Irregularpedia

Server Guides: Difference between revisions

← Older edit
VisualWikitext
formatting
 
(4 intermediate revisions by the same user not shown)
Line 4: Line 4:


* [[matrix-server-guide|Matrix Server Guide]]
* [[matrix-server-guide|Matrix Server Guide]]
* [[ssh-keys|Create SSH Keys]]
** Maubot Chatbot Guides
* SimpleX Server
* [[Service%20-%20storage%20-%20Nextcloud|Service - Storage - Nextcloud]]
* [[Service%20-%20storage%20-%20Nextcloud|Service - Storage - Nextcloud]]
* [[Authentik%20Installation|Authentik Installation]]
* [[Authentik%20Installation|Authentik Installation]]
* [[setting%20up%20cryptpad%20server|Setting Up Cryptpad Server]]
* [[setting%20up%20cryptpad%20server|Setting Up Cryptpad Server]]
* Proxmox
* Proxmox
* Clapper
* [[Linux Server Initial Setup]]
* [[Linux Server Storage]]


== Best Practices to Secure Servers in 2024 ==
== Best Practices to Secure Servers in 2024 ==
Line 20: Line 24:


* '''No Root Login''': Disable root login to enhance security.
* '''No Root Login''': Disable root login to enhance security.
* '''SSH Keys with Password''': Use SSH keys with a passphrase and disable password login.
* '''[[SSH Keys]] with Password''': Use SSH keys with a passphrase and disable password login.
* '''VPN Access''': Require VPN access to reach the SSH server.
* '''VPN Access''': VPN access is required to reach the SSH server.
* '''Firmware and Auto Updates''': Enable automatic updates for both firmware and software.
* '''Firmware and Auto Updates''': Enable automatic updates for both firmware and software.
* '''Firewall''': Configure a firewall to control incoming and outgoing traffic.
* '''Firewall''': Configure a firewall to control incoming and outgoing traffic.
* '''Regular Updates''': Ensure the server and all software are regularly updated.
* '''Regular Updates''': Ensure the server and all software are regularly updated.
* '''Split Disks''': Separate <pre>/tmp</pre> and <pre>/var</pre> partitions with <pre>noexec</pre> flag.
* '''Split Disks''': Separate ''/tmp'' and ''/var'' partitions with ''noexec'' flag.
* '''Log Monitoring''': Regularly monitor server logs for suspicious activities.
* '''Log Monitoring''': Regularly monitor server logs for suspicious activities.
* '''Privilege Escalation Mitigation''': Use <pre>sysctl</pre> variables and kernel parameters to mitigate privilege escalation.
* '''Privilege Escalation Mitigation''': Use ''sysctl'' variables and kernel parameters to mitigate privilege escalation.
* '''Audit''': Regularly audit the server using tools like <pre>rkhunter</pre> and <pre>debsecan</pre>.
* '''Audit''': Regularly audit the server using tools like ''rkhunter'' and ''debsecan''.
* '''Open Ports''': Only open necessary ports (e.g., 80, 443, 22).
* '''Open Ports''': Only open necessary ports (e.g., 80, 443, 22).


Line 34: Line 38:


* '''Data Encryption''': Encrypt all data communication.
* '''Data Encryption''': Encrypt all data communication.
** Use <pre>scp</pre>, <pre>ssh</pre>, <pre>rsync</pre>, or <pre>sftp</pre> for file transfer.
** Use ''scp'', ''ssh'', ''rsync'', rclone or ''sftp'' for file transfer.
** Consider VPNs like OpenVPN or tinc for secure connections.
** Consider reverse proxy (tail scale, Cloudflare) or wireguard.
* '''Service Management''':
* '''Service Management''':
** Avoid using insecure services like FTP, Telnet, and Rsh.
** Avoid using insecure services like FTP, Telnet, and Rsh.
Line 41: Line 45:
* '''Kernel and Software Updates''':
* '''Kernel and Software Updates''':
** Apply all security patches promptly.
** Apply all security patches promptly.
** Consider using tools like <pre>apticron</pre> for Debian-based systems.
*** Use an Ansible Script to patch multiple servers periodically including OS, docker, git, etc
* '''Linux Security Extensions''':
* '''Linux Security Extensions''':
** Enable SELinux or other security extensions to enforce limitations on applications.
** Enable SELinux or other security extensions to enforce limitations on applications.
* '''User Accounts and Password Policies''':
* '''User Accounts and Password Policies''':
** Enforce strong password policies.
** Enforce strong password policies.
** Use tools like <pre>pam_cracklib</pre> to enforce password strength.
** Use tools like ''pam_cracklib'' to enforce password strength.
** Set up password aging policies using <pre>chage</pre>.
** Set up password aging policies using ''chage''.
* '''Fail2ban''':
* '''Fail2ban''':
** Install and configure Fail2ban to block IP addresses after failed login attempts.
** Install and configure Fail2ban to block IP addresses after failed login attempts.
* '''Disable Unwanted Services''':
* '''Disable Unwanted Services''':
** Disable unnecessary services and daemons.
** Disable unnecessary services and daemons.
** Use <pre>systemctl</pre> to manage services on modern Linux distributions.
** Use ''systemctl'' to manage services on modern Linux distributions.
* '''Network Security''':
* '''Network Security''':
** Use <pre>iptables</pre> or <pre>firewalld</pre> to manage firewall rules.
** Use ''iptables'' or ''firewalld'' to manage firewall rules.
** Use tools like <pre>nmap</pre> to scan open ports.
** Use tools like ''nmap'' to scan open ports.
* '''File System Security''':
* '''File System Security''':
** Separate critical file systems into different partitions with appropriate mount options (<pre>noexec</pre>, <pre>nodev</pre>, <pre>nosuid</pre>).
** Separate critical file systems into different partitions with appropriate mount options (''noexec'', ''nodev'', ''nosuid'').
* '''Regular Backups''':
* '''Regular Backups''':
** Implement regular, encrypted backups to an offsite location.
** Implement regular, encrypted backups to an offsite location.
Retrieved from "https://irregularpedia.org/index.php/Server_Guides"