Autosave: 2025-02-16 15:17:25

neuron/5ce25cd2-1b2b-459a-bb58-283daadf8753/Disable_non-root_ssh_access.md

@@ -0,0 +1,27 @@
+---
+tags: [server-management, ssh, procedural, linux]
+created: Saturday, February 15, 2025
+---
+
+# Disable non-root SSH access
+
+Best practice is to:
+
+- Disallow root login
+- Block password-based login
+- Allow only SSH-based login
+
+Do this by editing `/etc/ssh/sshd_config`:
+
+```
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+```
+
+Then restart the SSH service:
+
+```
+sudo systemctl restart sshd
+```
+
+(Assumes you have already set-up SSH-based login for a non-root user!)

neuron/5ce25cd2-1b2b-459a-bb58-283daadf8753/Firewalls.md

@@ -1,5 +1,5 @@
 ---
-tags: [networks, server-management]
+tags: [networks, server-management, firewalls]
 created: Sunday, February 09, 2025
 ---
 
@@ -40,7 +40,7 @@ IPTables is the standard Linux software for managing firewalls. There is also
 Uncomplicated Firewall (UWF) which attaches to IPTables and simplifies the
 process.
 
-Another usefule software is Fail2ban which can automatically configure your
+Another useful software is Fail2ban which can automatically configure your
 firewall to block brute force login attempts and DDOS attacks.
 
 ## Difference from reverse proxies

neuron/5ce25cd2-1b2b-459a-bb58-283daadf8753/UFW_firewall_management.md

@@ -0,0 +1,55 @@
+---
+tags: [server-management, procedural, linux, firewalls]
+created: Sunday, February 16, 2025
+---
+
+# UFW firewall management
+
+`ufw` (Uncomplicated Firewall) simplifies the process of setting up firewalls on
+your server, without directly using `iptables`.
+
+```sh
+sudo apt install ufw
+```
+
+First we deny all incoming requests as the default:
+
+```sh
+ufw default deny incoming
+```
+
+And allow all outgoing requests as the default:
+
+```sh
+ufw default allow outgoing
+```
+
+Next we need to allow certain requests based on their port:
+
+| Port | Service | Rule  |
+| ---- | ------- | ----- |
+| 22   | SSH     | allow |
+| 80   | HTTP    | allow |
+| 443  | HTTPS   | allow |
+
+```sh
+sudo ufw allow 22/tcp
+sudo ufw allow 80/tcp
+sudo ufw allow 443/tcp
+```
+
+Enable:
+
+```sh
+ufw enable
+```
+
+Verify rules:
+
+```sh
+ufw status --verbose
+```
+
+```
+
+```

neuron/5ce25cd2-1b2b-459a-bb58-283daadf8753/index.md

@@ -13,15 +13,17 @@ computer science.
 
 <a href="https://thomasabishop.github.io/eolas/tags">View tags</a>
  
-**Build ID:** 666a9949-2ad4-4228-a102-35f508a9db5d
+**Build ID:** 5ce25cd2-1b2b-459a-bb58-283daadf8753
 
-**Published:** Tue 11 Feb 2025 18:11:45
+**Published:** Sun 16 Feb 2025 15:17:20
 
 ### Recent edits 
 
+- [[UFW_firewall_management]] 
+- [[Firewalls]] 
+- [[Disable_non-root_ssh_access]] 
 - [[Setup encrypted harddrive]] 
 - [[Disk_size_utilities]] 
-- [[Firewalls]] 
 - [[Let's_Encrypt]] 
 - [[Certificate_authorities]] 
 - [[HTTPS]] 
@@ -29,11 +31,9 @@ computer science.
 - [[e383b8b3_nginx_vs_traefik]] 
 - [[Proxies]] 
 - [[LineageOS_backup]] 
-- [[4dec6fe0_shadow_text]] 
-- [[c9d7492f_requerimiento]] 
 
 
-### All notes (528) 
+### All notes (530) 
 
