Server Guides: Difference between revisions
cats Tag: 2017 source edit |
|||
(6 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
= Server Guides = | = Server Guides = | ||
== Community Server Guides == | == Community Server Guides == | ||
* [[matrix-server-guide|Matrix Server Guide]] | * [[matrix-server-guide|Matrix Server Guide]] | ||
* | ** Maubot Chatbot Guides | ||
* SimpleX Server | |||
* [[Service%20-%20storage%20-%20Nextcloud|Service - Storage - Nextcloud]] | * [[Service%20-%20storage%20-%20Nextcloud|Service - Storage - Nextcloud]] | ||
* [[Authentik%20Installation|Authentik Installation]] | * [[Authentik%20Installation|Authentik Installation]] | ||
* [[setting%20up%20cryptpad%20server|Setting Up Cryptpad Server]] | * [[setting%20up%20cryptpad%20server|Setting Up Cryptpad Server]] | ||
* Proxmox | * Proxmox | ||
* Clapper | |||
* [[Linux Server Initial Setup]] | |||
* [[Linux Server Storage]] | |||
== Best Practices to Secure Servers in 2024 == | == Best Practices to Secure Servers in 2024 == | ||
Line 20: | Line 21: | ||
* [https://www.cyberciti.biz/tips/linux-security.html Cyberciti Linux Security Tips] | * [https://www.cyberciti.biz/tips/linux-security.html Cyberciti Linux Security Tips] | ||
=== General Security Practices === | === General Security Practices === | ||
* '''No Root Login''': Disable root login to enhance security. | * '''No Root Login''': Disable root login to enhance security. | ||
* '''SSH Keys with Password''': Use SSH keys with a passphrase and disable password login. | * '''[[SSH Keys]] with Password''': Use SSH keys with a passphrase and disable password login. | ||
* '''VPN Access''': | * '''VPN Access''': VPN access is required to reach the SSH server. | ||
* '''Firmware and Auto Updates''': Enable automatic updates for both firmware and software. | * '''Firmware and Auto Updates''': Enable automatic updates for both firmware and software. | ||
* '''Firewall''': Configure a firewall to control incoming and outgoing traffic. | * '''Firewall''': Configure a firewall to control incoming and outgoing traffic. | ||
* '''Regular Updates''': Ensure the server and all software are regularly updated. | * '''Regular Updates''': Ensure the server and all software are regularly updated. | ||
* '''Split Disks''': Separate | * '''Split Disks''': Separate ''/tmp'' and ''/var'' partitions with ''noexec'' flag. | ||
* '''Log Monitoring''': Regularly monitor server logs for suspicious activities. | * '''Log Monitoring''': Regularly monitor server logs for suspicious activities. | ||
* '''Privilege Escalation Mitigation''': Use | * '''Privilege Escalation Mitigation''': Use ''sysctl'' variables and kernel parameters to mitigate privilege escalation. | ||
* '''Audit''': Regularly audit the server using tools like | * '''Audit''': Regularly audit the server using tools like ''rkhunter'' and ''debsecan''. | ||
* '''Open Ports''': Only open necessary ports (e.g., 80, 443, 22). | * '''Open Ports''': Only open necessary ports (e.g., 80, 443, 22). | ||
=== Detailed Security Measures === | === Detailed Security Measures === | ||
* '''Data Encryption''': Encrypt all data communication. | * '''Data Encryption''': Encrypt all data communication. | ||
** Use ''scp'', ''ssh'', ''rsync'', rclone or ''sftp'' for file transfer. | |||
** Consider reverse proxy (tail scale, Cloudflare) or wireguard. | |||
* '''Service Management''': | * '''Service Management''': | ||
** Avoid using insecure services like FTP, Telnet, and Rsh. | |||
** Minimize installed software to reduce vulnerability. | |||
* '''Kernel and Software Updates''': | * '''Kernel and Software Updates''': | ||
** Apply all security patches promptly. | |||
*** Use an Ansible Script to patch multiple servers periodically including OS, docker, git, etc | |||
* '''Linux Security Extensions''': | * '''Linux Security Extensions''': | ||
** Enable SELinux or other security extensions to enforce limitations on applications. | |||
* '''User Accounts and Password Policies''': | * '''User Accounts and Password Policies''': | ||
** Enforce strong password policies. | |||
** Use tools like ''pam_cracklib'' to enforce password strength. | |||
** Set up password aging policies using ''chage''. | |||
* '''Fail2ban''': | * '''Fail2ban''': | ||
