Revision as of 03:31, 21 November 2024

Server Guides

Community Server Guides

Best Practices to Secure Servers in 2024

Source:

General Security Practices

No Root Login: Disable root login to enhance security.
SSH Keys with Password: Use SSH keys with a passphrase and disable password login.
VPN Access: Require VPN access to reach the SSH server.
Firmware and Auto Updates: Enable automatic updates for both firmware and software.
Firewall: Configure a firewall to control incoming and outgoing traffic.
Regular Updates: Ensure the server and all software are regularly updated.
Split Disks: Separate
```
/tmp
```
and
```
/var
```
partitions with
```
noexec
```
flag.
Log Monitoring: Regularly monitor server logs for suspicious activities.
Privilege Escalation Mitigation: Use
```
sysctl
```
variables and kernel parameters to mitigate privilege escalation.
Audit: Regularly audit the server using tools like
```
rkhunter
```
and
```
debsecan
```
.
Open Ports: Only open necessary ports (e.g., 80, 443, 22).

Detailed Security Measures

Data Encryption: Encrypt all data communication.
- Use
```
scp
```
  ,
```
ssh
```
  ,
```
rsync
```
  , or
```
sftp
```
  for file transfer.
- Consider VPNs like OpenVPN or tinc for secure connections.
Service Management:
- Avoid using insecure services like FTP, Telnet, and Rsh.
- Minimize installed software to reduce vulnerability.
Kernel and Software Updates:
- Apply all security patches promptly.
- Consider using tools like
```
apticron
```
  for Debian-based systems.
Linux Security Extensions:
- Enable SELinux or other security extensions to enforce limitations on applications.
User Accounts and Password Policies:
- Enforce strong password policies.
- Use tools like
```
pam_cracklib
```
  to enforce password strength.
- Set up password aging policies using
```
chage
```
  .
Fail2ban:
- Install and configure Fail2ban to block IP addresses after failed login attempts.
Disable Unwanted Services:
- Disable unnecessary services and daemons.
- Use
```
systemctl
```
  to manage services on modern Linux distributions.
Network Security:
- Use
```
iptables
```
  or
```
firewalld
```
  to manage firewall rules.
- Use tools like
```
nmap
```
  to scan open ports.
File System Security:
- Separate critical file systems into different partitions with appropriate mount options (
```
noexec
```
  ,
```
nodev
```
  ,
```
nosuid
```
  ).
Regular Backups:
- Implement regular, encrypted backups to an offsite location.
Intrusion Detection Systems (IDS):
- Use tools like AIDE and RKHunter for host-based intrusion detection.
Secure SSH Configuration:
- Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring Fail2ban).

@@ Line 25: / Line 25: @@
 * '''Firewall''': Configure a firewall to control incoming and outgoing traffic.
 * '''Regular Updates''': Ensure the server and all software are regularly updated.
-* '''Split Disks''': Separate <code>/tmp</code> and <code>/var</code> partitions with <code>noexec</code> flag.
+* '''Split Disks''': Separate <pre>/tmp</pre> and <pre>/var</pre> partitions with <pre>noexec</pre> flag.
 * '''Log Monitoring''': Regularly monitor server logs for suspicious activities.
-* '''Privilege Escalation Mitigation''': Use <code>sysctl</code> variables and kernel parameters to mitigate privilege escalation.
+* '''Privilege Escalation Mitigation''': Use <pre>sysctl</pre> variables and kernel parameters to mitigate privilege escalation.
-* '''Audit''': Regularly audit the server using tools like <code>rkhunter</code> and <code>debsecan</code>.
+* '''Audit''': Regularly audit the server using tools like <pre>rkhunter</pre> and <pre>debsecan</pre>.
 * '''Open Ports''': Only open necessary ports (e.g., 80, 443, 22).
@@ Line 34: / Line 34: @@
 * '''Data Encryption''': Encrypt all data communication.
-## Use <code>scp</code>, <code>ssh</code>, <code>rsync</code>, or <code>sftp</code> for file transfer.
+** Use <pre>scp</pre>, <pre>ssh</pre>, <pre>rsync</pre>, or <pre>sftp</pre> for file transfer.
-## Consider VPNs like OpenVPN or tinc for secure connections.
+** Consider VPNs like OpenVPN or tinc for secure connections.
 * '''Service Management''':
-## Avoid using insecure services like FTP, Telnet, and Rsh.
+** Avoid using insecure services like FTP, Telnet, and Rsh.
-## Minimize installed software to reduce vulnerability.
+** Minimize installed software to reduce vulnerability.
 * '''Kernel and Software Updates''':
-## Apply all security patches promptly.
+** Apply all security patches promptly.
-## Consider using tools like <code>apticron</code> for Debian-based systems.
+** Consider using tools like <pre>apticron</pre> for Debian-based systems.
 * '''Linux Security Extensions''':
-## Enable SELinux or other security extensions to enforce limitations on applications.
+** Enable SELinux or other security extensions to enforce limitations on applications.
 * '''User Accounts and Password Policies''':
-## Enforce strong password policies.
+** Enforce strong password policies.
-## Use tools like <code>pam_cracklib</code> to enforce password strength.
+** Use tools like <pre>pam_cracklib</pre> to enforce password strength.
-## Set up password aging policies using <code>chage</code>.
+** Set up password aging policies using <pre>chage</pre>.
 * '''Fail2ban''':
-## Install and configure Fail2ban to block IP addresses after failed login attempts.
+** Install and configure Fail2ban to block IP addresses after failed login attempts.
 * '''Disable Unwanted Services''':
-## Disable unnecessary services and daemons.
+** Disable unnecessary services and daemons.
-## Use <code>systemctl</code> to manage services on modern Linux distributions.
+** Use <pre>systemctl</pre> to manage services on modern Linux distributions.
 * '''Network Security''':
-## Use <code>iptables</code> or <code>firewalld</code> to manage firewall rules.
+** Use <pre>iptables</pre> or <pre>firewalld</pre> to manage firewall rules.
-## Use tools like <code>nmap</code> to scan open ports.
+** Use tools like <pre>nmap</pre> to scan open ports.
 * '''File System Security''':
-## Separate critical file systems into different partitions with appropriate mount options (<code>noexec</code>, <code>nodev</code>, <code>nosuid</code>).
+** Separate critical file systems into different partitions with appropriate mount options (<pre>noexec</pre>, <pre>nodev</pre>, <pre>nosuid</pre>).
 * '''Regular Backups''':
-## Implement regular, encrypted backups to an offsite location.
+** Implement regular, encrypted backups to an offsite location.
 * '''Intrusion Detection Systems (IDS)''':
-## Use tools like AIDE and RKHunter for host-based intrusion detection.
+** Use tools like AIDE and RKHunter for host-based intrusion detection.
 * '''Secure SSH Configuration''':
-## Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring Fail2ban).
+** Configure SSH for maximum security (e.g., disabling root login, using SSH keys, configuring Fail2ban).
 [[Category:Self-hosting]]
 [[Category:Guides]]
 [[Category:Server]]
 [[Category:Network]]

Server Guides: Difference between revisions

Revision as of 03:31, 21 November 2024

Contents

Server Guides

Community Server Guides

Best Practices to Secure Servers in 2024

General Security Practices

Detailed Security Measures

Navigation menu

Server Guides: Difference between revisions

Revision as of 03:31, 21 November 2024

Server Guides

Community Server Guides

Best Practices to Secure Servers in 2024

General Security Practices

Detailed Security Measures

Navigation menu

Search