 - [[0716531c_rewilding_the_internet]] 
 - [[241fe1a3_the_Web_versus_modem_BBSs]] 
@@ -174,6 +174,7 @@ computer science.
 - [[Devices]] 
 - [[Dictionaries_in_Python]] 
 - [[Difference_between_remote_origin_and_head]] 
+- [[Disable_non-root_ssh_access]] 
 - [[Disjunction_Elimination]] 
 - [[Disjunction_Introduction]] 
 - [[Disk_info]] 
@@ -494,6 +495,7 @@ computer science.
 - [[Type_guarding_and_narrowing_in_TS]] 
 - [[Type_hinting]] 
 - [[Typing_built_in_React_hooks]] 
+- [[UFW_firewall_management]] 
 - [[Union_types_in_TS]] 
 - [[Unknown_type_in_TS]] 
 - [[Update_a_Mongo_document]] 

neuron/5ce25cd2-1b2b-459a-bb58-283daadf8753/tags.md

@@ -4,7 +4,7 @@ unlisted: true
 ---
 
 # Tags
-[algebra](./tags#algebra), [algorithms](./tags#algorithms), [analogue](./tags#analogue), [android](./tags#android), [APIs](./tags#APIs), [arch-linux](./tags#arch-linux), [arithmetic](./tags#arithmetic), [ARPA](./tags#ARPA), [ARPANET](./tags#ARPANET), [awk](./tags#awk), [AWS](./tags#AWS), [aws-lambda](./tags#aws-lambda), [binary](./tags#binary), [bulletin-boards](./tags#bulletin-boards), [bus](./tags#bus), [C](./tags#C), [computer-architecture](./tags#computer-architecture), [computer-history](./tags#computer-history), [containerization](./tags#containerization), [CPU](./tags#CPU), [cryptography](./tags#cryptography), [csv](./tags#csv), [data-structures](./tags#data-structures), [data-types](./tags#data-types), [databases](./tags#databases), [design-patterns](./tags#design-patterns), [disks](./tags#disks), [docker](./tags#docker), [dynamodb](./tags#dynamodb), [ecopolsoc](./tags#ecopolsoc), [electricity](./tags#electricity), [electromagnetism](./tags#electromagnetism), [electronics](./tags#electronics), [encryption](./tags#encryption), [exponents](./tags#exponents), [file-system](./tags#file-system), [fleeting](./tags#fleeting), [fractions](./tags#fractions), [git](./tags#git), [graphql](./tags#graphql), [hardware](./tags#hardware), [IaC](./tags#IaC), [internet](./tags#internet), [javascript](./tags#javascript), [jest](./tags#jest), [json](./tags#json), [JSON](./tags#JSON), [kernel](./tags#kernel), [Linux](./tags#Linux), [linux](./tags#linux), [literature](./tags#literature), [logic](./tags#logic), [logic-gates](./tags#logic-gates), [memory](./tags#memory), [Microsoft](./tags#Microsoft), [middleware](./tags#middleware), [modems](./tags#modems), [mongo-db](./tags#mongo-db), [mongoose](./tags#mongoose), [nand-to-tetris](./tags#nand-to-tetris), [network-protocols](./tags#network-protocols), [networks](./tags#networks), [node-js](./tags#node-js), [number-systems](./tags#number-systems), [number-theory](./tags#number-theory), [OOP](./tags#OOP), [operating-systems](./tags#operating-systems), [packet-switching](./tags#packet-switching), [physics](./tags#physics), [ports](./tags#ports), [prealgebra](./tags#prealgebra), [privacy](./tags#privacy), [procedural](./tags#procedural), [propositional-logic](./tags#propositional-logic), [proxies](./tags#proxies), [python](./tags#python), [question](./tags#question), [raspberry-pi](./tags#raspberry-pi), [react](./tags#react), [recursion](./tags#recursion), [regex](./tags#regex), [REST](./tags#REST), [S3](./tags#S3), [server-management](./tags#server-management), [set-theory](./tags#set-theory), [shell](./tags#shell), [SNS](./tags#SNS), [sound](./tags#sound), [SQL](./tags#SQL), [SQLite](./tags#SQLite), [SQS](./tags#SQS), [storage](./tags#storage), [surveillance-capitalism](./tags#surveillance-capitalism), [systemd](./tags#systemd), [systems-programming](./tags#systems-programming), [testing](./tags#testing), [theorems](./tags#theorems), [theory-of-computation](./tags#theory-of-computation), [time](./tags#time), [TOR](./tags#TOR), [Turing](./tags#Turing), [typescript](./tags#typescript), [unix](./tags#unix), [world-wide-web](./tags#world-wide-web), [yaml](./tags#yaml), 
