Server Guides: Difference between revisions

From Irregularpedia
Jump to navigation Jump to search
← Older edit
VisualWikitext
 
(7 intermediate revisions by 2 users not shown)
Line 1: Line 1:
<span id="server-guides"></span>
= Server Guides =
= Server Guides =


<span id="community-server-guides"></span>
== Community Server Guides ==
== Community Server Guides ==


* [[matrix-server-guide|Matrix Server Guide]]
* [[matrix-server-guide|Matrix Server Guide]]
* [[ssh-keys|Create SSH Keys]]
** Maubot Chatbot Guides
* SimpleX Server
* [[Service%20-%20storage%20-%20Nextcloud|Service - Storage - Nextcloud]]
* [[Service%20-%20storage%20-%20Nextcloud|Service - Storage - Nextcloud]]
* [[Authentik%20Installation|Authentik Installation]]
* [[Authentik%20Installation|Authentik Installation]]
* [[setting%20up%20cryptpad%20server|Setting Up Cryptpad Server]]
* [[setting%20up%20cryptpad%20server|Setting Up Cryptpad Server]]
* Proxmox
* Proxmox
* Clapper
* [[Linux Server Initial Setup]]
* [[Linux Server Storage]]


<span id="best-practices-to-secure-servers-in-2024"></span>
== Best Practices to Secure Servers in 2024 ==
== Best Practices to Secure Servers in 2024 ==


Line 20: Line 21:
* [https://www.cyberciti.biz/tips/linux-security.html Cyberciti Linux Security Tips]
* [https://www.cyberciti.biz/tips/linux-security.html Cyberciti Linux Security Tips]


<span id="general-security-practices"></span>
=== General Security Practices ===
=== General Security Practices ===


* '''No Root Login''': Disable root login to enhance security.
* '''No Root Login''': Disable root login to enhance security.
* '''SSH Keys with Password''': Use SSH keys with a passphrase and disable password login.
* '''[[SSH Keys]] with Password''': Use SSH keys with a passphrase and disable password login.
* '''VPN Access''': Require VPN access to reach the SSH server.
* '''VPN Access''': VPN access is required to reach the SSH server.
* '''Firmware and Auto Updates''': Enable automatic updates for both firmware and software.
* '''Firmware and Auto Updates''': Enable automatic updates for both firmware and software.
* '''Firewall''': Configure a firewall to control incoming and outgoing traffic.
* '''Firewall''': Configure a firewall to control incoming and outgoing traffic.
* '''Regular Updates''': Ensure the server and all software are regularly updated.
* '''Regular Updates''': Ensure the server and all software are regularly updated.
* '''Split Disks''': Separate <code>/tmp</code> and <code>/var</code> partitions with <code>noexec</code> flag.
* '''Split Disks''': Separate ''/tmp'' and ''/var'' partitions with ''noexec'' flag.
* '''Log Monitoring''': Regularly monitor server logs for suspicious activities.
* '''Log Monitoring''': Regularly monitor server logs for suspicious activities.
* '''Privilege Escalation Mitigation''': Use <code>sysctl</code> variables and kernel parameters to mitigate privilege escalation.
* '''Privilege Escalation Mitigation''': Use ''sysctl'' variables and kernel parameters to mitigate privilege escalation.
* '''Audit''': Regularly audit the server using tools like <code>rkhunter</code> and <code>debsecan</code>.
* '''Audit''': Regularly audit the server using tools like ''rkhunter'' and ''debsecan''.
* '''Open Ports''': Only open necessary ports (e.g., 80, 443, 22).
* '''Open Ports''': Only open necessary ports (e.g., 80, 443, 22).


<span id="detailed-security-measures"></span>
=== Detailed Security Measures ===
=== Detailed Security Measures ===


