Firewall

The firewall is already configured by DigitalOcean in the droplet image I chose (Ubuntu 20.04 with WordPress). However, if other services are to be added (in my case, yes), the Ubuntu firewall (ufw) has to be opened up for each of them. The commands I used are below.

Sample Commands

View current configuration (ufw needs root for everything, status included):

sudo ufw status

# Allow a service by its application profile. Profile names that contain a space must be
# quoted, otherwise ufw sees two arguments and rejects the command.
# "sudo ufw app list" prints the profile names installed under /etc/ufw/applications.d.
sudo ufw allow OpenSSH
sudo ufw allow Postfix
sudo ufw allow "Apache Full"

Blocking SSH Testing

Out of interest, I checked auth.log and found lots of scanning/testing/brute-force attempts. fail2ban should manage some of this (in reality, against bot networks that rotate source addresses, fail2ban is a bit futile); the only real solution is mandatory key authentication, i.e. PasswordAuthentication no in sshd_config. I still had some interest in blocking these IPs from connecting to SSH anyway and seeing the difference in the logs. One caveat: only log lines tagged [preauth] should feed the deny list. A "Received disconnect ... disconnected by user" line without that tag is a normal logout by a legitimate user, and blocking it would lock out your own address.

# Deny port 22 to every source address that ended an SSH session before authenticating.
# The message types are the four seen in auth.log; requiring [preauth] keeps ordinary
# logouts out of the list. The address is pulled out with a regex rather than cut:
# syslog pads single-digit days ("Jan  2"), which shifts every space-separated field by one.
MY_IP=203.0.113.10   # placeholder: your own address, so the loop cannot lock you out
sudo grep -hE 'sshd.*(Received disconnect from|Connection closed by|Unable to negotiate with.*diffie-hellman-group1-sha1).*\[preauth\]' /var/log/auth.log \
  | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | grep -vxF "$MY_IP" | sort -u \
  | while read -r block_ip ; do sudo ufw insert 1 deny from "$block_ip" to any port 22 ; done

# ufw stores the resulting rules in /etc/ufw/user.rules; hand edits there only take
# effect after "sudo ufw reload".
sudo vi /etc/ufw/user.rules
sudo ufw status   # "sudo ufw status numbered" shows rule positions for later "sudo ufw delete <n>"
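As an added example (not from the original notes), the same extraction written as a small script with constructed sample log lines, so it can be tried offline before touching a live firewall. It counts pre-authentication failures per source address, skips an allow-listed address (MY_IP, an assumed placeholder), applies a minimum-hit threshold, prints the ufw commands for review instead of running them, and shows why `cut -d ' ' -f 9` breaks on single-digit days.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: turn sshd pre-auth failures in
# auth.log into ufw deny rules without depending on space-separated field positions.
set -eu

# Constructed sample log lines for offline testing (not real traffic). Note the double
# space in "Jan  2": syslog pads single-digit days, which shifts every field for cut.
SAMPLE_LOG='Jan  2 03:14:07 web sshd[2041]: Received disconnect from 198.51.100.7 port 41022:11: Bye Bye [preauth]
Jan  2 03:14:09 web sshd[2043]: Connection closed by 198.51.100.7 port 41030 [preauth]
Jan 12 08:00:01 web sshd[2100]: Connection closed by invalid user admin 203.0.113.45 port 53122 [preauth]
Jan 12 08:00:05 web sshd[2102]: Unable to negotiate with 203.0.113.99 port 3322: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
Jan 12 09:29:50 web sshd[2148]: Connection closed by 192.0.2.10 port 50100 [preauth]
Jan 12 09:30:00 web sshd[2150]: Accepted publickey for deploy from 192.0.2.10 port 50110 ssh2: ED25519 SHA256:abc
Jan 12 09:45:00 web sshd[2150]: Received disconnect from 192.0.2.10 port 50110:11: disconnected by user
Jan 12 09:46:00 web sshd[2160]: Connection closed by 198.51.100.7 port 41100 [preauth]'

# Hypothetical placeholder: your own address, excluded so the rules cannot lock you out.
MY_IP="192.0.2.10"

# Read log lines on stdin; print "<ip> <count>" per offender, highest count first.
# Only lines tagged [preauth] count: a session that authenticated and later disconnected
# ("disconnected by user") is a normal logout, not an attack.
ssh_offenders() {
  grep -E 'sshd\[[0-9]+\]: (Received disconnect from|Connection closed by|Unable to negotiate with) .*\[preauth\]' \
    | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | grep -vxF -- "${MY_IP}" \
    | sort | uniq -c | sort -k1,1nr -k2,2 \
    | awk '{ print $2, $1 }'
}

# Emit one ufw deny command per offender seen at least $1 times (default 1).
# Commands are printed, not executed, so they can be reviewed; pipe to "sudo sh" to apply.
ufw_deny_rules() {
  local min_hits="${1:-1}"
  ssh_offenders | awk -v min="${min_hits}" \
    '$2 >= min { printf "ufw insert 1 deny from %s to any port 22\n", $1 }'
}

# The fragile approach from the notes, kept for comparison: field 9 is the address only
# when the day has two digits; on "Jan  2" the empty field shifts everything by one.
cut_field_9() { cut -d ' ' -f 9; }

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | ufw_deny_rules 2
fi
```

Run it with `--demo` to see the commands for addresses that failed at least twice; on a live box replace the sample input with `sudo cat /var/log/auth.log | ufw_deny_rules 3`. The threshold matters: a single pre-auth disconnect can be a legitimate user who mistyped a key path, whereas dozens from one address within minutes is a scanner.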