Server Guides: Difference between revisions

Line 25:

* '''Firewall''': Configure a firewall to control incoming and outgoing traffic.

* '''Regular Updates''': Ensure the server and all software are regularly updated.

* '''Split Disks''': Separate ~~<pre>~~/tmp~~</pre>~~ and ~~<pre>~~/var~~</pre>~~ partitions with ~~<pre>~~noexec~~</pre>~~ flag.

* '''Split Disks''': Separate */tmp* and */var* partitions with *noexec* flag.

* '''Log Monitoring''': Regularly monitor server logs for suspicious activities.

* '''Privilege Escalation Mitigation''': Use ~~<pre>~~sysctl~~</pre>~~ variables and kernel parameters to mitigate privilege escalation.

* '''Privilege Escalation Mitigation''': Use *sysctl* variables and kernel parameters to mitigate privilege escalation.

* '''Audit''': Regularly audit the server using tools like ~~<pre>~~rkhunter~~</pre>~~ and ~~<pre>~~debsecan~~</pre>~~.

* '''Audit''': Regularly audit the server using tools like *rkhunter* and *debsecan*.

* '''Open Ports''': Only open necessary ports (e.g., 80, 443, 22).

Line 34:

* '''Data Encryption''': Encrypt all data communication.

** Use ~~<pre>~~scp~~</pre>~~, ~~<pre>~~ssh~~</pre>~~, ~~<pre>~~rsync~~</pre>~~, or ~~<pre>~~sftp~~</pre>~~ for file transfer.

** Use *scp*, *ssh*, *rsync*, or *sftp* for file transfer.

** Consider VPNs like OpenVPN or tinc for secure connections.

* '''Service Management''':

Line 41:

* '''Kernel and Software Updates''':

** Apply all security patches promptly.

** Consider using tools like ~~<pre>~~apticron~~</pre>~~ for Debian-based systems.

** Consider using tools like *apticron* for Debian-based systems.

* '''Linux Security Extensions''':

** Enable SELinux or other security extensions to enforce limitations on applications.

* '''User Accounts and Password Policies''':

** Enforce strong password policies.

** Use tools like ~~<pre>~~pam_cracklib~~</pre>~~ to enforce password strength.

** Use tools like *pam_cracklib* to enforce password strength.

** Set up password aging policies using ~~<pre>~~chage~~</pre>~~.

** Set up password aging policies using *chage*.

* '''Fail2ban''':

** Install and configure Fail2ban to block IP addresses after failed login attempts.

* '''Disable Unwanted Services''':

** Disable unnecessary services and daemons.

** Use ~~<pre>~~systemctl~~</pre>~~ to manage services on modern Linux distributions.

** Use *systemctl* to manage services on modern Linux distributions.

* '''Network Security''':

** Use ~~<pre>~~iptables~~</pre>~~ or ~~<pre>~~firewalld~~</pre>~~ to manage firewall rules.

** Use *iptables* or *firewalld* to manage firewall rules.

** Use tools like ~~<pre>~~nmap~~</pre>~~ to scan open ports.

** Use tools like *nmap* to scan open ports.

* '''File System Security''':

** Separate critical file systems into different partitions with appropriate mount options (~~<pre>~~noexec~~</pre>~~, ~~<pre>~~nodev~~</pre>~~, ~~<pre>~~nosuid~~</pre>~~).

** Separate critical file systems into different partitions with appropriate mount options (*noexec*, *nodev*, *nosuid*).

* '''Regular Backups''':

** Implement regular, encrypted backups to an offsite location.

@@ Line 25: / Line 25: @@
 * '''Firewall''': Configure a firewall to control incoming and outgoing traffic.
 * '''Regular Updates''': Ensure the server and all software are regularly updated.
-* '''Split Disks''': Separate <pre>/tmp</pre> and <pre>/var</pre> partitions with <pre>noexec</pre> flag.
+* '''Split Disks''': Separate */tmp* and */var* partitions with *noexec* flag.
 * '''Log Monitoring''': Regularly monitor server logs for suspicious activities.
-* '''Privilege Escalation Mitigation''': Use <pre>sysctl</pre> variables and kernel parameters to mitigate privilege escalation.
+* '''Privilege Escalation Mitigation''': Use *sysctl* variables and kernel parameters to mitigate privilege escalation.
-* '''Audit''': Regularly audit the server using tools like <pre>rkhunter</pre> and <pre>debsecan</pre>.
+* '''Audit''': Regularly audit the server using tools like *rkhunter* and *debsecan*.
 * '''Open Ports''': Only open necessary ports (e.g., 80, 443, 22).
@@ Line 34: / Line 34: @@
 * '''Data Encryption''': Encrypt all data communication.
-** Use <pre>scp</pre>, <pre>ssh</pre>, <pre>rsync</pre>, or <pre>sftp</pre> for file transfer.
+** Use *scp*, *ssh*, *rsync*, or *sftp* for file transfer.
 ** Consider VPNs like OpenVPN or tinc for secure connections.
 * '''Service Management''':
@@ Line 41: / Line 41: @@
 * '''Kernel and Software Updates''':
 ** Apply all security patches promptly.
-** Consider using tools like <pre>apticron</pre> for Debian-based systems.
+** Consider using tools like *apticron* for Debian-based systems.
 * '''Linux Security Extensions''':
 ** Enable SELinux or other security extensions to enforce limitations on applications.
 * '''User Accounts and Password Policies''':
 ** Enforce strong password policies.
-** Use tools like <pre>pam_cracklib</pre> to enforce password strength.
+** Use tools like *pam_cracklib* to enforce password strength.
-** Set up password aging policies using <pre>chage</pre>.
+** Set up password aging policies using *chage*.
 * '''Fail2ban''':
 ** Install and configure Fail2ban to block IP addresses after failed login attempts.
 * '''Disable Unwanted Services''':
 ** Disable unnecessary services and daemons.
-** Use <pre>systemctl</pre> to manage services on modern Linux distributions.
+** Use *systemctl* to manage services on modern Linux distributions.
 * '''Network Security''':
-** Use <pre>iptables</pre> or <pre>firewalld</pre> to manage firewall rules.
+** Use *iptables* or *firewalld* to manage firewall rules.
-** Use tools like <pre>nmap</pre> to scan open ports.
+** Use tools like *nmap* to scan open ports.
 * '''File System Security''':
-** Separate critical file systems into different partitions with appropriate mount options (<pre>noexec</pre>, <pre>nodev</pre>, <pre>nosuid</pre>).
+** Separate critical file systems into different partitions with appropriate mount options (*noexec*, *nodev*, *nosuid*).
 * '''Regular Backups''':
 ** Implement regular, encrypted backups to an offsite location.