Friday, 10 July 2026

What is a UFW in ubuntu ?

UFW (Uncomplicated Firewall) is a user-friendly frontend for managing iptables/nftables firewall rules in Linux systems like Ubuntu and Debian.
Below is a structured reference to the most common UFW commands. Most configuration changes require sudo privileges.

1. General Management & Status

These commands let you control the firewall state and check current active rulesets.
  • Check status:
    sudo ufw status
    
  • Check detailed status (shows logging levels and default policies):
    sudo ufw status verbose
    
  • Enable the firewall (starts on system boot):
    sudo ufw enable
    
  • Disable the firewall:
    sudo ufw disable
    
  • Reload the firewall (applies modifications to configuration files):
    sudo ufw reload
    
  • Reset the firewall (deletes all rules and restores defaults):
    sudo ufw reset
    

2. Default Policies

Setting global policies determines how UFW treats traffic that doesn't match any specific rule. The standard recommended baseline is to block incoming and allow outgoing:
  • Block all incoming traffic by default:
    sudo ufw default deny incoming
    
  • Allow all outgoing traffic by default:
    sudo ufw default allow outgoing
    

3. Managing Port & Protocol Rules

You can open or close ports using service names (defined in /etc/services) or explicit port numbers. 
  • Allow a service by name (e.g., SSH):
    sudo ufw allow ssh
    
  • Allow a specific port (both TCP and UDP):
    sudo ufw allow 80
    
  • Allow a specific port and protocol (recommended):
    sudo ufw allow 443/tcp
    
  • Allow a specific port range (protocol required):
    sudo ufw allow 40000:50000/tcp
    
  • Deny traffic on a port:
    sudo ufw deny 25
    
  • Rate limit connections (useful for preventing brute force on SSH; caps at 6 connections per 30 seconds from a single IP):
    sudo ufw limit 22/tcp

4. IP-Based Filtering

To handle connections originating from specific network locations, use these commands:
  • Allow all traffic from a specific IP address:
    sudo ufw allow from 203.0.113.10
    
  • Block all traffic from a specific IP address:
    sudo ufw deny from 203.0.113.10
    
  • Allow an IP address to access a specific port:
    sudo ufw allow from 203.0.113.10 to any port 22
    
  • Allow an entire subnet (CIDR notation) to access a specific port:
    sudo ufw allow from 10.0.0.0/24 to any port 3306
    

5. Deleting Rules

There are two primary methods to remove rules you no longer need:
  • Delete by original specification: Duplicate the exact rule you added but prepend the word delete.
    sudo ufw delete allow 80/tcp
    
  • Delete by line number (Easiest for clean-up): First, list rules with assigned numbers:
    sudo ufw status numbered
    
    Then, delete using the corresponding index:
    sudo ufw delete 3
    

6. Application Profiles

Many packages (like Nginx, Apache, or OpenSSH) install profiles inside UFW to simplify rule management.
  • List available application profiles:
    sudo ufw app list
    
  • View details about a specific profile:
    sudo ufw app info "Nginx Full"
    
  • Allow an application profile:
    sudo ufw allow "OpenSSH"
    

7. Logging Options

  • Turn logging on/off:
    sudo ufw logging on
    sudo ufw logging off
    
  • Change log level granularity (low, medium, high, full):
    sudo ufw logging medium
    


Important Safety Warning: If you are configuring a remote server over SSH, always execute sudo ufw allow ssh or sudo ufw allow 22/tcp before running sudo ufw enable. Failing to do so will immediately lock you out of your server.

Thursday, 9 July 2026

What is getent command in linux ?

getent stands for "get entries".

It is a Linux command that retrieves entries from system databases configured in NSS (Name Service Switch). Instead of reading only local files like /etc/passwd, it queries the system's configured user/group sources (local files, LDAP, NIS, Active Directory integration, etc.).

Syntax

getent <database>

Common examples


Get all users

getent passwd

Output:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
dinesh:x:1000:1000:Dinesh:/home/dinesh:/bin/bash

Get a specific user

getent passwd dinesh

Output:

dinesh:x:1000:1000:Dinesh:/home/dinesh:/bin/bash

Get all groups

getent group

Get a specific group

getent group sudo

Output:

sudo:x:27:dinesh,admin

Get host information

getent hosts localhost

Output:

127.0.0.1 localhost


Why use getent passwd instead of cat /etc/passwd?

cat /etc/passwd

Only reads the local file.

getent passwd

Queries the system's user database, which may include:

  • Local users (/etc/passwd)
  • LDAP users
  • Active Directory users
  • NIS users

Therefore, getent is generally the recommended command for user lookups.

To list only usernames

getent passwd | cut -d: -f1

Example output:

root
daemon
ubuntu
dinesh

This is one of the most common commands to see all users known to an Ubuntu system.

How to display the users in a Ubunu linux ?

 On Ubuntu (or any Linux system), you can view all user accounts in several ways.

1. List all users from /etc/passwd

cat /etc/passwd

Or just display the usernames:

cut -d: -f1 /etc/passwd

Example output:

root
daemon
bin
sys
ubuntu
dinesh

2. Get all users from the system database

This method also works if users come from LDAP or other authentication services:

getent passwd

To show only usernames:

getent passwd | cut -d: -f1

3. List regular (human) users only

Most system accounts have UIDs below 1000. To show regular users:

awk -F: '$3 >= 1000 {print $1}' /etc/passwd

Example:

dinesh
john
alice

4. See currently logged-in users

who

or

w

Example:

dinesh pts/0 2026-07-09 09:00

5. Check users with sudo privileges

Members of the sudo group can run administrative commands:

getent group sudo

Or:

grep '^sudo:' /etc/group

6. Count total users

getent passwd | wc -l

7. Display users and their UID/GID

getent passwd | awk -F: '{print "User=" $1 ", UID=" $3 ", GID=" $4}'

This can help distinguish system users from normal users.