+[algebra](./tags#algebra), [algorithms](./tags#algorithms), [analogue](./tags#analogue), [android](./tags#android), [APIs](./tags#APIs), [arch-linux](./tags#arch-linux), [arithmetic](./tags#arithmetic), [ARPA](./tags#ARPA), [ARPANET](./tags#ARPANET), [awk](./tags#awk), [AWS](./tags#AWS), [aws-lambda](./tags#aws-lambda), [binary](./tags#binary), [bulletin-boards](./tags#bulletin-boards), [bus](./tags#bus), [C](./tags#C), [computer-architecture](./tags#computer-architecture), [computer-history](./tags#computer-history), [containerization](./tags#containerization), [CPU](./tags#CPU), [cryptography](./tags#cryptography), [csv](./tags#csv), [data-structures](./tags#data-structures), [data-types](./tags#data-types), [databases](./tags#databases), [design-patterns](./tags#design-patterns), [disks](./tags#disks), [docker](./tags#docker), [dynamodb](./tags#dynamodb), [ecopolsoc](./tags#ecopolsoc), [electricity](./tags#electricity), [electromagnetism](./tags#electromagnetism), [electronics](./tags#electronics), [encryption](./tags#encryption), [exponents](./tags#exponents), [file-system](./tags#file-system), [firewalls](./tags#firewalls), [fleeting](./tags#fleeting), [fractions](./tags#fractions), [git](./tags#git), [graphql](./tags#graphql), [hardware](./tags#hardware), [IaC](./tags#IaC), [internet](./tags#internet), [javascript](./tags#javascript), [jest](./tags#jest), [json](./tags#json), [JSON](./tags#JSON), [kernel](./tags#kernel), [Linux](./tags#Linux), [linux](./tags#linux), [literature](./tags#literature), [logic](./tags#logic), [logic-gates](./tags#logic-gates), [memory](./tags#memory), [Microsoft](./tags#Microsoft), [middleware](./tags#middleware), [modems](./tags#modems), [mongo-db](./tags#mongo-db), [mongoose](./tags#mongoose), [nand-to-tetris](./tags#nand-to-tetris), [network-protocols](./tags#network-protocols), [networks](./tags#networks), [node-js](./tags#node-js), [number-systems](./tags#number-systems), [number-theory](./tags#number-theory), [OOP](./tags#OOP), [operating-systems](./tags#operating-systems), [packet-switching](./tags#packet-switching), [physics](./tags#physics), [ports](./tags#ports), [prealgebra](./tags#prealgebra), [privacy](./tags#privacy), [procedural](./tags#procedural), [propositional-logic](./tags#propositional-logic), [proxies](./tags#proxies), [python](./tags#python), [question](./tags#question), [raspberry-pi](./tags#raspberry-pi), [react](./tags#react), [recursion](./tags#recursion), [regex](./tags#regex), [REST](./tags#REST), [S3](./tags#S3), [server-management](./tags#server-management), [set-theory](./tags#set-theory), [shell](./tags#shell), [SNS](./tags#SNS), [sound](./tags#sound), [SQL](./tags#SQL), [SQLite](./tags#SQLite), [SQS](./tags#SQS), [ssh](./tags#ssh), [storage](./tags#storage), [surveillance-capitalism](./tags#surveillance-capitalism), [systemd](./tags#systemd), [systems-programming](./tags#systems-programming), [testing](./tags#testing), [theorems](./tags#theorems), [theory-of-computation](./tags#theory-of-computation), [time](./tags#time), [TOR](./tags#TOR), [Turing](./tags#Turing), [typescript](./tags#typescript), [unix](./tags#unix), [world-wide-web](./tags#world-wide-web), [yaml](./tags#yaml), 
 