** Install and configure Fail2ban to block IP addresses after failed login attempts. | |||
* '''Disable Unwanted Services''': | * '''Disable Unwanted Services''': | ||
** Disable unnecessary services and daemons. | |||
** Use ''systemctl'' to manage services on modern Linux distributions. | |||
* '''Network Security''': | * '''Network Security''': | ||
** Use ''iptables'' or ''firewalld'' to manage firewall rules. | |||
** Use tools like ''nmap'' to scan open ports. | |||
* '''File System Security''': | * '''File System Security''': | ||
** Separate critical file systems into different partitions with appropriate mount options (''noexec'', ''nodev'', ''nosuid''). | |||
* '''Regular Backups''': | * '''Regular Backups''': | ||
** Implement regular, encrypted backups to an offsite location. | |||
* '''Intrusion Detection Systems (IDS)''': | * '''Intrusion Detection Systems (IDS)''': | ||
** Use tools like AIDE and RKHunter for host-based intrusion detection. | |||
* '''Secure SSH Configuration''': | * '''Secure SSH Configuration''': | ||
** Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring Fail2ban). | |||
[[Category:Self-hosting]] | [[Category:Self-hosting]] |
Latest revision as of 04:05, 21 November 2024
Server Guides
Community Server Guides
- Matrix Server Guide
- Maubot Chatbot Guides
- SimpleX Server
- Service - Storage - Nextcloud
- Authentik Installation
- Setting Up Cryptpad Server
- Proxmox
- Clapper
- Linux Server Initial Setup
- Linux Server Storage
Best Practices to Secure Servers in 2024
Source:
- Best practice to secure servers in 2024
- Madaidans Insecurities Linux Hardening Guide
- Cyberciti Linux Security Tips
General Security Practices
- No Root Login: Disable root login to enhance security.
- SSH Keys with Password: Use SSH keys with a passphrase and disable password login.
- VPN Access: VPN access is required to reach the SSH server.
- Firmware and Auto Updates: Enable automatic updates for both firmware and software.
- Firewall: Configure a firewall to control incoming and outgoing traffic.
- Regular Updates: Ensure the server and all software are regularly updated.
- Split Disks: Separate /tmp and /var partitions with noexec flag.
- Log Monitoring: Regularly monitor server logs for suspicious activities.
- Privilege Escalation Mitigation: Use sysctl variables and kernel parameters to mitigate privilege escalation.
- Audit: Regularly audit the server using tools like rkhunter and debsecan.
- Open Ports: Only open necessary ports (e.g., 80, 443, 22).
Detailed Security Measures
- Data Encryption: Encrypt all data communication.
- Use scp, ssh, rsync, rclone or sftp for file transfer.
- Consider reverse proxy (tail scale, Cloudflare) or wireguard.
- Service Management:
- Avoid using insecure services like FTP, Telnet, and Rsh.
- Minimize installed software to reduce vulnerability.
- Kernel and Software Updates:
- Apply all security patches promptly.
- Use an Ansible Script to patch multiple servers periodically including OS, docker, git, etc
- Apply all security patches promptly.
- Linux Security Extensions:
- Enable SELinux or other security extensions to enforce limitations on applications.
- User Accounts and Password Policies:
- Enforce strong password policies.
- Use tools like pam_cracklib to enforce password strength.
- Set up password aging policies using chage.
- Fail2ban:
- Install and configure Fail2ban to block IP addresses after failed login attempts.
- Disable Unwanted Services:
- Disable unnecessary services and daemons.
- Use systemctl to manage services on modern Linux distributions.
- Network Security:
- Use iptables or firewalld to manage firewall rules.
- Use tools like nmap to scan open ports.
- File System Security:
- Separate critical file systems into different partitions with appropriate mount options (noexec, nodev, nosuid).
- Regular Backups:
- Implement regular, encrypted backups to an offsite location.
- Intrusion Detection Systems (IDS):
- Use tools like AIDE and RKHunter for host-based intrusion detection.
- Secure SSH Configuration:
- Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring Fail2ban).