Most commonly used command:

getent passwd | cut -d: -f1

It lists all users known to the Ubuntu system.

What is fail2ban tool in linux ?

Fail2ban is a highly popular, open-source security tool in Linux that works hand-in-hand with your firewall (like UFW) and your SSH daemon (sshd) to protect your server from brute-force attacks. 

If your server has an open SSH port, automated bots across the internet will constantly attempt to guess your passwords. Fail2ban stops them automatically. 

How Fail2ban Works

  1. Log Monitoring: It constantly scans system log files (like /var/log/auth.log for SSH logins) looking for suspicious activity. 
  2. Detection: It counts automated patterns, such as multiple failed login attempts from the exact same IP address within a short time frame.
  3. Action (The "Ban"): Once an IP address hits a specified threshold (e.g., 5 failed attempts), Fail2ban automatically updates your firewall (UFW/iptables) rules to completely block that IP address for a set period of time. 

Essential Fail2ban Commands

For example, if you are working with Ubuntu, here are the most critical commands to install, manage, and monitor Fail2ban.

1. Installation & Service Management

Fail2ban does not come pre-installed on Ubuntu by default. You can install it using: 
sudo apt update
sudo apt install fail2ban -y
Once installed, manage its background service just like sshd: 
sudo systemctl status fail2ban    # Check if it's running
sudo systemctl restart fail2ban   # Restart after changing settings

2. Checking the Status (The Control Center)

Fail2ban organizes its protection rules into profiles called "Jails" (e.g., an sshd jail, an apache jail, etc.). You interact with them using the fail2ban-client command. 
  • See active protection modules (jails):
    sudo fail2ban-client status
    
  • See stats for a specific jail (e.g., SSH):
    This command shows you exactly how many times bots have tried to attack you, and lists the IP addresses currently locked out.
    sudo fail2ban-client status sshd
    

3. Banning and Unbanning IPs Manually

Sometimes you might accidentally lock yourself out of your own server by typing your password wrong too many times, or you might want to manually ban a malicious IP address. How to unban an IP address (Rescue yourself):
  • sudo fail2ban-client set sshd unbanip <IP_ADDRESS>
    
  • How to manually ban an IP address:
    sudo fail2ban-client set sshd banip <IP_ADDRESS>
    


How to Configure Fail2ban Securely

Never edit the default configuration file directly (/etc/fail2ban/jail.conf), because system updates will overwrite your changes. Instead, create a local copy: 
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Open that new file using a text editor like nano: 
sudo nano /etc/fail2ban/jail.local
Look for the [DEFAULT] section to adjust your core thresholds:
  • ignoreip: Add your home or office IP address here (separated by spaces) so Fail2ban never accidentally bans you.
  • bantime: How long an IP stays blocked (e.g., 10m for 10 minutes, or 1d for a whole day).
  • findtime: The time window for mistakes (e.g., if a user fails maxretry times within 10m, ban them).
  • maxretry: The number of failed attempts allowed before the ban triggers (usually set between 3 and 5).

What is sshd in linux/unix environment ?

In Linux & Networking: Secure Shell Daemon

In computer networks and Linux/Unix systems, sshd is a crucial background software program:
  • What it does: The letters stand for Secure Shell daemon (in Linux, a "daemon" is simply a background process).
  • How it works: It runs continuously on a server, listening for incoming network connections via the Secure Shell (SSH) Protocol.
  • Purpose: When you want to securely log into your server or transfer files from a remote location, sshd is the program that catches your request, handles user authentication, and encrypts the entire communication tunnel.

Managing the sshd Service

On modern Linux distributions (such as Ubuntu, Debian, CentOS, RHEL, and Fedora), you manage the background process using systemctl. You will need root or sudo privileges to run these.
  • Check the service status: See if the daemon is currently running, stopped, or experiencing errors.
  • sudo systemctl status sshd
  • Start the service: Turn the SSH server on
    • sudo systemctl start sshd
  • Stop the service: Turn the SSH server off (Warning: This will disconnect active remote sessions once they close and prevent new ones).

    • sudo systemctl stop sshd


  • Reload the service: Applies configuration changes without dropping active user connections (safer than a full restart).

    • sudo systemctl reload sshd

  • Enable on boot: Ensure that sshd automatically starts up whenever the server reboots.

    • sudo systemctl enable sshd

  • Disable on boot: Prevents the SSH server from launching automatically when the system starts.
                sudo systemctl disable sshd

Testing Configuration Files


Before you restart your SSH server after making changes, you should always test your configuration file for syntax errors. If there is a typo, the server won't start, and you could get locked out.

Test syntax: Run the daemon in test mode. If it returns no output, your configuration is valid.

                    sudo sshd -t

Extended test mode: Checks the validity of the configuration file, prints the effective configuration options, and then exits.

                    sudo sshd -T

Locating Important Files


While these aren't execution commands, these file paths are critical when working with sshd:
  • Main Configuration File: /etc/ssh/sshd_config (Where you change ports, disable root logins, or configure key authentication).
  • System Logs: /var/log/auth.log (Ubuntu/Debian) or /var/log/secure (RHEL/CentOS). You can view unauthorized access attempts here using:
               sudo tail -f /var/log/auth.log

Checking Active Connections


  •     If you want to see who is currently connected to your server via sshd, you can use network monitoring tools:
                ps aux | grep sshd
  • See active network connections on the SSH port (usually 22):
                sudo ss -tulpn | grep sshd