 ### algebra 
 
@@ -385,6 +385,10 @@ unlisted: true
 - [[Reading_files_in_Python]] 
 - [[Working_with_directories_in_Python]] 
 - [[Writing_to_files_in_Python]] 
+### firewalls 
+
+- [[Firewalls]] 
+- [[UFW_firewall_management]] 
 ### fleeting 
 
 - [[385af4b4_Baran_distributed_networks]] 
@@ -534,8 +538,10 @@ unlisted: true
 - [[VirtualMemory]] 
 ### linux 
 
+- [[Disable_non-root_ssh_access]] 
 - [[Disk_size_utilities]] 
 - [[LineageOS_backup]] 
+- [[UFW_firewall_management]] 
 ### literature 
 
 - [[The_History_of_Computing_Swade]] 
@@ -842,6 +848,7 @@ unlisted: true
 - [[Compile_Python_app_to_single_executable]] 
 - [[Create_timed_systemd_job]] 
 - [[Cron]] 
+- [[Disable_non-root_ssh_access]] 
 - [[Disk_info]] 
 - [[Disk_size_utilities]] 
 - [[Effective_logging_in_Git]] 
@@ -866,6 +873,7 @@ unlisted: true
 - [[Symlinks]] 
 - [[systemd]] 
 - [[systemd_status]] 
+- [[UFW_firewall_management]] 
 - [[User_management_in_Linux]] 
 - [[View_IP_addresses]] 
 - [[Working_with_directories_in_Python]] 
@@ -1015,9 +1023,11 @@ unlisted: true
 ### server-management 
 
 - [[Certificate_authorities]] 
+- [[Disable_non-root_ssh_access]] 
 - [[Firewalls]] 
 - [[HTTPS]] 
 - [[Let's_Encrypt]] 
+- [[UFW_firewall_management]] 
 ### set-theory 
 
 - [[Axioms_of_set_theory]] 
@@ -1105,6 +1115,9 @@ unlisted: true
 - [[AWS_SNS]] 
 - [[AWS_SQS]] 
 - [[AWS_SQS_SDK]] 
+### ssh 
+
+- [[Disable_non-root_ssh_access]] 
 ### storage 
 
 - [[Magnetic_tape]] 

zk/Disable_non-root_ssh_access.md

@@ -0,0 +1,27 @@
+---
+tags: [server-management, ssh, procedural, linux]
+created: Saturday, February 15, 2025
+---
+
+# Disable non-root SSH access
+
+Best practice is to:
+
+- Disallow root login
+- Block password-based login
+- Allow only SSH-based login
+
+Do this by editing `/etc/ssh/sshd_config`:
+
+```
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+```
+
+Then restart the SSH service:
+
+```
+sudo systemctl restart sshd
+```
+
+(Assumes you have already set-up SSH-based login for a non-root user!)

zk/Firewalls.md

@@ -1,5 +1,5 @@
 ---
-tags: [networks, server-management]
+tags: [networks, server-management, firewalls]
 created: Sunday, February 09, 2025
 ---
 
@@ -9,7 +9,7 @@ A firewall is a server mechanism that filters incoming requests for resources
 and services that it hosts.
 
 Based on data about the requester, derived from the
-[TLS](/zk/Transport_Layer_of_Internet_Protocol.md) packet headers, the firewall
+[TLS](./Transport_Layer_of_Internet_Protocol.md) packet headers, the firewall
 decides whether or not to grant access to the requested resource.
 
 It will typically comprise three actions:
@@ -40,7 +40,7 @@ IPTables is the standard Linux software for managing firewalls. There is also
 Uncomplicated Firewall (UWF) which attaches to IPTables and simplifies the
 process.
 
-Another usefule software is Fail2ban which can automatically configure your
+Another useful software is Fail2ban which can automatically configure your
 firewall to block brute force login attempts and DDOS attacks.
 
 ## Difference from reverse proxies

zk/UFW_firewall_management.md

@@ -0,0 +1,55 @@
+---
+tags: [server-management, procedural, linux, firewalls]
+created: Sunday, February 16, 2025
+---
+
+# UFW firewall management
+
+`ufw` (Uncomplicated Firewall) simplifies the process of setting up firewalls on
+your server, without directly using `iptables`.
+
+```sh
+sudo apt install ufw
+```
+
+First we deny all incoming requests as the default:
+
+```sh
+ufw default deny incoming
+```
+
+And allow all outgoing requests as the default:
+
+```sh
+ufw default allow outgoing
+```
+
+Next we need to allow certain requests based on their port:
+
+| Port | Service | Rule  |
+| ---- | ------- | ----- |
+| 22   | SSH     | allow |
+| 80   | HTTP    | allow |
+| 443  | HTTPS   | allow |
+
+```sh
+sudo ufw allow 22/tcp
+sudo ufw allow 80/tcp
+sudo ufw allow 443/tcp
+```
+
+Enable:
+
+```sh
+ufw enable
+```
+
+Verify rules:
+
+```sh
+ufw status --verbose
+```
+
+```
+
+```