Server Guides: Difference between revisions

From Irregularpedia

Revision as of 03:33, 21 November 2024

Server Guides

Community Server Guides

Best Practices to Secure Servers in 2024

Source:

General Security Practices

  • No Root Login: Disable root login to enhance security.
  • SSH Keys with Password: Use SSH keys with a passphrase and disable password login.
  • VPN Access: Require VPN access to reach the SSH server.
  • Firmware and Auto Updates: Enable automatic updates for both firmware and software.
  • Firewall: Configure a firewall to control incoming and outgoing traffic.
  • Regular Updates: Ensure the server and all software are regularly updated.
  • Split Disks: Put */tmp* and */var* on separate partitions mounted with the *noexec* flag.
  • Log Monitoring: Regularly monitor server logs for suspicious activities.
  • Privilege Escalation Mitigation: Use *sysctl* variables and kernel parameters to mitigate privilege escalation.
  • Audit: Regularly audit the server using tools like *rkhunter* and *debsecan*.
  • Open Ports: Only open necessary ports (e.g., 80, 443, 22).

Detailed Security Measures

  • Data Encryption: Encrypt all data communication.
    • Use *scp*, *ssh*, *rsync*, or *sftp* for file transfer.
    • Consider VPNs like OpenVPN or tinc for secure connections.
  • Service Management:
    • Avoid using insecure services like FTP, Telnet, and Rsh.
    • Minimize installed software to reduce the attack surface.
  • Kernel and Software Updates:
    • Apply all security patches promptly.
    • Consider using tools like *apticron* for Debian-based systems.
  • Linux Security Extensions:
    • Enable SELinux or other security extensions to enforce limitations on applications.
  • User Accounts and Password Policies:
    • Enforce strong password policies.
    • Use tools like *pam_cracklib* to enforce password strength.
    • Set up password aging policies using *chage*.
  • Fail2ban:
    • Install and configure Fail2ban to block IP addresses after failed login attempts.
  • Disable Unwanted Services:
    • Disable unnecessary services and daemons.
    • Use *systemctl* to manage services on modern Linux distributions.
  • Network Security:
    • Use *iptables* or *firewalld* to manage firewall rules.
    • Use tools like *nmap* to scan open ports.
  • File System Security:
    • Separate critical file systems into different partitions with appropriate mount options (*noexec*, *nodev*, *nosuid*).
  • Regular Backups:
    • Implement regular, encrypted backups to an offsite location.
  • Intrusion Detection Systems (IDS):
    • Use tools like AIDE and RKHunter for host-based intrusion detection.
  • Secure SSH Configuration:
    • Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring Fail2ban).
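
One way to verify the root-login and password-login items above is to audit the effective sshd settings. This is an added example, not part of the original guide; the function name audit_sshd and the sample data are constructed for illustration, and the input is assumed to be in the `sshd -T` output format.

```shell
#!/bin/sh
# Added example: audit effective sshd settings against the checklist.
# Input on stdin: `sshd -T` style output, one lowercase "keyword value" per line.
# Typical use on a host (as root):  sshd -T | audit_sshd
audit_sshd() {
    awk '
        { val[tolower($1)] = tolower($2) }
        END {
            bad = 0
            # "prohibit-password" still lets root in with a key, so require "no".
            if (val["permitrootlogin"] != "no") {
                print "FAIL permitrootlogin=" val["permitrootlogin"] " (want no)"; bad++
            }
            if (val["passwordauthentication"] != "no") {
                print "FAIL passwordauthentication=" val["passwordauthentication"] " (want no)"; bad++
            }
            # Keyboard-interactive can still prompt for a password through PAM.
            # Older OpenSSH reports it as challengeresponseauthentication.
            k = "kbdinteractiveauthentication"
            if (!(k in val)) k = "challengeresponseauthentication"
            if (val[k] != "no") {
                print "FAIL " k "=" val[k] " (want no)"; bad++
            }
            if (val["pubkeyauthentication"] != "yes") {
                print "FAIL pubkeyauthentication=" val["pubkeyauthentication"] " (want yes)"; bad++
            }
            exit (bad > 0)
        }
    '
}

# Constructed samples shaped like `sshd -T` output (not from a real host).
SAMPLE_WEAK='permitrootlogin prohibit-password
passwordauthentication no
kbdinteractiveauthentication yes
pubkeyauthentication yes'

SAMPLE_HARDENED='permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'

# Demo: the weak sample reports two findings, the hardened one reports none.
printf '%s\n' "$SAMPLE_WEAK" | audit_sshd || true
printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd && echo "hardened sample: OK"
```

The weak sample shows the case that is easy to miss: password authentication is off, yet keyboard-interactive authentication is still on and root can still log in with a key.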
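
The Split Disks and File System Security items can be checked against the live mount table. The following is an added example, not code from the original guide; check_mount and audit_mounts are hypothetical helper names, the mount table is constructed, and applying all three options to both /tmp and /var is an assumption based on the two items.

```shell
#!/bin/sh
# Added example: verify that a path is its own mount and carries the
# required options. TABLE is a file in /proc/mounts format:
#   device mountpoint fstype options dump pass

# check_mount TABLE MOUNTPOINT OPTION...
check_mount() {
    table=$1; mp=$2; shift 2
    # The last matching line wins: a later mount shadows an earlier one.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$table")
    if [ -z "$opts" ]; then
        echo "FAIL $mp: not a separate mount"
        return 1
    fi
    missing=0
    for want in "$@"; do
        # Wrap in commas so "nodev" cannot match inside another option name.
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "FAIL $mp: missing $want"; missing=1 ;;
        esac
    done
    return $missing
}

# audit_mounts TABLE: apply the options named in the guide to /tmp and /var.
audit_mounts() {
    status=0
    check_mount "$1" /tmp noexec nodev nosuid || status=1
    check_mount "$1" /var noexec nodev nosuid || status=1
    return $status
}

# Constructed sample in /proc/mounts format (not from a real host).
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var ext4 rw,nodev,relatime 0 0
EOF

# Demo on the sample; on a real host run: audit_mounts /proc/mounts
audit_mounts "$SAMPLE_MOUNTS" || true
```

On Debian-based systems package maintainer scripts are executed from /var/lib/dpkg/info, so trial noexec on /var with a package upgrade before rolling it out.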