

Table of contents

  1. Setup
    1. Setup SSH
    2. Install Firewall
    3. Install FTP server
    4. Cron - Job scheduler
    5. Cockpit - Remote administration of server
      1. Advanced configuration
    6. Install on VirtualBox
  2. Tips & Tricks
    1. Command-line kung-fu
      1. Screen Terminal Multiplexer
    2. CPU & Processes
    3. Services with systemctl
    4. Disk & Data
      1. View SMART disk data
      2. Test read/write speed
      3. Format & mount a USB stick
    5. Files
      1. Virtual Systems: Mount QCoW2
    6. Network & Internet
      1. Set up Let’s Encrypt with Cloudflare DNS
    7. Users & Groups
    8. OS-related
    9. Hardware-related
      1. Power & Battery
      2. BIOS
  3. Security
  4. Recover
    1. Check logs
    2. Bootloader
  5. KVM - Virtual Machines
    1. Setup KVM
    2. Manage VM

Please note: I mainly use Ubuntu Server, so your mileage may vary with other distros.


Setup

  • On a laptop, to disable standby on lid close: in /etc/systemd/logind.conf, uncomment HandleLidSwitch and set it to ignore (HandleLidSwitch=ignore)

Setup SSH

  • Config lives in /etc/ssh/sshd_config
  • PermitRootLogin no to deny root login
  • AllowUsers toto to allow only toto to log in
  • sudo systemctl restart ssh to restart the service

Install Firewall

  • A good tutorial here
  • Install sudo apt install ufw
  • Configuration
    • Check status & list configuration sudo ufw status
    • Set the default policies, for instance ufw default deny incoming and ufw default allow outgoing
    • Allow a port sudo ufw allow PORT
    • Remove an allowance sudo ufw delete allow PORT or sudo ufw delete RULE_NUMBER
    • Rate limit a port (>6 connections within 30 sec) sudo ufw limit PORT
    • PORT can be replaced with a known app like SSH or specific protocol like PORT/tcp
    • Enable sudo ufw enable
    • On alpine rc-update add ufw default
  • Verify
    • Check added rules sudo ufw show added
    • Check existing rules with numbers sudo ufw status numbered
  • Enable sudo ufw enable
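
One way to check that the steps above produced the intended policy is to parse the output of sudo ufw status verbose. This is an added example, not part of the original notes: the function names and the sample output are constructed, and it assumes single-word entries in the To column.

```shell
#!/bin/sh
# Added example: audit `ufw status verbose` output against the policy above
# (firewall active, default deny incoming, no port open to everyone unlimited).

# Constructed sample output; 21 and 9090 are the ports opened on this page.
sample_ufw_status() {
    cat <<'EOF'
Status: active
Logging: on (low)
Default: allow (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT IN    Anywhere
21                         ALLOW IN    Anywhere
9090                       ALLOW IN    192.168.1.0/24
22/tcp (v6)                LIMIT IN    Anywhere (v6)
21 (v6)                    ALLOW IN    Anywhere (v6)
EOF
}

# audit_ufw: read status text on stdin, print one finding per line,
# return 1 if anything was found and 0 otherwise.
audit_ufw() {
    awk '
        function bad(msg) { print msg; n++ }
        { gsub(/ \(v6\)/, "") }        # fold IPv6 twin rows into the IPv4 form
        /^Status:/ { seen = 1; if ($2 != "active") bad("firewall is " $2) }
        /^Default:/ && $2 != "deny" && $2 != "reject" {
            bad("default incoming policy is " $2)
        }
        $2 == "ALLOW" && $3 == "IN" && $4 == "Anywhere" && !($1 in flagged) {
            flagged[$1] = 1
            bad("port " $1 " is allowed from any source with no rate limit")
        }
        END { if (!seen) bad("no Status line in input"); exit (n > 0) }
    '
}

sample_ufw_status | audit_ufw || echo "findings listed above"
```

On a live host, pipe the real output in: sudo ufw status verbose | audit_ufw.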

Install FTP server

  1. sudo apt install vsftpd
  2. sudo nano /etc/vsftpd.conf to edit configuration
  3. sudo ufw allow 21
  4. sudo systemctl restart vsftpd

Cron - Job scheduler

  • Edit cron of a user sudo crontab -e -u USER (-u to edit specific user)
  • Check if the cron expression is correct: crontab guru
  • Useful commands:
    • @reboot COMMAND

Cockpit - Remote administration of server

  1. sudo apt-get install cockpit and with:
    • cockpit-machines for KVM
    • cockpit-docker for Docker
  2. sudo ufw allow 9090
  3. sudo systemctl restart cockpit.socket
  4. If you cannot update packages, network manager may be in use, check with nmcli d
    • sudo systemctl disable network-manager.service
    • sudo systemctl stop network-manager.service

Advanced configuration

  • See this guide to change port. Create file and directory if needed.
  • Configuration file is /etc/cockpit/cockpit.conf, not created by default - see reference
  • Setup with Cloudflare Tunnel - Based on this blog post.
    1. Setup a Let’s Encrypt certificate below
    2. Setup a copy script - See example in Nextcloud
       echo "SSL certificates renewed"
       cp /etc/letsencrypt/live/$FQDN/fullchain.pem /etc/cockpit/ws-certs.d/$FQDN.crt
       cp /etc/letsencrypt/live/$FQDN/privkey.pem /etc/cockpit/ws-certs.d/$FQDN.key
       chown cockpit-ws:cockpit-ws /etc/cockpit/ws-certs.d/$FQDN.crt /etc/cockpit/ws-certs.d/$FQDN.key
       echo "Restarting Cockpit"
       systemctl restart cockpit
    3. Setup /etc/cockpit/cockpit.conf
       [WebService]
       Origins = https://URL:PORT
       #ProtocolHeader = X-Forwarded-Proto
       AllowUnencrypted = false
       [Session]
       IdleTimeout = 10
    4. Setup Cloudflare Tunnel and Access

Install on VirtualBox

  1. Install gcc make perl packages
  2. Install Guest addition
  3. Disable animations gsettings set org.gnome.desktop.interface enable-animations false
  4. Allow user to access Shared Folder sudo adduser $USER vboxsf

Tips & Tricks

  • Date & Time
    • timedatectl to check
    • sudo timedatectl set-timezone TZ

Command-line kung-fu

  • less to page through output
  • watch to re-run a command at regular intervals and watch its output
  • | grep x to pipe to grep which is going to select lines with x
  • clear to clear the command line
  • Check this Ars introduction about redirection, grep, sed, awk.

Screen Terminal Multiplexer

Complete guide here

  • Start screen
  • List sessions ID screen -ls
  • In a session - Hotkey CTRL+A then:
    • d: Detach
    • [: Copy mode
      • Page-Up to scroll up, Page-Down to scroll down
      • Space to start selection and Space again to stop it
    • ]: Paste mode
    • :sessionname <Your_session_name>: Rename
  • Reattach screen -r session_ID

CPU & Processes

  • Check system stats
    • htop for processes
    • nmon for the whole system
  • Health
    • Check CPU frequency cat /proc/cpuinfo
  • System information dmidecode

Services with systemctl

  • Service management
    • sudo systemctl restart SERVICE
    • sudo systemctl start SERVICE
    • sudo systemctl stop SERVICE
    • sudo systemctl kill SERVICE
  • Service enable/disable
    • sudo systemctl enable SERVICE
    • sudo systemctl disable SERVICE
    • sudo systemctl is-enabled SERVICE
  • Services mask/unmask
    • sudo systemctl unmask SERVICE
    • sudo systemctl mask SERVICE
  • Service status
    • sudo systemctl list-timers
    • sudo systemctl status SERVICE

Disk & Data

  • Check free disk space df -h
  • Tree file & folder with space taken ncdu
  • Check for partition corruption fsck /dev/sdaXX00
  • Stop a disk
    1. Unmount sudo umount /dev/sdXX
    2. Spin down sudo hdparm -Y /dev/sdXX
  • Erase a disk sudo dd if=/dev/urandom of=/dev/sdXX bs=10M - Source

View SMART disk data


  1. Install smartmontools
  2. View SMART data & status sudo smartctl -i /dev/sdXX
  3. Find estimate & current SMART test sudo smartctl -c /dev/sdXX
  4. Launch a test: sudo smartctl -t short /dev/sdXX
    • Possible options instead of short:
    • long
    • conveyance (after transport) for ATA disks
    • If the HDD goes to sleep (especially true for USB ones), try the following:

        # Read one block every 60 seconds to keep the disk awake during the test
        while true; do
            dd if=/dev/sdXX iflag=direct count=1 of=/dev/null
            sleep 60
        done
  5. Read the result sudo smartctl -l selftest /dev/sdXX

Test read/write speed


  1. sync; dd if=/dev/zero of=tempfile bs=1M count=256; sync: write 256 MB to tempfile
  2. sudo /sbin/sysctl -w vm.drop_caches=3: clear the cache
  3. dd if=tempfile of=/dev/null bs=1M count=256: read tempfile

Format & mount a USB stick

  1. Several options to see devices
    • sudo blkid to locate block devices
    • sudo lsblk to list mounted block devices
    • ls /dev to check where the USB stick is mounted
  2. sudo fdisk /dev/sdXX
    1. p to list existing partition
    2. g to create a new GPT partition table or o for a DOS partition table
    3. n to create a new partition
    4. w write to disk and exit
  3. sudo mkfs.ext4 /dev/sdXX00 to create an ext4 partition
  4. sudo mkdir /media/usbdrive to create a directory that will host the partition
    • Choose /mnt for temporary mounts
    • Choose /media for automatic mounts
  5. sudo mount /dev/sdXX00 /media/usbdrive -o umask=000 to mount the USB key with all user access
  6. sudo umount /dev/sdXX00 to unmount
  7. If you want to make it permanent


Files

  • zip -r ARCHIVE.zip ./ to zip current directory
  • tar -xvf file.tar.gz to extract tarball and zip (x for extract, v for verbose, f for file)
  • find / -name filename to find filename in entire system (/) or active folder (.), and sudo to avoid permissions problems

Virtual Systems: Mount QCoW2

  1. sudo apt install libguestfs-tools to install required tool
  2. sudo guestmount -a /var/lib/libvirt/images/IMAGE.qcow2 -m DEVICE --ro /mnt/FOLDER
    • DEVICE being the partition within this image. Make it bogus so a list will be shown
    • --ro if you only want read-only
  3. sudo guestunmount /mnt

Network & Internet

  • View current information (IP, netmask, …) ifconfig
    • Assign an IP to a network sudo ifconfig wlan0 netmask up for instance
  • Edit network configuration
    • with netplan /etc/netplan/00-installer-config.yaml
  • Disable IPv6 - Source

      sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
      sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
      sudo sysctl -w net.ipv6.conf.lo.disable_ipv6=1
  • Check Wi-Fi adapter status:
    • rfkill list wlan to list status
    • rfkill unblock wlan to unblock

Set up Let’s Encrypt with Cloudflare DNS

  • Source
  • See this documentation on Cloudflare certbot
    • cloudflare.ini can be placed in /etc/cloudflared
    • Define proper permission with chmod 400
  • Steps
    1. sudo snap install --classic certbot certbot-dns-cloudflare - you may need to run additional commands, as explained in the console
    2. sudo ln -s /snap/bin/certbot /usr/bin/certbot
    3. sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d <EXAMPLE.COM>
    4. Automated renewal should be set up by the snap, check systemctl list-timers

Users & Groups

  • Users
    • useradd -m USERNAME add a new user with a Home directory (-m)
    • passwd USERNAME define a password
    • id USERNAME to get the user's UID & GID
  • Groups
    • usermod -a -G GROUP $USER to add self to GROUP
    • cat /etc/group to list all groups
  • Set up SFTP without shell access: nice tutorial from Digital Ocean

OS-related

  • Know which OS, flavor or version you are running cat /etc/os-release
  • Install fonts: check package fonts-liberation - it can help you fix Fontconfig error: Cannot load default config file
  • Sometimes reboot is not accessible … then use systemctl reboot

Hardware-related

Power & Battery

  • Check system temperature
    1. sudo apt install lm-sensors
    2. sudo apt-get install lm-sensors
    3. sudo /etc/init.d/kmod start
    4. sensors
  • Check status & stats about battery
    1. List paths upower -e
    2. Get status upower -i <path>
  • Plan a reboot: shutdown -r 0:00 to restart at midnight for instance


BIOS

  • Check BIOS version sudo dmidecode | less


Security

Source: OVH, DigitalOcean, DigitalOcean

  • Change all account passwords
  • Regarding SSH
    • Disable all unnecessary user logins, like root - Example
    • Change default port (between 49152 and 65535) - Generator
    • Use SSH Keys instead of passwords
  • Regarding network
    • Configure firewall like ufw
    • Configure fail2ban
    • Configure an Intrusion Detection System - Example
  • Disable unneeded services - Example, sudo ss -atpu
  • Implement unattended upgrades and livepatch - Example
  • Regularly
    • Update software
    • Check logs
    • Check for malware - Example: maldet
    • Make backups
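
The SSH items in this checklist and in the Setup SSH section can be checked mechanically against /etc/ssh/sshd_config. This is an added example, not part of the original notes: the function names and sample file are constructed, and mapping "use SSH keys instead of passwords" to PasswordAuthentication no is this example's assumption.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config file.
# sshd keeps the FIRST value it reads for each keyword and treats keywords
# case-insensitively, so an early "permitrootlogin yes" beats a later "no".

# sshd_first_value FILE KEYWORD: print the first global value of KEYWORD.
sshd_first_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }                  # skip comments
        tolower($1) == "match" { exit }      # Match blocks are conditional
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE: print one finding per line; return 1 if there are any.
audit_sshd() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_first_value "$1" "$kw")
        case "$val" in
            [Nn][Oo]) ;;
            *) echo "$kw is '${val:-unset}', expected 'no'"; rc=1 ;;
        esac
    done
    if [ -z "$(sshd_first_value "$1" AllowUsers)" ]; then
        echo "AllowUsers is not set globally: logins are not limited to named users"
        rc=1
    fi
    return "$rc"
}

# Constructed sample input (not taken from a real host).
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample
Port 22
permitrootlogin yes
PermitRootLogin no
PasswordAuthentication no
Match User backup
    AllowUsers toto
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
audit_sshd "$sample" || echo "findings listed above"
rm -f "$sample"
```

This parser does not follow Include directives; on a live host, sudo sshd -T prints the effective configuration and sudo sshd -t validates the file before sudo systemctl restart ssh.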


Recover

Check logs

  • System messages: cat /var/log/messages | tail -n 50


Bootloader

Try Super Grub2 Disk

KVM - Virtual Machines

Setup KVM

Based on this great tutorial by OSTechnix.

  1. Install QEMU and some other libs
    1. sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils
    2. systemctl status libvirtd - must be enabled and started
  2. Configure network bridge
    1. ip a list existing network, including virbr which is the preinstalled bridge
    2. Disable netfilter on bridge
      1. Create /etc/sysctl.d/bridge.conf and add the following

      2. Create /etc/udev/rules.d/99-bridge.rules and add ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", RUN+="/sbin/sysctl -p /etc/sysctl.d/bridge.conf"

    3. Remove default KVM bridge
      1. virsh net-destroy default
      2. virsh net-undefine default
      3. ip link check that virbr interfaces are gone
    4. Edit /etc/netplan/00-installer-config.yaml
      1. Backup first
      2. Add a new section under defined interface - Careful about the indentation

               interfaces: [ enp0s3 ]
               addresses: []
               mtu: 1500
                 addresses: [,]
                 stp: true
                 forward-delay: 4
               dhcp4: no
               dhcp6: no
           version: 2
      3. sudo netplan --debug apply to apply
      4. ip a to check, also brctl show br0
    5. Configure KVM to use this bridge
      1. Edit host-bridge.xml somewhere and add:

           <network><name>host-bridge</name>
             <forward mode="bridge"/>
             <bridge name="br0"/>
           </network>
      2. virsh net-define host-bridge.xml
      3. virsh net-start host-bridge
      4. virsh net-autostart host-bridge
      5. virsh net-list --all to check

Manage VM

  • virt-install to create a Virtual Machine
  • sudo virsh, followed by a subcommand:
    • list --all to list all VMs
    • Status
      • start ID/Name
      • reboot ID/Name
      • suspend ID/Name
      • shutdown ID/Name
    • To edit a VM
      • edit ID/Name
    • To delete a VM
      1. undefine ID/Name
      2. sudo virsh destroy ID/Name