Server Guides: Difference between revisions

From Irregularpedia
Initial
 
fixed formatting
Tag: wikieditor
Line 5: Line 5:
== Community Server Guides ==
== Community Server Guides ==


'' [[matrix-server-guide.md|Matrix Server Guide]]
* [[matrix-server-guide|Matrix Server Guide]]
'''' [[ssh-keys|Create SSH Keys]]
* [[ssh-keys|Create SSH Keys]]
'' [[Service%20-%20storage%20-%20Nextcloud.md|Service - Storage - Nextcloud]]
* [[Service%20-%20storage%20-%20Nextcloud|Service - Storage - Nextcloud]]
'' [[Authentik%20Installation.md|Authentik Installation]]
* [[Authentik%20Installation|Authentik Installation]]
'' [[setting%20up%20cryptpad%20server.md|Setting Up Cryptpad Server]]
* [[setting%20up%20cryptpad%20server|Setting Up Cryptpad Server]]


<span id="best-practices-to-secure-servers-in-2024"></span>
<span id="best-practices-to-secure-servers-in-2024"></span>
== Best Practices to Secure Servers in 2024 ==
== Best Practices to Secure Servers in 2024 ==


Source: - [https://www.reddit.com/r/linuxadmin/comments/1an0vqp/best_practice_to_secure_servers_in_2024/ Best practice to secure servers in 2024] - [https://madaidans-insecurities.github.io/guides/linux-hardening.html Madaidans Insecurities Linux Hardening Guide] - [https://www.cyberciti.biz/tips/linux-security.html Cyberciti Linux Security Tips]
Source:
* [https://www.reddit.com/r/linuxadmin/comments/1an0vqp/best_practice_to_secure_servers_in_2024/ Best practice to secure servers in 2024]
* [https://madaidans-insecurities.github.io/guides/linux-hardening.html Madaidans Insecurities Linux Hardening Guide]
* [https://www.cyberciti.biz/tips/linux-security.html Cyberciti Linux Security Tips]


<span id="general-security-practices"></span>
<span id="general-security-practices"></span>
=== General Security Practices ===
=== General Security Practices ===


= '''No Root Login''': Disable root login to enhance security. =
* '''No Root Login''': Disable root login to enhance security.
= '''SSH Keys with Password''': Use SSH keys with a passphrase and disable password login. =
* '''SSH Keys with Password''': Use SSH keys with a passphrase and disable password login.
= '''VPN Access''': Require VPN access to reach the SSH server. =
* '''VPN Access''': Require VPN access to reach the SSH server.
= '''Firmware and Auto Updates''': Enable automatic updates for both firmware and software. =
* '''Firmware and Auto Updates''': Enable automatic updates for both firmware and software.
= '''Firewall''': Configure a firewall to control incoming and outgoing traffic. =
* '''Firewall''': Configure a firewall to control incoming and outgoing traffic.
= '''Regular Updates''': Ensure the server and all software are regularly updated. =
* '''Regular Updates''': Ensure the server and all software are regularly updated.
= '''Split Disks''': Separate <code>/tmp</code> and <code>/var</code> partitions with <code>noexec</code> flag. =
* '''Split Disks''': Separate <code>/tmp</code> and <code>/var</code> partitions with <code>noexec</code> flag.
= '''Log Monitoring''': Regularly monitor server logs for suspicious activities. =
* '''Log Monitoring''': Regularly monitor server logs for suspicious activities.
= '''Privilege Escalation Mitigation''': Use <code>sysctl</code> variables and kernel parameters to mitigate privilege escalation. =
* '''Privilege Escalation Mitigation''': Use <code>sysctl</code> variables and kernel parameters to mitigate privilege escalation.
= '''Audit''': Regularly audit the server using tools like <code>rkhunter</code> and <code>debsecan</code>. =
* '''Audit''': Regularly audit the server using tools like <code>rkhunter</code> and <code>debsecan</code>.
= '''Open Ports''': Only open necessary ports (e.g., 80, 443, 22). =
* '''Open Ports''': Only open necessary ports (e.g., 80, 443, 22).


<span id="detailed-security-measures"></span>
<span id="detailed-security-measures"></span>
=== Detailed Security Measures ===
=== Detailed Security Measures ===


= '''Data Encryption''': Encrypt all data communication. =
* '''Data Encryption''': Encrypt all data communication.
#'' Use <code>scp</code>, <code>ssh</code>, <code>rsync</code>, or <code>sftp</code> for file transfer.
  1. Use <code>scp</code>, <code>ssh</code>, <code>rsync</code>, or <code>sftp</code> for file transfer.
#'' Consider VPNs like OpenVPN or tinc for secure connections.
  2. Consider VPNs like OpenVPN or tinc for secure connections.
= '''Service Management''': =
* '''Service Management''':
#'' Avoid using insecure services like FTP, Telnet, and Rsh.
  1. Avoid using insecure services like FTP, Telnet, and Rsh.
#'' Minimize installed software to reduce vulnerability.
  2. Minimize installed software to reduce vulnerability.
= '''Kernel and Software Updates''': =
* '''Kernel and Software Updates''':
#'' Apply all security patches promptly.
  1. Apply all security patches promptly.
#'' Consider using tools like <code>apticron</code> for Debian-based systems.
  2. Consider using tools like <code>apticron</code> for Debian-based systems.
= '''Linux Security Extensions''': =
* '''Linux Security Extensions''':
#'' Enable SELinux or other security extensions to enforce limitations on applications.
  1. Enable SELinux or other security extensions to enforce limitations on applications.
= '''User Accounts and Password Policies''': =
* '''User Accounts and Password Policies''':
#'' Enforce strong password policies.
  1. Enforce strong password policies.
#'' Use tools like <code>pam_cracklib</code> to enforce password strength.
  2. Use tools like <code>pam_cracklib</code> to enforce password strength.
#'' Set up password aging policies using <code>chage</code>.
  3. Set up password aging policies using <code>chage</code>.
= '''Fail2ban''': =
* '''Fail2ban''':
#'' Install and configure Fail2ban to block IP addresses after failed login attempts.
  1. Install and configure Fail2ban to block IP addresses after failed login attempts.
= '''Disable Unwanted Services''': =
* '''Disable Unwanted Services''':
#'' Disable unnecessary services and daemons.
  1. Disable unnecessary services and daemons.
#'' Use <code>systemctl</code> to manage services on modern Linux distributions.
  2. Use <code>systemctl</code> to manage services on modern Linux distributions.
= '''Network Security''': =
* '''Network Security''':
#'' Use <code>iptables</code> or <code>firewalld</code> to manage firewall rules.
  1. Use <code>iptables</code> or <code>firewalld</code> to manage firewall rules.
#'' Use tools like <code>nmap</code> to scan open ports.
  2. Use tools like <code>nmap</code> to scan open ports.
= '''File System Security''': =
* '''File System Security''':
#'' Separate critical file systems into different partitions with appropriate mount options (<code>noexec</code>, <code>nodev</code>, <code>nosuid</code>).
  1. Separate critical file systems into different partitions with appropriate mount options (<code>noexec</code>, <code>nodev</code>, <code>nosuid</code>).
= '''Regular Backups''': =
* '''Regular Backups''':
#'' Implement regular, encrypted backups to an offsite location.
  1. Implement regular, encrypted backups to an offsite location.
= '''Intrusion Detection Systems (IDS)''': =
* '''Intrusion Detection Systems (IDS)''':
#'' Use tools like AIDE and RKHunter for host-based intrusion detection.
  1. Use tools like AIDE and RKHunter for host-based intrusion detection.
= '''Secure SSH Configuration''': =
* '''Secure SSH Configuration''':
#* Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring fail2ban).
  1. Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring fail2ban).
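
Review bot: the replacement sub-items (for example `  1. Use <code>scp</code>, ...` under Data Encryption) begin with two spaces, and MediaWiki renders a line with leading whitespace as preformatted text rather than as a list entry, so these lines will not nest under their `*` parent or be numbered by the wiki. Writing each one as a `*#` line directly after its `*` bullet gives a numbered list nested inside the bullet. The Secure SSH Configuration entry, which was `#*` before, now uses the same space-indented `1.` form and needs the same change.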

Revision as of 00:18, 10 September 2024

Server Guides

Community Server Guides

Best Practices to Secure Servers in 2024

Source:

General Security Practices

  • No Root Login: Disable root login to enhance security.
  • SSH Keys with Password: Use SSH keys with a passphrase and disable password login.
  • VPN Access: Require VPN access to reach the SSH server.
  • Firmware and Auto Updates: Enable automatic updates for both firmware and software.
  • Firewall: Configure a firewall to control incoming and outgoing traffic.
  • Regular Updates: Ensure the server and all software are regularly updated.
  • Split Disks: Separate /tmp and /var partitions with noexec flag.
  • Log Monitoring: Regularly monitor server logs for suspicious activities.
  • Privilege Escalation Mitigation: Use sysctl variables and kernel parameters to mitigate privilege escalation.
  • Audit: Regularly audit the server using tools like rkhunter and debsecan.
  • Open Ports: Only open necessary ports (e.g., 80, 443, 22).

Detailed Security Measures

  • Data Encryption: Encrypt all data communication.
      1. Use scp, ssh, rsync, or sftp for file transfer.
      2. Consider VPNs like OpenVPN or tinc for secure connections.
  • Service Management:
      1. Avoid using insecure services like FTP, Telnet, and Rsh.
      2. Minimize installed software to reduce vulnerability.
  • Kernel and Software Updates:
      1. Apply all security patches promptly.
      2. Consider using tools like apticron for Debian-based systems.
  • Linux Security Extensions:
      1. Enable SELinux or other security extensions to enforce limitations on applications.
  • User Accounts and Password Policies:
      1. Enforce strong password policies.
      2. Use tools like pam_cracklib to enforce password strength.
      3. Set up password aging policies using chage.
  • Fail2ban:
      1. Install and configure Fail2ban to block IP addresses after failed login attempts.
  • Disable Unwanted Services:
      1. Disable unnecessary services and daemons.
      2. Use systemctl to manage services on modern Linux distributions.
  • Network Security:
      1. Use iptables or firewalld to manage firewall rules.
      2. Use tools like nmap to scan open ports.
  • File System Security:
      1. Separate critical file systems into different partitions with appropriate mount options (noexec, nodev, nosuid).
  • Regular Backups:
      1. Implement regular, encrypted backups to an offsite location.
  • Intrusion Detection Systems (IDS):
      1. Use tools like AIDE and RKHunter for host-based intrusion detection.
  • Secure SSH Configuration:
      1. Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring fail2ban).
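
The SSH and mount-option items above can be checked mechanically. The following is an added example, not part of the original guide: the function names and sample inputs are constructed for illustration, and the defaults table assumes upstream OpenSSH behaviour for keywords missing from the file.

```python
import re

# Upstream OpenSSH defaults for absent keywords (assumed; distros may differ).
SSHD_DEFAULTS = {"permitrootlogin": "prohibit-password",
                 "passwordauthentication": "yes", "pubkeyauthentication": "yes"}
# Values the checklist asks for.
SSHD_WANTED = {"permitrootlogin": "no", "passwordauthentication": "no",
               "pubkeyauthentication": "yes"}
MOUNT_WANTED = {m: {"noexec", "nodev", "nosuid"} for m in ("/tmp", "/var")}
# Constructed samples: the second PasswordAuthentication line never applies.
SAMPLE_SSHD = """\
PasswordAuthentication yes
PasswordAuthentication no
"""
SAMPLE_FSTAB = """\
UUID=bbbb /tmp ext4 defaults,nodev,nosuid 0 2
"""

def effective_sshd(text):
    """Return global sshd settings; the FIRST value per keyword wins."""
    seen = {}
    for raw in text.splitlines():
        parts = re.split(r"[\s=]+", raw.strip(), maxsplit=1)
        key = parts[0].lower()  # sshd keywords are case-insensitive
        if not key or key.startswith("#"):
            continue
        if key == "match":  # conditional blocks are not evaluated here
            break
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)
    return {**SSHD_DEFAULTS, **seen}

def audit_sshd(text):
    """Map each non-compliant keyword to its effective value."""
    eff = effective_sshd(text)
    return {k: eff[k] for k, want in SSHD_WANTED.items() if eff[k] != want}

def audit_fstab(text, wanted=MOUNT_WANTED):
    """Map each mount point to its missing options (None: no fstab entry)."""
    found = {}
    for raw in text.splitlines():
        f = raw.split()
        if len(f) >= 4 and not f[0].startswith("#"):
            found[f[1]] = set(f[3].split(","))
    return {m: (opts - found[m] if m in found else None)
            for m, opts in wanted.items() if m not in found or opts - found[m]}

if __name__ == "__main__":
    print(audit_sshd(SAMPLE_SSHD), audit_fstab(SAMPLE_FSTAB))
```

The parser does not follow `Include` directives; the output of `sshd -T`, which resolves them, can be passed to `audit_sshd` in place of the raw file.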