* '''Data Encryption''': Encrypt all data communication.
* '''Data Encryption''': Encrypt all data communication.
  1. Use <code>scp</code>, <code>ssh</code>, <code>rsync</code>, or <code>sftp</code> for file transfer.
** Use ''scp'', ''ssh'', ''rsync'', rclone or ''sftp'' for file transfer.
  2. Consider VPNs like OpenVPN or tinc for secure connections.
** Consider reverse proxy (tail scale, Cloudflare) or wireguard.
* '''Service Management''':
* '''Service Management''':
  1. Avoid using insecure services like FTP, Telnet, and Rsh.
** Avoid using insecure services like FTP, Telnet, and Rsh.
  2. Minimize installed software to reduce vulnerability.
** Minimize installed software to reduce vulnerability.
* '''Kernel and Software Updates''':
* '''Kernel and Software Updates''':
  1. Apply all security patches promptly.
** Apply all security patches promptly.
  2. Consider using tools like <code>apticron</code> for Debian-based systems.
*** Use an Ansible Script to patch multiple servers periodically including OS, docker, git, etc
* '''Linux Security Extensions''':
* '''Linux Security Extensions''':
  1. Enable SELinux or other security extensions to enforce limitations on applications.
** Enable SELinux or other security extensions to enforce limitations on applications.
* '''User Accounts and Password Policies''':
* '''User Accounts and Password Policies''':
  1. Enforce strong password policies.
** Enforce strong password policies.
  2. Use tools like <code>pam_cracklib</code> to enforce password strength.
** Use tools like ''pam_cracklib'' to enforce password strength.
  3. Set up password aging policies using <code>chage</code>.
** Set up password aging policies using ''chage''.
* '''Fail2ban''':
* '''Fail2ban''':
  1. Install and configure Fail2ban to block IP addresses after failed login attempts.
** Install and configure Fail2ban to block IP addresses after failed login attempts.
* '''Disable Unwanted Services''':
* '''Disable Unwanted Services''':
  1. Disable unnecessary services and daemons.
** Disable unnecessary services and daemons.
  2. Use <code>systemctl</code> to manage services on modern Linux distributions.
** Use ''systemctl'' to manage services on modern Linux distributions.
* '''Network Security''':
* '''Network Security''':
  1. Use <code>iptables</code> or <code>firewalld</code> to manage firewall rules.
** Use ''iptables'' or ''firewalld'' to manage firewall rules.
  2. Use tools like <code>nmap</code> to scan open ports.
** Use tools like ''nmap'' to scan open ports.
* '''File System Security''':
* '''File System Security''':
  1. Separate critical file systems into different partitions with appropriate mount options (<code>noexec</code>, <code>nodev</code>, <code>nosuid</code>).
** Separate critical file systems into different partitions with appropriate mount options (''noexec'', ''nodev'', ''nosuid'').
* '''Regular Backups''':
* '''Regular Backups''':
  1. Implement regular, encrypted backups to an offsite location.
** Implement regular, encrypted backups to an offsite location.
* '''Intrusion Detection Systems (IDS)''':
* '''Intrusion Detection Systems (IDS)''':
  1. Use tools like AIDE and RKHunter for host-based intrusion detection.
** Use tools like AIDE and RKHunter for host-based intrusion detection.
* '''Secure SSH Configuration''':
* '''Secure SSH Configuration''':
  1. Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring fail2ban).
** Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring Fail2ban).
 
[[Category:Self-hosting]]
[[Category:Guides]]
[[Category:Server]]
[[Category:Network]]

Latest revision as of 04:05, 21 November 2024

Server Guides

Community Server Guides

Best Practices to Secure Servers in 2024

Source:

General Security Practices

  • No Root Login: Disable root login to enhance security.
  • SSH Keys with Password: Use SSH keys with a passphrase and disable password login.
  • VPN Access: VPN access is required to reach the SSH server.
  • Firmware and Auto Updates: Enable automatic updates for both firmware and software.
  • Firewall: Configure a firewall to control incoming and outgoing traffic.
  • Regular Updates: Ensure the server and all software are regularly updated.
  • Split Disks: Separate /tmp and /var partitions with noexec flag.
  • Log Monitoring: Regularly monitor server logs for suspicious activities.
  • Privilege Escalation Mitigation: Use sysctl variables and kernel parameters to mitigate privilege escalation.
  • Audit: Regularly audit the server using tools like rkhunter and debsecan.
  • Open Ports: Only open necessary ports (e.g., 80, 443, 22).

Detailed Security Measures

  • Data Encryption: Encrypt all data communication.
    • Use scp, ssh, rsync, rclone or sftp for file transfer.
    • Consider reverse proxy (tail scale, Cloudflare) or wireguard.
  • Service Management:
    • Avoid using insecure services like FTP, Telnet, and Rsh.
    • Minimize installed software to reduce vulnerability.
  • Kernel and Software Updates:
    • Apply all security patches promptly.
      • Use an Ansible Script to patch multiple servers periodically including OS, docker, git, etc
  • Linux Security Extensions:
    • Enable SELinux or other security extensions to enforce limitations on applications.
  • User Accounts and Password Policies:
    • Enforce strong password policies.
    • Use tools like pam_cracklib to enforce password strength.
    • Set up password aging policies using chage.
  • Fail2ban:
    • Install and configure Fail2ban to block IP addresses after failed login attempts.
  • Disable Unwanted Services:
    • Disable unnecessary services and daemons.
    • Use systemctl to manage services on modern Linux distributions.
  • Network Security:
    • Use iptables or firewalld to manage firewall rules.
    • Use tools like nmap to scan open ports.
  • File System Security:
    • Separate critical file systems into different partitions with appropriate mount options (noexec, nodev, nosuid).
  • Regular Backups:
    • Implement regular, encrypted backups to an offsite location.
  • Intrusion Detection Systems (IDS):
    • Use tools like AIDE and RKHunter for host-based intrusion detection.
  • Secure SSH Configuration:
    • Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring Fail2ban).
Retrieved from "https://irregularpedia.org/index.php?title=Server_Guides&oldid=1354"