you can use this command to allow connections on that port:

```
sudo ufw allow 2222
```

Now that your firewall is configured to allow incoming SSH connections, we can enable it.

## [Step 4 — Enabling UFW](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#step-4-enabling-ufw)[](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#step-4-enabling-ufw)

To enable UFW, use this command:

```
sudo ufw enable
```

You will receive a warning that says the command may disrupt existing SSH connections. We already set up a firewall rule that allows SSH connections, so it should be fine to continue. Respond to the prompt with `y` and hit `ENTER`.

The firewall is now active. Run the `sudo ufw status verbose` command to see the rules that are set. The rest of this tutorial covers how to use UFW in more detail, like allowing or denying different kinds of connections.

## [Step 5 — Allowing Other Connections](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#step-5-allowing-other-connections)[](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#step-5-allowing-other-connections)

At this point, you should allow all of the other connections that your server needs to respond to. The connections that you should allow depends on your specific needs. Luckily, you already know how to write rules that allow connections based on a service name or port; we already did this for SSH on port `22`. You can also do this for:

- HTTP on port 80, which is what unencrypted web servers use, using `sudo ufw allow http` or `sudo ufw allow 80`
- HTTPS on port 443, which is what encrypted web servers use, using `sudo ufw allow https` or `sudo ufw allow 443`

There are several others ways to allow other connections, aside from specifying a port or known service.

### [Specific Port Ranges](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#specific-port-ranges)[](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#specific-port-ranges)

You can specify port ranges with UFW. Some applications use multiple ports, instead of a single port.

For example, to allow X11 connections, which use ports `6000`-`6007`, use these commands:

```
sudo ufw allow 6000:6007/tcp
sudo ufw allow 6000:6007/udp
```

When specifying port ranges with UFW, you must specify the protocol (`tcp` or `udp`) that the rules should apply to. We haven’t mentioned this before because not specifying the protocol automatically allows both protocols, which is OK in most cases.

### [Specific IP Addresses](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#specific-ip-addresses)[](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#specific-ip-addresses)

When working with UFW, you can also specify IP addresses. For example, if you want to allow connections from a specific IP address, such as a work or home IP address of `203.0.113.4`, you need to specify `from`, then the IP address:

```
sudo ufw allow from 203.0.113.4
```

You can also specify a specific port that the IP address is allowed to connect to by adding `to any port` followed by the port number. For example, If you want to allow `203.0.113.4` to connect to port `22` (SSH), use this command:

```
sudo ufw allow from 203.0.113.4 to any port 22
```

### [Subnets](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#subnets)[](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#subnets)

If you want to allow a subnet of IP addresses, you can do so using CIDR notation to specify a netmask. For example, if you want to allow all of the IP addresses ranging from `203.0.113.1` to `203.0.113.254` you could use this command:

```
sudo ufw allow from 203.0.113.0/24
```

Likewise, you may also specify the destination port that the subnet `203.0.113.0/24` is allowed to connect to. Again, we’ll use port `22` (SSH) as an example:

```
sudo ufw allow from 203.0.113.0/24 to any port 22
```

### [Connections to a Specific Network Interface](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#connections-to-a-specific-network-interface)[](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#connections-to-a-specific-network-interface)

If you want to create a firewall rule that only applies to a specific network interface, you can do so by specifying “allow in on” followed by the name of the network interface.

You may want to look up your network interfaces before continuing. To do so, use this command:

```
ip addr
```

```
Output Excerpt2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
. . .
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default
. . .
```

The highlighted output indicates the network interface names. They are typically named something like `eth0` or `enp3s2`.

So, if your server has a public network interface called `eth0`, you could allow HTTP traffic (port `80`) to it with this command:

```
sudo ufw allow in on eth0 to any port 80
```

Doing so would allow your server to receive HTTP requests from the public internet.

Or, if you want your MySQL database server (port `3306`) to listen for connections on the private network interface `eth1`, for example, you could use this command:

```
sudo ufw allow in on eth1 to any port 3306
```

This would allow other servers on your private network to connect to your MySQL database.

## [Step 6 — Denying Connections](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#step-6-denying-connections)[](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#step-6-denying-connections)

If you haven’t changed the default policy for incoming connections, UFW is configured to deny all incoming connections. Generally, this simplifies the process of creating a secure firewall policy by requiring you to create rules that explicitly allow specific ports and IP addresses through.

However, sometimes you will want to deny specific connections based on the source IP address or subnet, perhaps because you know that your server is being attacked from there. Also, if you want to change your default incoming policy to **allow** (which is not recommended), you would need to create **deny** rules for any services or IP addresses that you don’t want to allow connections for.

To write **deny** rules, you can use the commands described above, replacing **allow** with **deny**.

For example, to deny HTTP connections, you could use this command:

```
sudo ufw deny http
```

Or if you want to deny all connections from `203.0.113.4` you could use this command:

```
sudo ufw deny from 203.0.113.4
```

Now let’s take a look at how to delete rules.

## [Step 7 — Deleting Rules](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#step-7-deleting-rules)[](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#step-7-deleting-rules)

Knowing how to delete firewall rules is just as important as knowing how to create them. There are two different ways to specify which rules to delete: by rule number or by the actual rule (similar to how the rules were specified when they were created). We’ll start with the **delete by rule number** method because it is easier.

### [By Rule Number](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#by-rule-number)[](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#by-rule-number)

If you’re using the rule number to delete firewall rules, the first thing you’ll want to do is get a list of your firewall rules. The UFW status command has an option to display numbers next to each rule, as demonstrated here:

```
sudo ufw status numbered
```

```
Numbered Output:Status: active

To Action From
-- ------ ----
[ 1] 22 ALLOW IN 15.15.15.0/24
[ 2] 80 ALLOW IN Anywhere
```

If we decide that we want to delete rule 2, the one that allows port 80 (HTTP) connections, we can specify it in a UFW delete command like this:

```
sudo ufw delete 2
```

This would show a confirmation prompt then delete rule 2, which allows HTTP connections. Note that if you have IPv6 enabled, you would want to delete the corresponding IPv6 rule as well.

### [By Actual Rule](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#by-actual-rule)[](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#by-actual-rule)

The alternative to rule numbers is to specify the actual rule to delete. For example, if you want to remove the `allow http` rule, you could write it like this:

```
sudo ufw delete allow http
```

You could also specify the rule by `allow 80`, instead of by service name:

```
sudo ufw delete allow 80
```

This method will delete both IPv4 and IPv6 rules, if they exist.

## [Step 8 — Checking UFW Status and Rules](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#step-8-checking-ufw-status-and-rules)[](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#step-8-checking-ufw-status-and-rules)

At any time, you can check the status of UFW with this command:

```
sudo ufw status verbose
```

If UFW is disabled, which it is by default, you’ll see something like this:

```
OutputStatus: inactive
```

If UFW is active, which it should be if you followed Step 3, the output will say that it’s active and it will list any rules that are set. For example, if the firewall is set to allow SSH (port `22`) connections from anywhere, the output might look something like this:

```
OutputStatus: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
```

Use the `status` command if you want to check how UFW has configured the firewall.

## [Step 9 — Disabling or Resetting UFW (optional)](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#step-9-disabling-or-resetting-ufw-optional)[](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#step-9-disabling-or-resetting-ufw-optional)

If you decide you don’t want to use UFW, you can disable it with this command:

```
sudo ufw disable
```

Any rules that you created with UFW will no longer be active. You can always run `sudo ufw enable` if you need to activate it later.

If you already have UFW rules configured but you decide that you want to start over, you can use the reset command:

```
sudo ufw reset
```

This will disable UFW and delete any rules that were previously defined. Keep in mind that the default policies won’t change to their original settings, if you modified them at any point. This should give you a fresh start with UFW.

## [Conclusion](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#conclusion)[](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-20-04#conclusion)

Your firewall is now configured to allow (at least) SSH connections. Be sure to allow any other incoming connections that your server needs, while limiting any unnecessary connections, so your server will be functional and secure.

To learn about more common UFW configurations, check out the [UFW Essentials: Common Firewall Rules and Commands](https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands) tutorial.
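Review bot: the front matter of this new file says `title: backup of "complete guide to configuring ssh in ubuntu"`, but the file path (`how_to_set_up_a_firewall_with_ufw_on_ubuntu_20_04.md`) and the line right after the front matter identify it as the backup of "how to set up a firewall with ufw on ubuntu 20.04"; the title should match, as it does in the partitioning backup above. Two smaller points in the body: the `Output` caption is again fused onto the first output line (`Output Excerpt2: eth0: ...`, `Numbered Output:Status: active`, `OutputStatus: inactive`), and Step 8's "which it should be if you followed Step 3" points at the wrong step, since the firewall is enabled in "Step 4 — Enabling UFW" (Step 3 only adds the SSH allow rule). The sentence "The highlighted output indicates the network interface names" under the network interface section also refers to highlighting the copy dropped; naming `eth0` and `eth1` from the listing would say the same thing.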