iptables is the classic userspace interface to Netfilter. nftables is the modern replacement. Both write rules into kernel hook-points.ufw allow 22/tcp. The rules it generates are plain iptables under the hood.ufw allow 22/tcp before ufw enable. If you enable first, you cut your own SSH connection. On cloud instances, console access is your only recovery path.
nmap.ufw allow 8080/tcp comment 'dev API server'. A rule without a comment is a rule without an owner. Orphaned rules accumulate and no one removes them.PasswordAuthentication no in sshd_config once keys are deployed.pam_google_authenticator.so into /etc/pam.d/sshd.sshd_config, reload the daemon without dropping active connections:sudo systemctl reload sshd
sshd_config locks you out instantly.
sudo sshd -t — dry-runs the config and reports errors. Run this before every reload.
sudo apt install libpam-google-authenticator. Per user: run google-authenticator and scan the QR code into any TOTP app (Authy, Google Authenticator, 1Password). The secret is stored in ~/.google_authenticator.
sudo visudo is the safe editor for /etc/sudoers. Never edit it directly — a syntax error makes sudo inoperative system-wide. Use NOPASSWD: sparingly and only for specific commands, never ALL.
pam_tally2 (Ubuntu 20.04) or pam_faillock (Ubuntu 22.04+) tracks failed console logins. Lock after 5 failures: faillock --user alice --reset to unlock manually.
journalctl -u clamav-scan. Set OnCalendar=daily and Persistent=true so missed scans (e.g., during maintenance windows) run on next boot.
rkhunter --propupd immediately after a clean install to record system binary hashes. Future scans detect drift from that baseline. Never baseline a potentially-compromised system.curl https://bad-actor.io/install.sh | sudo bash bypasses every step of this chain. Never pipe unknown scripts into bash. Download, inspect, then run.
apt update
apt upgrade
apt install <pkg>
apt remove <pkg>
apt purge to also delete config files.apt search <term>
apt show <pkg> to see details including dependencies and size.apt autoremove
dpkg -l | grep <name>
dpkg -i pkg.deb installs a local .deb file. dpkg -L pkg lists all files owned by a package.checkinstall wraps make install so dpkg can track it.make install drops files across the filesystem with no record. checkinstall intercepts the installation, records every file placed, and creates a real .deb. The result: apt remove myapp cleans it up completely.
sudo apt install build-essential libssl-dev. The build-essential metapackage brings gcc, g++, make, and libc headers. Always read the project's INSTALL file first.
.asc signature alongside the tarball.gpg --verify myapp-2.4.1.tar.gz.asc
A mismatch means the tarball was tampered with or you fetched the wrong file.
ubuntu.com or vendor-published repos over community PPAs for production systems.
sudo apt install unattended-upgrades and configure /etc/apt/apt.conf.d/50unattended-upgrades to auto-apply security updates from Ubuntu's security repository. Non-security updates should be reviewed manually.
freshclam is just an updater.systemctl status sshd tells you if the daemon is alive. journalctl -u sshd -p warn shows every authentication warning without grep.Persistent=true catches missed scans, RequiresMountsFor= ensures storage is ready before scanning.grep "DENIED" /var/log/ufw.log, ss -tlnp to verify open ports, dpkg -l to audit installed packages.ufw enable before adding port 22. Result: terminal hangs, SSH connection drops, no way back in without console access.ufw allow 22/tcp first. Run ufw status and verify port 22 appears before enabling.~/.ssh/authorized_keys is populated. Instant lockout for all users including root.ssh-copy-id user@host. Test key login in a separate terminal. Then disable passwords and reload.clamscan / on a production server saturates I/O and CPU. Service degradation guaranteed.clamdscan (daemon-mode, faster) and schedule scans at 03:00. Scope scans to web roots and upload directories, not /.curl url | sudo bash bypasses GPG verification, package tracking, and dependency resolution in one command.curl -O install.sh && less install.sh && bash install.sh. Or better: use an official package repo.sudo ufw status verbose
nmap -sV 127.0.0.1
sudo sshd -T | grep passwordauth
sudo fail2ban-client status sshd
systemctl status clamav-daemon
clamdscan /usr/share/doc/clamav/
apt list --upgradable 2>/dev/null