Server Guides: Difference between revisions

Line 1:

~~~~

= Server Guides =

~~~~

== Community Server Guides ==

Line 12:

Line 10:

* Proxmox

~~~~

== Best Practices to Secure Servers in 2024 ==

Line 20:

Line 17:

* [https://www.cyberciti.biz/tips/linux-security.html Cyberciti Linux Security Tips]

~~~~

=== General Security Practices ===

Line 35:

Line 31:

* '''Open Ports''': Only open necessary ports (e.g., 80, 443, 22).

~~~~

=== Detailed Security Measures ===

* '''Data Encryption''': Encrypt all data communication.

1. Use <code>scp</code>, <code>ssh</code>, <code>rsync</code>, or <code>sftp</code> for file transfer.

## Use <code>scp</code>, <code>ssh</code>, <code>rsync</code>, or <code>sftp</code> for file transfer.

2. Consider VPNs like OpenVPN or tinc for secure connections.

## Consider VPNs like OpenVPN or tinc for secure connections.

* '''Service Management''':

1. Avoid using insecure services like FTP, Telnet, and Rsh.

## Avoid using insecure services like FTP, Telnet, and Rsh.

2. Minimize installed software to reduce vulnerability.

## Minimize installed software to reduce vulnerability.

* '''Kernel and Software Updates''':

1. Apply all security patches promptly.

## Apply all security patches promptly.

2. Consider using tools like <code>apticron</code> for Debian-based systems.

## Consider using tools like <code>apticron</code> for Debian-based systems.

* '''Linux Security Extensions''':

1. Enable SELinux or other security extensions to enforce limitations on applications.

## Enable SELinux or other security extensions to enforce limitations on applications.

* '''User Accounts and Password Policies''':

1. Enforce strong password policies.

## Enforce strong password policies.

2. Use tools like <code>pam_cracklib</code> to enforce password strength.

## Use tools like <code>pam_cracklib</code> to enforce password strength.

3. Set up password aging policies using <code>chage</code>.

## Set up password aging policies using <code>chage</code>.

* '''Fail2ban''':

1. Install and configure Fail2ban to block IP addresses after failed login attempts.

## Install and configure Fail2ban to block IP addresses after failed login attempts.

* '''Disable Unwanted Services''':

1. Disable unnecessary services and daemons.

## Disable unnecessary services and daemons.

2. Use <code>systemctl</code> to manage services on modern Linux distributions.

## Use <code>systemctl</code> to manage services on modern Linux distributions.

* '''Network Security''':

1. Use <code>iptables</code> or <code>firewalld</code> to manage firewall rules.

## Use <code>iptables</code> or <code>firewalld</code> to manage firewall rules.

2. Use tools like <code>nmap</code> to scan open ports.

## Use tools like <code>nmap</code> to scan open ports.

* '''File System Security''':

1. Separate critical file systems into different partitions with appropriate mount options (<code>noexec</code>, <code>nodev</code>, <code>nosuid</code>).

## Separate critical file systems into different partitions with appropriate mount options (<code>noexec</code>, <code>nodev</code>, <code>nosuid</code>).

* '''Regular Backups''':

1. Implement regular, encrypted backups to an offsite location.

## Implement regular, encrypted backups to an offsite location.

* '''Intrusion Detection Systems (IDS)''':

1. Use tools like AIDE and RKHunter for host-based intrusion detection.

## Use tools like AIDE and RKHunter for host-based intrusion detection.

* '''Secure SSH Configuration''':

1. Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring ~~fail2ban~~).

## Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring Fail2ban).

[[Category:Self-hosting]]

[[Category:Guides]]

[[Category:Server]]

[[Category:Network]]

@@ Line 1: / Line 1: @@
-<span id="server-guides"></span>
 = Server Guides =
-<span id="community-server-guides"></span>
 == Community Server Guides ==
@@ Line 12: / Line 10: @@
 * Proxmox
-<span id="best-practices-to-secure-servers-in-2024"></span>
 == Best Practices to Secure Servers in 2024 ==
@@ Line 20: / Line 17: @@
 * [https://www.cyberciti.biz/tips/linux-security.html Cyberciti Linux Security Tips]
-<span id="general-security-practices"></span>
 === General Security Practices ===
@@ Line 35: / Line 31: @@
 * '''Open Ports''': Only open necessary ports (e.g., 80, 443, 22).
-<span id="detailed-security-measures"></span>
 === Detailed Security Measures ===
 * '''Data Encryption''': Encrypt all data communication.
-. Use <code>scp</code>, <code>ssh</code>, <code>rsync</code>, or <code>sftp</code> for file transfer.
+## Use <code>scp</code>, <code>ssh</code>, <code>rsync</code>, or <code>sftp</code> for file transfer.
-. Consider VPNs like OpenVPN or tinc for secure connections.
+## Consider VPNs like OpenVPN or tinc for secure connections.
 * '''Service Management''':
-. Avoid using insecure services like FTP, Telnet, and Rsh.
+## Avoid using insecure services like FTP, Telnet, and Rsh.
-. Minimize installed software to reduce vulnerability.
+## Minimize installed software to reduce vulnerability.
 * '''Kernel and Software Updates''':
-. Apply all security patches promptly.
+## Apply all security patches promptly.
-. Consider using tools like <code>apticron</code> for Debian-based systems.
+## Consider using tools like <code>apticron</code> for Debian-based systems.
 * '''Linux Security Extensions''':
-. Enable SELinux or other security extensions to enforce limitations on applications.
+## Enable SELinux or other security extensions to enforce limitations on applications.
 * '''User Accounts and Password Policies''':
-. Enforce strong password policies.
+## Enforce strong password policies.
-. Use tools like <code>pam_cracklib</code> to enforce password strength.
+## Use tools like <code>pam_cracklib</code> to enforce password strength.
-. Set up password aging policies using <code>chage</code>.
+## Set up password aging policies using <code>chage</code>.
 * '''Fail2ban''':
-. Install and configure Fail2ban to block IP addresses after failed login attempts.
+## Install and configure Fail2ban to block IP addresses after failed login attempts.
 * '''Disable Unwanted Services''':
-. Disable unnecessary services and daemons.
+## Disable unnecessary services and daemons.
-. Use <code>systemctl</code> to manage services on modern Linux distributions.
+## Use <code>systemctl</code> to manage services on modern Linux distributions.
 * '''Network Security''':
-. Use <code>iptables</code> or <code>firewalld</code> to manage firewall rules.
+## Use <code>iptables</code> or <code>firewalld</code> to manage firewall rules.
-. Use tools like <code>nmap</code> to scan open ports.
+## Use tools like <code>nmap</code> to scan open ports.
 * '''File System Security''':
-. Separate critical file systems into different partitions with appropriate mount options (<code>noexec</code>, <code>nodev</code>, <code>nosuid</code>).
+## Separate critical file systems into different partitions with appropriate mount options (<code>noexec</code>, <code>nodev</code>, <code>nosuid</code>).
 * '''Regular Backups''':
-. Implement regular, encrypted backups to an offsite location.
+## Implement regular, encrypted backups to an offsite location.
 * '''Intrusion Detection Systems (IDS)''':
-. Use tools like AIDE and RKHunter for host-based intrusion detection.
+## Use tools like AIDE and RKHunter for host-based intrusion detection.
 * '''Secure SSH Configuration''':
-. Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring fail2ban).
+## Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring Fail2ban).
 [[Category:Self-hosting]]
 [[Category:Guides]]
 [[Category:Server]]
 [[Category:Network]]